Overview

As of January 27th, 2021, all clients must use TLS 1.2+ to connect to the Umbrella cloud for sync, registration, and updates.  Clients with lower versions will need to make manual adjustments to continue using the Umbrella clients without updating.

AnyConnect Roaming Module

Windows Roaming Client or AnyConnect Module
-------
Endpoint Agent Version:

Standalone Umbrella roaming clients only support the current version. Older versions are not supported. This version supports TLS 1.2 natively with .NET 4.6.2+

Must meet both requirements

A: Client Version

1. Cisco AnyConnect with Umbrella roaming module: Version 4.8.02042+ (link)
   or
2. Cisco AnyConnect 4.3 MR4+ plus configure TLS 1.2 use with changes to the Windows Registry noted below to expand TLS support to include TLS 1.2:

B: .NET Framework Version

1. Microsoft .NET Framework Version:
   .NET 4.6.2
   or
2. older .NET versions in accordance with registry key requirements

Windows Version: 7, 8, 8.1, 10

MacOS Roaming Client or AnyConnect Module

No change in system requirements for TLS 1.2 support

For those that do not meet these requirements, please continue reading.

Technical Detail

Verify if any older .NET versions are installed, and apply the registry keys as per the Microsoft article above.

Steps required for older client versions below AnyConnect 4.8 MR2 from 2) above:

Option A: schusestrongcrypto

What does it do?

A: Explicitly sets the supported secure protocols to the set of TLS 1.0, TLS 1.1, and TLS 1.2 rather than rely on .NET call defaults.

Below is a step-by-step guide:

1. Verify what .NET Framework version is installed on the Windows machine

2. If only .NET version 4.6.2 (and above) is installed, the latest .NET Framework requires you to toggle with stronger cipher using these registry keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

A PowerShell script is provided as an example for making these changes via SCCM/CLI. This script is provided as is.

# set strong cryptography on 64 bit .Net Framework (version 4 and above)
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SystemDefaultTlsVersions' -Value '1' -Type DWord


# set strong cryptography on 32 bit .Net Framework (version 4 and above)
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord 
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SystemDefaultTlsVersions' -Value '1' -Type DWord

Option B: SystemDefaultTlsVersions

For older .NET versions - this option will work in older clients and would also be needed. For .NET 4.6.2+, this is an equivalent alternative to schusestrongcrypto and both would not be required.

What does it do?

A: Defers TLS version choice to the OS rather than determining it within .NET. Allows legacy calls to use system supported versions. In most cases, this includes TLS 1.2.

.NET 4.5.1, 4.5.2: Requires https://support.microsoft.com/kb/3156421

.NET 3.5 SP1 on Windows 7: Requires https://support.microsoft.com/kb/3154518  
.NET 3.5 SP1 on Windows 8.1: Requires https://support.microsoft.com/kb/3154520  
.NET 4.6.2+: No additional requirements 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001

Active Directory Connector

Platforms supported: Windows Server 2012 and above 

Note: Support for connectors running Windows Server 2008 and 2008 R2 has been discontinued, since Microsoft has announced End of support for these versions in Jan 2020. You will need to upgrade to a supported Windows Server version to continue running the Connector. 

If your Connector is running on Windows Server 2012 or above and has only .NET version 4.x, the Connector should use TLS 1.2 by default when communicating with Umbrella. 

If you are running .NET 3.5 on the connector server, disable this to force the connector to use TLS1.2.

If .NET 3.5 cannot be disabled, ensure that the following changes are made:

• If the Connector is running on Windows Server 2012 R2, check if patch 3154520 has been applied to the server. If not, download and apply the patch from https://support.microsoft.com/en-us/help/3154520/support-for-tls-system-default-versions-included-in-the-net-framework. 
• If the Connector is running on Windows Server 2012, check if patch 3154519 has been applied to the server. If not, download and apply the patch from https://support.microsoft.com/en-us/help/3154519/support-for-tls-system-default-versions-included-in-the-net-framework. 
• If the Connector is running on Windows Server 2016, this will require patch 3156421 to be applied to the server. Microsoft does not offer this patch for individual download, so ensure that any cumulative updates that appear under Settings, Update and Security, Windows Updates. are applied.
• Toggle/set the following registry keys to force the connector to use TLS 1.2: 

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] 

  "SchUseStrongCrypto"=dword:00000001  

  [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319] 

  "SchUseStrongCrypto"=dword:00000001 

  [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] 

  “DisabledByDefault”=dword:00000000 
  “Enabled”=dword:00000001

Reboot the server after the above changes are made.