3 Replies Latest reply on Sep 19, 2018 9:44 AM by JTrett

    Disabling TLS 1.0 in EMSS/Patch and remediation

    Rookie

      Has anyone using Endpoint Security 8.5.0.20 with Patch and Remediation installed disabled TLS 1.0 on the EMSS server?

      With Windows Server 2008 R2 SP1, SQL 2008 R2 and EMSS 8.5 installed on the same machine...

      and after following the MS recommended articles to enable TLS 1.2 support on the OS, SQL Server and .NET Frameworks

      If we disable TLS 1.0 on the server, the clients can connect to the EMSS server, but after a little while the Patch and Remediation tab shows all endpoints in an Agent Status=Online / PR Status=Offline state and the icons are red.

       

      Just wondering if anyone has successfully disabled TLS 1.0 on their EMSS server?

        • 1. Re: Disabling TLS 1.0 in EMSS/Patch and remediation
          bohdan.podlaski SupportEmployee

          Hello!

           

          Thanks for posting to the Ivanti Community.

           

          Sorry that it seems no one has the answer to be able to assist you on this yet. Did you manage to get any further information on this?

          If you still experience issues, please check the following article: https://community.ivanti.com/docs/DOC-57830

           

          There is a bug where the STATEngine service will not start when TLS 1.0 and SSL 3.0 are disabled.

           

          Best Regards

          • 2. Re: Disabling TLS 1.0 in EMSS/Patch and remediation
            Rookie

            In addition to disabling TLS 1.0 in the registry, all SQL, .NET Framework and OS patches/hotfixes related to enabling/using TLS 1.1 and 1.2 need to be installed.

             

            You also need to modify a registry entry to allow the EMSS server's web site to contact the SQL DB when a Patch and Remediation client (gravitixService) connects to the server to run a DAU scan.

            The default uses the DNETLIB library of SQL Server drivers (SQL OLE DB), which are not TLS 1.1 or 1.2 compatible.

             

            In this example, I changed the registry values from the SQLOLEDB drivers to the SQL Server Native Client 11 (SQL Server 2012 Native Client).

            This will allow the clients to complete a DAU scan.

             

            Change Gravitix connections from sqloledb to SQLNCLI11

            Key:

            • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PatchLink.com\Gravitix

             

            Value/Data Before:

            • sConnect: Provider= sqloledb;Initial Catalog=PLUS;Data Source=TETHYS2K12-001\UPC;Trusted_Connection=Yes;

            • sNetConnect: Provider= sqloledb;Initial Catalog=PLUS;Data Source=TETHYS2K12-001\UPC;Trusted_Connection=Yes;

             

            Value/Data After:

            • sConnect: Provider=SQLNCLI11;Initial Catalog=PLUS;Data Source=TETHYS2K12-001\UPC;Trusted_Connection=Yes;

            • sNetConnect: Provider=SQLNCLI11;Initial Catalog=PLUS;Data Source=TETHYS2K12-001\UPC;Trusted_Connection=Yes;

            1 of 1 people found this helpful
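            The provider swap described in the reply above, as an added PowerShell example that is not from the thread or from Ivanti. It assumes the Gravitix key and the sConnect/sNetConnect value names quoted above; the provider name is a parameter because SQLNCLI11 and SQLNCLI10 both appear in this thread, and the script backs up the original strings and supports -WhatIf before touching anything.

```powershell
# Added example (not Ivanti code): rewrite the Provider= token in the Gravitix
# connection strings so the P&R web site can reach SQL Server over TLS 1.2.
# Assumed: key path and value names as quoted in the thread; run elevated.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Provider = 'SQLNCLI11',   # use SQLNCLI10 for the SQL Server 2008 R2 Native Client
    [string]$KeyPath  = 'HKLM:\SOFTWARE\Wow6432Node\PatchLink.com\Gravitix'
)

$valueNames = 'sConnect', 'sNetConnect'

# Sanity check (assumption): OLE DB providers register a ProgID under HKCR, so a
# missing key usually means the Native Client is not installed on this server.
if (-not (Test-Path "Registry::HKEY_CLASSES_ROOT\$Provider")) {
    Write-Warning "No ProgID '$Provider' found under HKCR; is the Native Client installed?"
}

# Save the original strings so the change can be reverted.
$backup = Join-Path $env:TEMP ("Gravitix-connect-{0:yyyyMMdd-HHmmss}.json" -f (Get-Date))
$before = @{}
foreach ($name in $valueNames) {
    $before[$name] = (Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction Stop).$name
}
$before | ConvertTo-Json | Set-Content -Path $backup
Write-Host "Original values saved to $backup"

foreach ($name in $valueNames) {
    $current = $before[$name]

    # Match "Provider= sqloledb;" regardless of case or stray spaces around '='.
    $pattern = '(?i)Provider\s*=\s*[^;]+;'
    if ($current -notmatch $pattern) {
        throw "Value '$name' has no Provider= token: $current"
    }
    $new = [regex]::Replace($current, $pattern, "Provider=$Provider;")

    if ($new -eq $current) {
        Write-Host "$name already uses Provider=$Provider"
        continue
    }
    if ($PSCmdlet.ShouldProcess("$KeyPath\$name", "set Provider=$Provider")) {
        Set-ItemProperty -Path $KeyPath -Name $name -Value $new
        Write-Host "$name : $current -> $new"
    }
}
```

            Run it once with -WhatIf to see the before/after strings, then restart the Gravitix service and confirm the P&R status on an endpoint returns to Online after its next DAU scan.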
            • 3. Re: Disabling TLS 1.0 in EMSS/Patch and remediation
              JTrett Rookie

              Many thanks, JBrack!  After forcing only TLS 1.2 on our Ivanti server, our Endpoint's Patch Agent no longer communicated back to the server.  I made the above registry changes and DAU scans are running once again.  I used SQLNCLI10 instead, as we're using SQL Server 2008 R2.