The Cisco Umbrella Roaming Client and AD Connector are built against .NET Framework 3.5. .NET 3.5 does not support TLS 1.2 by default (see the Microsoft article linked below). If TLS 1.0 and the SSL protocols are disabled on the Windows endpoint, the TLS handshake between the Roaming Client/AD Connector and the Umbrella API will fail. If .NET 3.5 is installed and may be used, deploy the .NET 3.5 patch to ensure maximum compatibility when the older TLS versions are disabled.
Recommended steps for the Connector on Server 2012 R2 and later: uninstall .NET 3.5 and ensure .NET 4.7 or later is installed.
Have you followed these steps, only for the Connector to stop working again after a Windows update? This is a known issue with Windows.
Before disabling TLS 1.0 and the SSL protocols on the Windows endpoint, verify whether any older .NET versions are installed, and apply the registry keys described in the Microsoft article linked below.
Below is a step-by-step guide:
1. Verify which .NET Framework version(s) are installed on the Windows machine.
2. If only .NET version 4.6.2 (or later) is installed, the .NET Framework still requires you to enable the stronger cryptography defaults using these registry keys:
3. If both .NET version 4 and .NET 3.5 are installed, then in addition to the registry keys for .NET version 4, .NET 3.5 also requires you to:
- Install the .NET 3.5 patch from https://support.microsoft.com/en-us/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework.
- Toggle the following registry keys in order to support TLS protocols:
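The following PowerShell script is an added example that walks through the three steps above; it is not part of the Cisco article and not Cisco code. It reads the .NET Framework setup keys to inventory what is installed, then sets the two values Microsoft documents for making .NET honour the OS TLS defaults (`SystemDefaultTlsVersions`) and strong cryptography (`SchUseStrongCrypto`) under the .NET 4 and .NET 2.0/3.5 runtime keys. The minimum `Release` value for .NET 4.6.2 (394802) is taken from Microsoft's published version table; the function names and the audit/apply split are this example's own. Run it in an elevated session; `Test-NetTlsRegistry` only reports, `Set-NetTlsRegistry` writes.

```powershell
# Added example (not from the Umbrella article): inventory .NET Framework versions,
# then audit or apply the TLS-related registry values. Requires an elevated session.

$Ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'

# Runtime keys read by .NET 4.x and by .NET 2.0/3.5. Both the native and the
# WOW6432Node hives are covered so 32-bit and 64-bit .NET processes are both affected.
$Net4Keys = @('HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
              'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319')
$Net2Keys = @('HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
              'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727')
$TlsValues = @{ SystemDefaultTlsVersions = 1; SchUseStrongCrypto = 1 }

# Step 1: which .NET Framework versions are installed?
function Get-NetFrameworkInventory {
    $v35 = Get-ItemProperty -Path "$Ndp\v3.5" -Name Install -ErrorAction SilentlyContinue
    $v4  = Get-ItemProperty -Path "$Ndp\v4\Full" -Name Release -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Has35      = ($v35.Install -eq 1)
        Release4   = $v4.Release
        # 394802 is the lowest Release value Microsoft lists for .NET Framework 4.6.2
        Has462Plus = ($null -ne $v4.Release -and $v4.Release -ge 394802)
    }
}

# Report, for each relevant runtime key, which of the two values are missing or not 1.
function Test-NetTlsRegistry {
    $inv  = Get-NetFrameworkInventory
    $keys = @()
    if ($inv.Has462Plus) { $keys += $Net4Keys }   # step 2
    if ($inv.Has35)      { $keys += $Net2Keys }   # step 3 (together with the .NET 3.5 patch)
    foreach ($k in $keys) {
        foreach ($name in $TlsValues.Keys) {
            $cur = (Get-ItemProperty -Path $k -Name $name -ErrorAction SilentlyContinue).$name
            [pscustomobject]@{ Key = $k; Value = $name; Current = $cur; Compliant = ($cur -eq 1) }
        }
    }
}

# Write the values. On .NET 3.5 SystemDefaultTlsVersions only takes effect once the
# patch from the Microsoft article above is installed; the registry value alone is not enough.
function Set-NetTlsRegistry {
    $inv  = Get-NetFrameworkInventory
    $keys = @()
    if ($inv.Has462Plus) { $keys += $Net4Keys }
    if ($inv.Has35)      { $keys += $Net2Keys }
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
        foreach ($name in $TlsValues.Keys) {
            Set-ItemProperty -Path $k -Name $name -Value $TlsValues[$name] -Type DWord
        }
    }
    Test-NetTlsRegistry
}

# Usage:
Get-NetFrameworkInventory | Format-List
Test-NetTlsRegistry | Format-Table -AutoSize
# Set-NetTlsRegistry | Format-Table -AutoSize   # uncomment to apply
```

Run `Test-NetTlsRegistry` again after the next Windows update: the known-issue behaviour mentioned above shows up as values that were previously 1 reverting, and this audit makes that visible before the Connector's API calls start failing. Restart the Roaming Client or AD Connector service after changing the values, since a running .NET process reads them at start-up.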