Requirements for forcing TLS 1.2 on the Connector and Roaming Client

Overview

Cisco Umbrella is updating the connector and roaming client to support TLS 1.2 natively before TLS 1.0 and 1.1 are disabled on the Umbrella cloud. Clients with lower versions will need to make manual adjustments after September 2020 to continue using the Umbrella clients without updating.

Windows Roaming Client or AnyConnect Module
-------
Endpoint Agent Version:
Cisco Umbrella roaming client: Version 2.2.356+ (link)
or
Cisco AnyConnect with Umbrella roaming module: Version 4.8.02042+ (link)
or
Using older client version, configure TLS 1.2 use with changes to the Windows Registry: https://support.umbrella.com/hc/en-us/articles/115005871543-Requirements-for-forcing-TLS-1-2-on-the-Connector-and-Roaming-Client

Microsoft .NET Framework Version:
.NET 4.6.2+ or patched .NET 3.5.1 (link)
(Note: AnyConnect requires .NET

Windows Version: 7, 8, 8.1, 10

MacOS Roaming Client or AnyConnect Module
-------
Endpoint Agent Version
Umbrella Roaming Client, Minimum Endpoint Version: Any
or
Cisco AnyConnect roaming module minimum version: Any

macOS Version: 10.9+

For those that do not meet these requirements, please continue reading.

Technical Detail

Prior to disabling TLS 1.0 and SSL protocols on the Windows end point, you will need to verify if any older .NET versions are installed, and apply the registry keys as per the Microsoft article above.

Below is a step-by-step guide:

1. Verify what .NET Framework version is installed on the Windows machine

2. If only .NET version 4.6.2 (and above) is installed, the latest .NET Framework requires you to toggle with stronger cipher using these registry keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

3. If both .NET version 4 and 3.5 are installed, on top of the registry keys for .NET version 4,  .NET 3.5 would also require you to:

• Install the .NET 3.5 patch from https://support.microsoft.com/en-us/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework. 
• Toggle the following registry keys in order to support TLS  protocols:
  
  

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001