09-09-2016 02:35 AM - edited 03-18-2019 06:21 AM
Just upgraded our TMS from 14.6 to 15.3 and since then all my CUCMs show up on the TMS with a status of "no HTTPS response".
I looked at: https://supportforums.cisco.com/discussion/11809721/no-https-response-when-adding-cucm-tms
and the TMS 15.3 administration guide
but none help.
And from the TMS server, using a browser, I can access the CUCM using HTTPS.
Has anything changed in this new version?
09-14-2016 07:35 PM
After analyzing the network logs on the TMS, we found out the issue.
It was a two-fold problem.
1- The change of TLS support in the new version. Windows does not support TLS 1.1 and TLS 1.2 by default, and they have to be activated by updating a registry key, as pointed out in Cisco's TMS documentation: https://technet.microsoft.com/en-us/library/dn786418.aspx
2- But that was not enough. After taking Wireshark captures on the TMS, we also found out that in the TLS handshake the TMS was not advertising SHA512 capabilities and the CUCM was requiring them. SHA512 was not enabled for TLS 1.2 on Windows Server: https://social.technet.microsoft.com/Forums/office/en-US/857c6804-8ce1-4f09-b657-00554055da16/tls-12-and-sha512?forum=winserversecurity
After applying the patch, the issue was fixed.
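In TLS 1.2 a client lists the hash/signature pairs it supports in the `signature_algorithms` extension of its ClientHello, which is where a missing SHA512 offer like the one described in the solution above becomes visible in a capture. The following is an added example, not part of the original thread: it parses that extension from a ClientHello handshake message. The function names are hypothetical and the sample ClientHello bytes are constructed, not taken from the poster's capture.

```python
import struct

HASHES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIGS = {1: "rsa", 2: "dsa", 3: "ecdsa"}

def signature_algorithms(hello: bytes) -> list:
    """Return the sig/hash pairs offered in a ClientHello (record header stripped)."""
    if len(hello) < 4 or hello[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    body_len = int.from_bytes(hello[1:4], "big")
    body = hello[4:4 + body_len]
    if len(body) != body_len or body_len < 41:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                          # client_version + random
    pos += 1 + body[pos]                                  # session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
    pos += 1 + body[pos]                                  # compression_methods
    if pos + 2 > len(body):
        return []                                         # no extensions block at all
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == 13:                                # signature_algorithms
            pairs = data[2:2 + int.from_bytes(data[:2], "big")]
            return [f"{SIGS.get(s, s)}/{HASHES.get(h, h)}"
                    for h, s in zip(pairs[::2], pairs[1::2])]
    return []

def build_hello(pairs) -> bytes:
    """Constructed sample ClientHello: zeroed random, one cipher suite, one extension."""
    algs = bytes(b for pair in pairs for b in pair)       # (hash, signature) bytes
    ext = struct.pack("!HHH", 13, len(algs) + 2, len(algs)) + algs
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x00\x3d" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)
    return b"\x01" + len(body).to_bytes(3, "big") + body

def offers_sha512(hello: bytes) -> bool:
    """True if any offered pair uses SHA512."""
    return any(a.endswith("/sha512") for a in signature_algorithms(hello))

if __name__ == "__main__":
    before = build_hello([(4, 1), (2, 1)])                # constructed: no SHA512 offered
    after = build_hello([(6, 1), (4, 1), (2, 1)])         # constructed: SHA512 offered
    print(signature_algorithms(before), offers_sha512(before))
    print(signature_algorithms(after), offers_sha512(after))
```

To use it on a real capture, pass in the handshake message bytes with the 5-byte TLS record header removed.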
09-11-2016 08:11 PM
Also found out that none of the endpoints pointing to the TMS with an https://... URL could retrieve the phonebook. We had to change all URLs to http://...
Seems like a problem related to the TLS change in version 15.3.
Not sure what must be done to get the TMS to connect back to the CUCM in HTTPS, though...
09-11-2016 08:30 PM
It's likely that TLS 1.0 has been disabled on the IIS server. A quick and easy way to check/change that is with the IISCrypto tool.
Wayne
--
Please remember to rate responses and to mark your question as answered if appropriate.
09-14-2016 07:37 PM
Thanks, but that was not enough, as I mentioned in my reply to my own discussion. The other issue was that SHA512 is not enabled for TLS 1.2 by default on Windows Server.