Ironport - Disabling TLS Version

jamie6910
Level 1

Hey guys, I have a question regarding the Cisco IronPort. Based on this article link, can we remove TLS 1.0 and TLS 1.1, leaving TLS 1.2 enabled? As I understand, we cannot disable TLS 1.1, as it is a prerequisite for TLS 1.0 or TLS 1.2.

Can anyone enlighten me on this matter? I am finding it hard to find any article related to disabling TLS 1.0 and TLS 1.1.

 

Thank you in advance.

Milos_Jovanovic
VIP Alumni

Hi @jamie6910,

As TLS v1.0 and 1.1 are deprecated for some time now, I believe you should be able to disable them, leaving only TLS v1.2.

I'm not aware of any dependency between versions; they are protocols in their own right. However, you should approach this carefully: you must confirm that your clients are enabled for TLS v1.2, and you should test your integrations to make sure your other systems are enabled for TLS v1.2 (e.g. your LDAPS integration).

I would try this in off-peak hours, with careful testing.

BR,

Milos

Hi Milos,

Thank you for your prompt response. But do you mind if I ask whether you have any KB or documentation about this matter? I would like to look into the reference thoroughly.

Regards,

Jamie.

Hi Jamie,

I'm not aware of any KB article on this topic. I know about a couple of Field Notices (#1, #2), in which Cisco states that they are shifting their services away from obsolete TLS versions to v1.2.

BR,

Milos

Hi Milos,

Thank you for your updates and apologies for the late response.

How can I confirm that users are enabled for TLS v1.2? And the documentation you provided is for WSA and SMA; is it applicable to ESA?

Can you verify that the steps are to uncheck TLS v1.0 and TLS v1.1 and check TLS v1.2?

Is there anything to check on the cipher suite?

Regards,

Jamie.

Hi @jamie6910,

In order to confirm whether users are using TLS v1.2, you could do a packet capture on your clients and the ESA and see whether TLSv1.2 appears inside the packets.

As all three products (WSA, SMA and ESA) run AsyncOS as their operating system, I'm taking this as relevant information.

Yes, I would also uncheck the older protocol versions and leave only v1.2. I would do it one at a time (disable v1.0 in the first iteration, then v1.1 in the second).

Regarding cipher suite, I wouldn't configure those, unless I know what I'm targeting specifically (like I want to enable only certain protocols, and disable everything else).

BR,

Milos
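One way to do the check Milos describes (read the negotiated version out of captured packets), added here as an example and not code from the thread or from Cisco: it parses a TLS ServerHello record, which is where the version the ESA actually agreed to is recorded, and accounts for TLS 1.3 signalling its version in the supported_versions extension while leaving the legacy field at 0x0303. The sample records are constructed inline, not real captures, and the cipher suite ids are the IANA values.

```python
import struct

# Added example (not Cisco's or the thread's code): read the negotiated version out of a ServerHello.
VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUPPORTED_VERSIONS_EXT = 0x002B  # extension id TLS 1.3 uses to carry the real selected version

def parse_server_hello(record):
    """Return the version the server selected and the cipher suite id from one TLS record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]   # bytes 1-2 are the record version
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("record does not carry a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    selected = struct.unpack("!H", hello[0:2])[0]   # legacy_version field
    pos = 2 + 32                                    # skip the 32-byte server random
    pos += 1 + hello[pos]                           # skip the length-prefixed session id
    cipher_suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 3                                        # cipher suite + compression method
    if pos + 2 <= len(hello):                       # extensions block is optional
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos, end = pos + 2, pos + 2 + ext_len
        while pos + 4 <= end:
            ext_type, data_len = struct.unpack("!HH", hello[pos:pos + 4])
            data = hello[pos + 4:pos + 4 + data_len]
            pos += 4 + data_len
            if ext_type == SUPPORTED_VERSIONS_EXT and len(data) == 2:
                selected = struct.unpack("!H", data)[0]   # TLS 1.3 keeps legacy_version at 0x0303
    return {"version": VERSION_NAMES.get(selected, hex(selected)), "cipher_suite": cipher_suite}

def build_server_hello(version, cipher_suite, selected_version=None):
    """Build a constructed ServerHello record with a zeroed random and an empty session id."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!HB", cipher_suite, 0)
    if selected_version is not None:
        ext = struct.pack("!HHH", SUPPORTED_VERSIONS_EXT, 2, selected_version)
        hello += struct.pack("!H", len(ext)) + ext
    body = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", version, len(body)) + body

def flag_legacy_sessions(records):
    """Return every negotiated version seen and the subset still below TLS 1.2."""
    seen = [parse_server_hello(r)["version"] for r in records]
    return seen, [v for v in seen if v in ("TLS 1.0", "TLS 1.1")]

SAMPLE_RECORDS = [  # constructed samples, not captured traffic
    build_server_hello(0x0303, 0xC02F),                           # TLS 1.2, ECDHE-RSA-AES128-GCM-SHA256
    build_server_hello(0x0301, 0x002F),                           # TLS 1.0, RSA-AES128-SHA: should be gone
    build_server_hello(0x0303, 0x1301, selected_version=0x0304),  # TLS 1.3 signalled via the extension
]
```

After the change on the ESA, the second list returned by flag_legacy_sessions over a real capture's ServerHello records should be empty.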