Preparing Agents and Probes for communicating over TLS1.2 with Modern Security Profile or Agent/Probe not checking in

Last Modified

Wed 20 Jan 12:52 GMT 2021

Description

  • Patch Management introduces a change to the Modern Security Profile which can cause devices that are not fully patched and/or run older Operating Systems to fail to check in to, or report to, N-central.
  • Symptoms of this issue include:
    • Agent or Probe not checking in after upgrade - Could not create TLS channel
      • Soap.log (C:\Program Files (x86)\N-able Technologies\Windows Agent\log):
        [GetConfig] 2020-03-16 09:18:03,357 <<*>> com.nable.agent.framework.rpc.ServerProxy GetConfig: will retry server.ApplianceGetConfig: Exception caught - The request was aborted: Could not create SSL/TLS secure channel.
    • Agent or Probe not installing - Communication with Server failed
      • NableTrace.log (c:\windows\temp):
        2020-03-24 17:10:01,868 - Version: .1500 - ValidateCustomerNameID Error: System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
  • Using the Modern Security Profile in Patch Management, devices with the Agent or Probe installed must have at least one of the following TLS 1.2 cipher suites enabled, and these must be in the preferred cipher order on the device:
    |   TLSv1.2:
    |     ciphers:
    |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
    |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
    |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
    |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong

Environment

  • N-able N-central or later

Solution

  • Optional: choose Legacy Settings. If you have already upgraded to or later, you can resolve the issue immediately by switching back to Legacy Settings. The server will restart and begin accepting connections using older TLS versions and older ciphers. This is not desirable, since it reduces the security of the server, but it can be useful as a temporary measure to regain access to devices and ensure they are fully patched and configured. The setting is found under Administration > Mail and Network Settings > Network Security > Legacy Settings (see screenshot above).
  1. Check readiness. Check that the ciphers are enabled and in the preferred order as described below.
    1. Check OS steps. Follow the appropriate Operating System section below for preparation steps. The basic steps are to apply updates and reboot.
    2. Run the Cipher Check Script. Once updated, you can check a device's readiness by running the Cipher Check Script. Its output reports the status of enabled and preferred ciphers.

Windows 10 & Server 2016 or later

  • Windows 10 and Windows Server 2016 are configured with compatible ciphers by default. It may be necessary to reorder ciphers, especially if third-party software or a GPO was used to modify security settings.
  1. Run the Cipher Check Script.
  2. If there is a problem with the cipher order, use GPO or gpedit.msc to add ciphers to the order or reset the preferred order.
  3. Reboot and retest the N-able N-central Agent.
  4. If still unsuccessful, reset or enable the ciphers in the cipher order on the system; see Microsoft's article on managing TLS: https://docs.microsoft.com/en-us/windows-server/security/tls/manage-tls

Earlier versions of Windows & Windows Server

  1. Apply any Windows updates which add GCM cipher capability.
    1. Install the relevant patches below (via N-able N-central if you have switched back to Legacy mode), or apply them manually, via GPO, etc.:
      • Windows 7, Server 2008 R2
        • Install SP1, then ensure any Update Rollup or Cumulative Rollup after June 2016 has been installed, preferably the most recent.
      • Windows 7 SP1, Server 2008 R2 SP1
        • Ensure any Update Rollup or Cumulative Rollup after June 2016 has been installed, preferably the most recent.
      • Windows 8
        • Install one or all of:
          • KB2992611 - "Security Update for Windows 8"
          • KB4492872 - "Internet Explorer 11 for Windows <OS_VERSION> for <ARCH>-based systems"
          • KB4540671 - "2020-03 Cumulative Security Update for Internet Explorer 11 for Windows <OS_VERSION> for <ARCH>-based systems"
          • KB4541510 - "2020-03 Security Monthly Quality Rollup for Windows <OS_VERSION> for <ARCH>-based Systems"
      • Windows 8 Embedded, Server 2012
        • Install one or all of:
          • KB4492872 - "Internet Explorer 11 for Windows <OS_VERSION> for <ARCH>-based systems"
          • KB4540671 - "2020-03 Cumulative Security Update for Internet Explorer 11 for Windows <OS_VERSION> for <ARCH>-based systems"
          • KB4541510 - "2020-03 Security Monthly Quality Rollup for Windows <OS_VERSION> for <ARCH>-based Systems"
      • Windows 8.1, Server 2012 R2
        • Ensure any Update Rollup or Cumulative Rollup after June 2016 has been installed, preferably the most recent.
        • Ensure that KB3174644 (April 2020) is installed, which enables the use of higher-security ciphers, specifically accepting the 2048-bit DHE parameters required by the Modern Profile.
        • If there is still an issue, try disabling cipher ordering (see below).
  2. Then enable the ciphers using GPO or gpedit (or another method); see: https://docs.microsoft.com/en-us/windows-server/security/tls/manage-tls. This step should not be necessary, but may be if the preferred cipher order was changed manually or by third-party software.
  3. Switch the N-able N-central settings back to Modern and confirm the issue is resolved.

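The readiness check that the Solution steps and both Windows sections refer to can be scripted. The following PowerShell is an added example, not the article's own Cipher Check Script and not N-able code: it reads the device's effective Schannel cipher suite order (a Group Policy "SSL Cipher Suite Order" value if one is set, otherwise Get-TlsCipherSuite on Windows 10 / Server 2016 and later, otherwise the local default order in the registry) and reports whether each of the four suites required by the Modern Profile is present and at what position. It assumes Windows PowerShell 3.0 or later in an elevated session; the registry paths are the documented Schannel locations from Microsoft's manage-tls article, and the function names are the example's own.

```powershell
# Added example (not N-able's Cipher Check Script): report whether the cipher suites
# required by the N-central Modern Security Profile are enabled on this device and
# where they sit in the Schannel cipher suite order.
# Assumptions: Windows PowerShell 3.0+, elevated session. Registry paths are the
# documented Schannel / GPO cipher suite order locations.

$RequiredSuites = @(
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
)

function Get-EffectiveCipherSuiteOrder {
    # 1. A Group Policy cipher suite order, if configured, overrides everything else.
    #    It is stored as a single comma-separated REG_SZ value named "Functions".
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $policy = (Get-ItemProperty -Path $policyPath -Name Functions -ErrorAction SilentlyContinue).Functions
    if ($policy) {
        $suites = @($policy -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        return [pscustomobject]@{ Source = 'Group Policy'; Suites = $suites }
    }
    # 2. Windows 10 / Server 2016 and later expose the live order through the TLS module.
    if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
        $suites = @(Get-TlsCipherSuite | ForEach-Object { $_.Name })
        return [pscustomobject]@{ Source = 'Get-TlsCipherSuite'; Suites = $suites }
    }
    # 3. Older Windows: the local default order is a REG_MULTI_SZ under CurrentControlSet.
    $localPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
    $local = (Get-ItemProperty -Path $localPath -Name Functions -ErrorAction SilentlyContinue).Functions
    return [pscustomobject]@{ Source = 'Local default'; Suites = @($local) }
}

function Test-ModernProfileReadiness {
    param([string[]]$Required = $RequiredSuites)

    $order  = Get-EffectiveCipherSuiteOrder
    $suites = $order.Suites
    Write-Host ("Cipher suite order source: {0} ({1} suites)" -f $order.Source, $suites.Count)

    $found = @()
    foreach ($name in $Required) {
        # Windows releases before 10 / Server 2016 append the curve to ECDHE suite names
        # (e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256_P256), so match on the prefix.
        $index = -1
        for ($i = 0; $i -lt $suites.Count; $i++) {
            if ($suites[$i] -like "$name*") { $index = $i; break }
        }
        if ($index -ge 0) {
            $found += $name
            Write-Host ("  ENABLED  position {0,3}: {1}" -f ($index + 1), $suites[$index])
        } else {
            Write-Host ("  MISSING               {0}" -f $name)
        }
    }

    if ($found.Count -eq 0) {
        Write-Warning 'None of the required GCM suites are in the cipher suite order. Apply the updates listed for this OS version, reboot, and re-run this check.'
        return $false
    }
    return $true
}

Test-ModernProfileReadiness
```

Run it on the Agent or Probe device after the updates and reboot. A result of "MISSING" for all four suites on Windows 7 / 8 / 2012 usually means the rollups that add GCM support are not yet installed; "MISSING" on Windows 10 / Server 2016 points at a Group Policy or third-party tool that has overridden the default order, which is what step 2 of the Windows 10 section addresses.
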
Linux

  1. Apply any updates for older Operating Systems to make the compatible ciphers available.
  2. Enable the above ciphers.
  3. Reset or enable the ciphers in the cipher order on the system.
  • Example command to show the ciphers available on a Linux system:
    /usr/bin/openssl ciphers -v

    ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
    ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
    ...
    KRB5-RC4-SHA            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=SHA1
    KRB5-RC4-MD5            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=MD5

    Note that OpenSSL uses its own cipher names: ECDHE-RSA-AES256-GCM-SHA384 in this output is the suite listed as TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 above, and DHE-RSA-AES128-GCM-SHA256 corresponds to TLS_DHE_RSA_WITH_AES_128_GCM_SHA256.

Mac


Testing your N-able N-central Server (or another server)

  • From Linux, or on any device with the nmap package installed:
    nmap --script ssl-enum-ciphers -p 443 <server_address_here>
  • Alternatively, use a third-party website such as https://www.ssllabs.com/ssltest/ (the N-central server must be reachable from the Internet for this to work).
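The nmap scan above shows what the server offers; the complementary test is to perform the handshake from the Agent device itself, through the same Windows Schannel stack the .NET-based Agent uses. The following PowerShell is an added example, not from the article or from N-able: it opens a TLS 1.2 connection to the server, reports the negotiated key exchange, cipher and hash, and on failure unwraps the nested exception so the Schannel reason is visible. It assumes Windows PowerShell 3.0 or later on .NET Framework 4.5 or later (needed for the Tls12 value), and the host name 'ncentral.example.invalid' is a placeholder for your own N-central server.

```powershell
# Added example (not from the article or N-able): perform a TLS 1.2 handshake from this
# device to the N-central server using .NET/Schannel and report what was negotiated.
# A failure here reproduces the "Could not create SSL/TLS secure channel" symptom
# outside the Agent, with the underlying Schannel message included.
# Assumptions: Windows PowerShell 3.0+, .NET Framework 4.5+; $Server is a placeholder.

function Test-NcentralTls12 {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 443
    )
    $client = $null
    $ssl    = $null
    try {
        $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
        # Default certificate validation is kept; nothing is bypassed.
        $ssl   = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $certs = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
        # Ask for TLS 1.2 only, which is what the Modern Security Profile requires.
        $ssl.AuthenticateAsClient($Server, $certs,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)

        [pscustomobject]@{
            Server      = $Server
            Result      = 'OK'
            Protocol    = $ssl.SslProtocol
            KeyExchange = "$($ssl.KeyExchangeAlgorithm) ($($ssl.KeyExchangeStrength)-bit)"
            Cipher      = "$($ssl.CipherAlgorithm) ($($ssl.CipherStrength)-bit)"
            Hash        = $ssl.HashAlgorithm
            ServerCert  = $ssl.RemoteCertificate.Subject
        }
    } catch {
        # Schannel's reason (for example, no common algorithm with the server) sits in an
        # inner exception under the AuthenticationException; walk the chain to show it.
        $messages = @()
        $e = $_.Exception
        while ($e) { $messages += $e.Message; $e = $e.InnerException }
        [pscustomobject]@{
            Server = $Server
            Result = 'FAILED'
            Detail = ($messages -join ' <- ')
        }
    } finally {
        if ($ssl)    { $ssl.Dispose() }
        if ($client) { $client.Close() }
    }
}

Test-NcentralTls12 -Server 'ncentral.example.invalid'   # placeholder host name
```

Run it on a device that is failing to check in, with the server set back to Modern. An "OK" result whose cipher is AES-GCM with an ECDH or DH key exchange shows the device can satisfy the Modern Profile; a "FAILED" result whose detail mentions that the client and server do not possess a common algorithm points back at the cipher suite readiness steps for that Operating System.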