Overview

As of January 13th, 2021, all clients must use TLS 1.2+ to connect to the Umbrella cloud for sync, registration, and updates.  Clients with lower versions will need to make manual adjustments to continue using the Umbrella clients without updating.

Roaming Client or AnyConnect

Windows Roaming Client or AnyConnect Module
-------
Endpoint Agent Version:
Cisco Umbrella roaming client: Version 2.2.356+ (link)
or
Cisco AnyConnect with Umbrella roaming module: Version 4.8.02042+ (link)
or
Using older client version, configure TLS 1.2 use with changes to the Windows Registry:

Microsoft .NET Framework Version:
.NET 4.6.2+ or patched .NET 3.5.1 (link)
(Note: AnyConnect requires .NET)

Windows Version: 7, 8, 8.1, 10

MacOS Roaming Client or AnyConnect Module
-------
Endpoint Agent Version
Umbrella Roaming Client, Minimum Endpoint Version: Any
or
Cisco AnyConnect roaming module minimum version: Any

macOS Version: 10.9+

For those that do not meet these requirements, please continue reading.

Technical Detail

Verify if any older .NET versions are installed, and apply the registry keys as per the Microsoft article above.

Below is a step-by-step guide:

1. Verify what .NET Framework version is installed on the Windows machine

2. If only .NET version 4.6.2 (and above) is installed, the latest .NET Framework requires you to toggle with stronger cipher using these registry keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

3. If both .NET version 4 and 3.5 are installed, on top of the registry keys for .NET version 4,  .NET 3.5 would also require you to:

• Install the .NET 3.5 patch from https://support.microsoft.com/en-us/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework. 
• Toggle the following registry keys in order to support TLS  protocols:
  
  

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001

Active Directory Connector

Platforms supported: Windows Server 2012 and above 

Note: Support for connectors running Windows Server 2008 and 2008 R2 has been discontinued, since Microsoft has announced End of support for these versions in Jan 2020. You will need to upgrade to a supported Windows Server version to continue running the Connector. 

If your Connector is running on Windows Server 2012 or above and has only .NET version 4.x, the Connector should use TLS 1.2 by default when communicating with Umbrella. 

If you are running .NET 3.5 on the connector server, disable this to force the connector to use TLS1.2.

If .NET 3.5 cannot be disabled, ensure that the following changes are made:

• If the Connector is running on Windows Server 2012 R2, check if patch 3154520 has been applied to the server. If not, download and apply the patch from https://support.microsoft.com/en-us/help/3154520/support-for-tls-system-default-versions-included-in-the-net-framework. 
• If the Connector is running on Windows Server 2012, check if patch 3154519 has been applied to the server. If not, download and apply the patch from https://support.microsoft.com/en-us/help/3154519/support-for-tls-system-default-versions-included-in-the-net-framework. 
• If the Connector is running on Windows Server 2016, this will require patch 3156421 to be applied to the server. Microsoft does not offer this patch for individual download, so ensure that any cumulative updates that appear under Settings, Update and Security, Windows Updates. are applied.
• Toggle/set the following registry keys to force the connector to use TLS 1.2: 

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] 

  "SchUseStrongCrypto"=dword:00000001  

  [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319] 

  "SchUseStrongCrypto"=dword:00000001 

  [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] 

  “DisabledByDefault”=dword:00000000 
  “Enabled”=dword:00000001

Reboot the server after the above changes are made.