As of March 31, 2020**, Transport Layer Security (TLS) 1.0 and 1.1 will no longer be supported by Cisco Umbrella servers and services. All endpoints will be required to support TLS 1.2 after this date in order to function properly with Cisco Umbrella.
Except for AnyConnect, the Umbrella Roaming Client, and the AD Connector, Umbrella ended support for TLS 1.0/1.1 in March 2020. However because of backend dependencies, some additional services for dashboard and APIs unofficially continued to support TLS 1.0/1.1 -- On January 27th, these additional services will stop accepting TLS 1.0/1.1 connections. If you have trouble accessing the dashboard or APIs, please check your device for TLS 1.2 support.
**IMPORTANT MESSAGE RE PROTECTION FOR ANYCONNECT OR ROAMING CLIENT DEVICES** We are providing a FINAL extension to January 27, 2021 to complete the upgrade to TLS 1.2.There will be no further extensions. AnyConnect and Roaming Client devices not meeting TLS 1.2 requirements by January 27, 2021 will no longer be protected by Umbrella.
**Secure Web Gateway: Umbrella will no longer support HTTPS traffic using TLS1.0 / TLS1.1 in our Secure Gateway product. Previously (prior to January 27th, 2021) the Secure Web Gateway offered limited support for these TLS protocols only in scenarios where HTTPS Decryption was disabled.
Non-browser applications may require an upgrade or additional changes to support TLS1.2. Contact the application vendor for advice on TLS1.2 compatibility.
**Umbrella Active Directory Connector: Umbrella does not support Active Directory connectors deployed on Windows operating systems that have reached end of life. If your AD connectors are still running on an unsupported Windows version (Windows Server 2008/2008 R2 or Windows 7), these connectors will stop synchronizing to Umbrella and move to error state on January 27th 2021.
Umbrella Agents: Minimum version requirements
The newest versions of the Umbrella roaming client and Umbrella roaming module for AnyConnect will automatically use TLS 1.2 if the correct .NET version is found (Windows). We recommend all customers upgrade to one of these new versions as listed below. If an upgrade is not possible, then older clients can be configured to use TLS 1.2 by changing the Windows Registry as noted below.
Windows Roaming Client or AnyConnect Module
Endpoint Agent Version:
- Cisco Umbrella roaming client: Version 2.2.356+ (link)
- Cisco AnyConnect with Umbrella roaming module: Version 4.8.02042+ (link)
- Using older client version, configure TLS 1.2 use with changes to the Windows Registry with these steps.
Microsoft .NET Framework Version:
.NET 4.6.2+ or patched Windows 7 with .NET 3.5.1 (link)
(Note: AnyConnect requires .NET 4.x+)
Windows Version: 7, 8, 8.1, 10
MacOS Roaming Client or AnyConnect Module
Endpoint Agent Version
Umbrella Roaming Client, Minimum Endpoint Version: Any version will support TLS 1.2
Cisco AnyConnect roaming module minimum version: Any version will support TLS 1.2
macOS Version: 10.9+
Additional Questions and Answers
Question: What will happen if I do not update my endpoints by the deadline?
Answer: Endpoints that are not able to negotiate a TLS 1.2 connection will be unable to access Cisco Umbrella systems including the dashboard, intelligent proxy services, and block pages. Additionally, for those customers running the Umbrella Roaming Module within AnyConnect, the Umbrella Enterprise Roaming Client or the Umbrella AD Connector, the client will be unable to connect to any Umbrella service. This will result in the client no longer synchronizing configuration and status with the Umbrella dashboard.
In addition, existing roaming clients will cease to activate and remain unprotected beginning at the next service start and new clients that do not support TLS 1.2 will not be able to register with Umbrella. Clients will fail open, and DNS in general will continue to resolve via the local network stack; however, roaming client security services will not activate.
If an endpoint attempts to reach a site that is blocked or sent through the Intelligent Proxy, the device will be unable to connect. Devices using our roaming client will be unable to access our website, block pages, or proxy services.
Question: If we have an older version, will the registry key work? Why?
Answer: Yes (for AnyConnect). You may continue to use older versions after applying the registry edit to prefer strongcrypto. Prior to the minimum versions listed, the roaming client made calls for HTTPS connections without specifying TLS 1.2 strongcrypto explicitly. .NET - if supported - would use TLS 1.2. The registry keys apply the logic to .NET to use strongcrypto, thereby effectively making the same changes made in our updated client versions. Note, standalone roaming clients older than the latest release are not supported.
Question: Can I test TLS 1.2 only?
Answer: Yes! TLS 1.0 and TLS 1.1 may be disabled on the Windows Registry. Use this setting to validate your devices can fully function using TLS 1.2 only.
Question: Why are you deprecating TLS 1.0 and 1.1?
Answer: TLS 1.0 and 1.1 are out-of-date protocols that do not support modern cryptographic algorithms, and they contain security vulnerabilities that may be exploited by attackers. The Internet Engineering Task Force is also planning to officially deprecate both protocols. In addition, the vast majority of encrypted Internet traffic is now over TLS 1.2, which was introduced over a decade ago.
Question: Why did you choose March 31, 2020?
Answer: The industry is working to deprecate support for TLS 1.0 and 1.1 in this timeframe. Google, Microsoft, Apple, and Mozilla have all announced that their browsers will no longer support TLS 1.0 and 1.1 as of March 2020.
Question: Will this affect my users that have up-to-date devices?
Answer: It should not, because the vast majority of websites support TLS 1.2. According to Qualys’s SSL Labs 95.2% of websites support TLS 1.2. We expect this number to rise significantly as March 2020 approaches. A small number of websites may not work but the overall impact to your users will be minimal. Note that having an up-do-date device includes the version of .NET for Windows machines. See below for further information.
Question: If I update my endpoint to support TLS1.2, do I need to do anything further to re-enable Umbrella Support?
Answer: In most cases, no. The client will re-establish communications with the Umbrella systems leveraging the more secure TLS1.2 protocol. For those customers with the Umbrella Enterprise Roaming Client or the Umbrella Roaming Client for AnyConnect there may be a delay in restoration if your system was offline during a Cisco client software update. The client may need to download updates prior to service being fully restored.
Question: How can I tell if my endpoints support TLS 1.2?
Answer: For Microsoft Windows users, there are two areas that will impact TLS compatibility with Cisco Umbrella Services
- Web Browser Support to access the Umbrella dashboard and related websites
- Browser test: https://www.ssllabs.com/ssltest/viewMyClient.html. Confirm that there is a “Yes” next to TLS 1.2 in the “Protocols” section
- .NET framework Support for users of the Enterprise Roaming Client or AnyConnect Roaming Module or the Umbrella AD Connector
- .NET: Native TLS 1.2 support requires .NET framework 4.6.2+. Prior versions require registry edits (4.x) or Registry edits and manual hotfix patches (3.5). More information can be found here - https://support.umbrella.com/hc/en-us/articles/115005871543-Requirements-for-forcing-TLS-1-2-on-the-Connector-and-Roaming-Client. This applies to Umbrella software running on .NET framework - currently AD Connector and Roaming client
We also recommend that you disable support for SSL, TLS 1.0 and TLS v1.1 at the operating system level: https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1-0-ssl-2-0-ssl-3-0-or-tls-1-0-in-internet-informat.
For Apple Mac and other systems, you should perform the browser test: https://www.ssllabs.com/ssltest/viewMyClient.html. Confirm that there is a “Yes” next to TLS 1.2 in the “Protocols” section