
Companion Guide for TETRA Update Server Deployment


 

Overview

In this guide we will look at how to configure the web.config file using the URL Rewrite tool when deploying the TETRA update server. This guide is meant as a companion to the existing guides and fills in some information that users may find useful. Please refer to these guides on deployment and troubleshooting:

AMP Update Server Configuration Steps by TJ Busch, Matt Franks and Mathew Huynh

Troubleshooting TETRA definitions update failures by Abhishek Sha

AMP for Endpoints User Guide, Chapter 27 page 213.

URL Rewrite

Step 6 of the AMP Update Server Configuration Steps gives the option of using the URL Rewrite tool to modify the web.config file in the signature directory or mirrored directory. This section goes over how to add those lines via this tool.

  1. Open the IIS Manager and click your website in the Connections panel. In the center panel, select the URL Rewrite tool.
    [Image: URL Rewrite.png]
  2. If you have already created the rule via the XML file, you should see an entry here; otherwise it will be blank. In our example below we already have an entry.
    [Image: URL rewrite tool.png]
  3. If you do not have an entry, you can create one by selecting Add Rule... from the Actions menu.
    [Image: Ad rules.png]
  4. This opens a new window. Select New Blank Rule and hit OK.
    [Image: Inbound Rule.png]
  5. Here we are going to fill out the following sections as shown:

     

    Section            Option         Value
    -----------------  -------------  ------------------------
    Name               Name           Rewrite fetch URL
    Match URL          Requested URL  Matches the pattern
    Match URL          Using          Regular Expressions
    Match URL          Pattern        ^(.*)_[\d]*\/avx\/(.*)$
    Match URL          Ignore case    Checked
    Action             Action Type    Redirect
    Action Properties  Redirect URL   {R:1}/avx/{R:2}
    Action Properties  Redirect Type  Permanent (301)

     

  6. Once completed your web.config file should have the following entry:
    <rewrite>
        <rules>
            <rule name="Rewrite fetch URL">
                <match url="^(.*)_[\d]*\/avx\/(.*)$" />
                <action type="Redirect" url="{R:1}/avx/{R:2}" appendQueryString="false" />
            </rule>
        </rules>
    </rewrite>
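
The rule from step 6 can be checked offline before it goes onto the server. The PowerShell below is an added example, not part of the original guide or of Cisco's tooling: it reads the rule out of a constructed web.config fragment and reports what each request path would be redirected to. The function names and the sample paths are assumptions made for the illustration.

```powershell
# Added example: constructed web.config fragment holding the rule from step 6.
[xml]$config = @'
<configuration><system.webServer><rewrite>
  <rules>
    <rule name="Rewrite fetch URL">
      <match url="^(.*)_[\d]*\/avx\/(.*)$" />
      <action type="Redirect" url="{R:1}/avx/{R:2}" appendQueryString="false" />
    </rule>
  </rules>
</rewrite></system.webServer></configuration>
'@

function Get-RewriteRule {
    # Hypothetical helper: pull pattern, action type and redirect template from the XML.
    param([xml]$Config, [string]$Name = 'Rewrite fetch URL')
    $rule = $Config.SelectSingleNode("//rewrite/rules/rule[@name='$Name']")
    if (-not $rule) { throw "Rule '$Name' not found in web.config" }
    $action = $rule.SelectSingleNode('action')
    [pscustomobject]@{
        Pattern  = $rule.SelectSingleNode('match').GetAttribute('url')
        Type     = $action.GetAttribute('type')
        Template = $action.GetAttribute('url')
    }
}

function Get-RedirectTarget {
    # Hypothetical helper: apply the rule to one request path.
    param($Rule, [string]$Path)
    # URL Rewrite defaults to ECMAScript pattern syntax and matches the path
    # without its leading slash; "Ignore case" is checked in the rule.
    $opts  = [System.Text.RegularExpressions.RegexOptions]'ECMAScript, IgnoreCase'
    $match = [regex]::Match($Path.TrimStart('/'), $Rule.Pattern, $opts)
    if (-not $match.Success) { return $null }   # rule does not fire
    $Rule.Template.Replace('{R:1}', $match.Groups[1].Value).Replace('{R:2}', $match.Groups[2].Value)
}

# Constructed request paths (not taken from a real connector log).
$samples = '/defs64_1634567890/avx/versions.id', '/defs64/avx/versions.id',
           '/DEFS32_77/AVX/sub/file.bin', '/other/file.txt'

$rule = Get-RewriteRule -Config $config
if ($rule.Type -ne 'Redirect') { Write-Warning "Action type is '$($rule.Type)', expected Redirect" }
foreach ($p in $samples) {
    $target = Get-RedirectTarget -Rule $rule -Path $p
    if ($target) { "$p -> redirect to $target" } else { "$p -> rule does not match" }
}
```

A path that has already been redirected no longer contains the `_<digits>` suffix, so it does not match a second time and the redirect cannot loop.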

Enable Directory Browsing

The AMP Update Server Configuration Steps mention an XML line, <directoryBrowse enabled="true" showFlags="Extension" />, but do not say how to enable it or where this setting can be seen. To enable this feature, or to verify whether it is enabled, open the IIS Manager and click your website in the Connections panel. In the center panel, select Directory Browsing and make sure that Extension is checked. If it is not checked, enable this option.

[Image: Dir Brw.png]

Working with Hardened Windows IIS Servers

Some network requirements make it necessary to remove older protocols such as SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 from servers while keeping stronger protocols such as TLS 1.2 and TLS 1.3 enabled. This section addresses the main issue seen when deploying TETRA with these older protocols disabled. Please refer to Troubleshooting TETRA definitions update failures for more troubleshooting information.

 

Bug CSCvq02465 (Tetra update failing with error 3000 when TLS1.0 is disabled) describes this issue: on Win Server 2012, 2008 R2 SP1 and Win 7 SP1, the Tetra update fails with error code -3000. Although the Tetra engine does not use TLS1.0, the update fails because older Windows versions do not choose TLSv1.2 by default when starting the SSL client-server handshake unless explicitly configured in the Registry.

 

You can confirm this issue by first enabling Debugging mode, either from within the policy in the console or via Settings > Cisco AMP Connector Settings within the AMP IPTray, and then checking the AMP for Endpoints logs under C:\Program Files\Cisco\AMP\<your_version>\sfc.exe.log or the corresponding sfc.exe_<date>_<time>.logs. On versions prior to 7.2.7, depending on your TETRA update interval, you may need to wait up to 1 hour, which is the default update interval, for logs to be generated. On 7.2.7 or newer you can force TETRA updates by running the following command from an elevated Command Line or PowerShell: .\sfc.exe -forceupdate. You need to be in the directory C:\Program Files\Cisco\AMP\<your_version>\ for this to work.

 

Excerpt of error code:

ERROR: TetraUpdateInterface::update Update failed with error -3000

 

You can also filter these logs for any TETRA-related error codes by searching for "TetraUpdate" in software such as Notepad++ or Sublime.

 

Some customers also use tools such as IIS Crypto 3.0 by Nartac Software to see the current configurations of Schannel and Cipher Suites with the Registry keys.

 

Microsoft provides an "Easy Fix" for this issue, which can be downloaded from here: Easy Fix

 

In addition to the DefaultSecureProtocols registry subkey, the Easy Fix also adds the SecureProtocols entry, at the locations listed below, to help enable TLS 1.1 and 1.2 for Internet Explorer.

 

The DefaultSecureProtocols registry entry can be added in the following path as 0x00000800, which enables TLS 1.2 as default:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

On x64-based computers, DefaultSecureProtocols must also be added to the Wow6432Node path:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

The registry value is a DWORD bitmap. The value to use is determined by adding the values corresponding to the protocols desired.

 

The SecureProtocols registry entry that has value 0xA80 for enabling TLS 1.1 and 1.2 will be added in the following paths:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
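
To see which protocols a given DWORD stands for and what is currently set on a host, the bitmap can be decoded and the four registry locations above read back. This PowerShell is an added example, not part of the original guide or of the Easy Fix; the per-protocol bit values are Microsoft's documented WinHTTP flags, which this page does not list, and the function names are assumptions.

```powershell
# Added example. Bit values are Microsoft's documented WinHTTP protocol flags
# (an assumption relative to this page, which does not list them).
$ProtocolFlags = [ordered]@{
    'SSL 2.0' = 0x00000008
    'SSL 3.0' = 0x00000020
    'TLS 1.0' = 0x00000080
    'TLS 1.1' = 0x00000200
    'TLS 1.2' = 0x00000800
}

function ConvertFrom-ProtocolBitmap {
    # Hypothetical helper: emit the name of every protocol whose bit is set.
    param([uint32]$Value)
    foreach ($name in $ProtocolFlags.Keys) {
        if ($Value -band $ProtocolFlags[$name]) { $name }
    }
}

function Get-ProtocolRegistryState {
    # Registry paths and value names are the ones listed in this guide.
    $inet = 'Microsoft\Windows\CurrentVersion\Internet Settings'
    $targets = @(
        @{ Path = "HKLM:\SOFTWARE\$inet\WinHttp";             Name = 'DefaultSecureProtocols' }
        @{ Path = "HKLM:\SOFTWARE\Wow6432Node\$inet\WinHttp"; Name = 'DefaultSecureProtocols' }
        @{ Path = "HKCU:\Software\$inet";                     Name = 'SecureProtocols' }
        @{ Path = "HKLM:\SOFTWARE\$inet";                     Name = 'SecureProtocols' }
    )
    foreach ($t in $targets) {
        $item = Get-ItemProperty -Path $t.Path -Name $t.Name -ErrorAction SilentlyContinue
        if ($item) {
            $raw       = [uint32]($item.($t.Name))
            $hex       = '0x{0:X8}' -f $raw
            $protocols = (ConvertFrom-ProtocolBitmap $raw) -join ', '
        } else {
            # Value absent: the operating system's built-in default applies.
            $hex = 'not set'; $protocols = 'OS default'
        }
        [pscustomobject]@{ Key = $t.Path; Name = $t.Name; Value = $hex; Protocols = $protocols }
    }
}

# Decode the two values quoted in this guide, then audit the local machine.
'0x00000800 -> ' + ((ConvertFrom-ProtocolBitmap 0x00000800) -join ', ')
'0x00000A80 -> ' + ((ConvertFrom-ProtocolBitmap 0x00000A80) -join ', ')
Get-ProtocolRegistryState | Format-Table -AutoSize
```

Because 0xA80 is 0x800 + 0x200 + 0x80, the decoded SecureProtocols value also lists TLS 1.0; whether that protocol can actually be negotiated on a hardened server still depends on its Schannel settings.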