As of March 31, 2020, Transport Layer Security (TLS) 1.0 and 1.1 will no longer be supported. All endpoints will be required to support TLS 1.2 after this date in order to function properly with Cisco Umbrella.
Update: Cisco Umbrella will continue to support Cisco AnyConnect and Cisco Umbrella Roaming Client versions that require TLS 1.0/1.1 until October 30th 2020. All other uses of TLS 1.0 and 1.1 will be discontinued as planned on March 31st.
Question: Why are you deprecating TLS 1.0 and 1.1?
Answer: TLS 1.0 and 1.1 are out-of-date protocols that do not support modern cryptographic algorithms, and they contain security vulnerabilities that may be exploited by attackers. The Internet Engineering Task Force is also planning to officially deprecate both protocols. In addition, the vast majority of encrypted Internet traffic is now over TLS 1.2, which was introduced over a decade ago.
Question: Why did you choose March 31, 2020?
Answer: The industry is working to deprecate support for TLS 1.0 and 1.1 in this timeframe. Google, Microsoft, Apple, and Mozilla have all announced that their browsers will no longer support TLS 1.0 and 1.1 as of March 2020.
Question: Will this affect my users that have up-to-date devices?
Answer: It should not, because the vast majority of websites support TLS 1.2. According to Qualys’s SSL Labs 95.2% of websites support TLS 1.2. We expect this number to rise significantly as March 2020 approaches. A small number of websites may not work but the overall impact to your users will be minimal. Note that having an up-do-date device includes the version of .NET for Windows machines. See below for further information.
Question: What will happen if I do not update my endpoints by the deadline?
Answer: Endpoints that are not able to negotiate a TLS 1.2 connection will be unable to access Cisco Umbrella systems including the dashboard, intelligent proxy services, and block pages. Additionally, for those customers running the Umbrella Roaming Module within AnyConnect, the Umbrella Enterprise Roaming Client or the Umbrella AD Connector, the client will be unable to connect to any Umbrella service. This will result in the client no longer synchronizing configuration and status with the Umbrella dashboard. In addition, some security features such as IP Blocking will no longer function until TLS 1.2 support is enabled on the endpoint. New clients that do not support TLS 1.2 will not be able to register with Umbrella.
If an endpoint attempts to reach a site that is blocked or sent through the Intelligent Proxy, the device will be unable to connect. Devices using our roaming client will be unable to access our website, block pages, or proxy services.
Question: If I update my endpoint to support TLS1.2, do I need to do anything further to re-enable Umbrella Support?
Answer: In most cases, no. The client will re-establish communications with the Umbrella systems leveraging the more secure TLS1.2 protocol. For those customers with the Umbrella Enterprise Roaming Client or the Umbrella Roaming Client for AnyConnect there may be a delay in restoration if your system was offline during a Cisco client software update. The client may need to download updates prior to service being fully restored.
Question: How can I tell if my endpoints support TLS 1.2?
Answer: For Microsoft Windows users, there are two areas that will impact TLS compatibility with Cisco Umbrella Services
- Web Browser Support to access the Umbrella dashboard and related websites
- Browser test: https://www.ssllabs.com/ssltest/viewMyClient.html. Confirm that there is a “Yes” next to TLS 1.2 in the “Protocols” section
- .NET framework Support for users of the Enterprise Roaming Client or AnyConnect Roaming Module or the Umbrella AD Connector
- .NET: Native TLS 1.2 support requires .NET framework 4.6.2+. Prior versions require registry edits (4.x) or Registry edits and manual hotfix patches (3.5). More information can be found here - https://support.umbrella.com/hc/en-us/articles/115005871543-Requirements-for-forcing-TLS-1-2-on-the-Connector-and-Roaming-Client. This applies to Umbrella software running on .NET framework - currently AD Connector and Roaming client
We also recommend that you disable support for SSL, TLS 1.0 and TLS v1.1 at the operating system level: https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1-0-ssl-2-0-ssl-3-0-or-tls-1-0-in-internet-informat.
For Apple Mac and other systems, you should perform the browser test: https://www.ssllabs.com/ssltest/viewMyClient.html. Confirm that there is a “Yes” next to TLS 1.2 in the “Protocols” section
Question: What is the minimum agent software version requirements?
Answer: The following are the software requirements for TLS 1.2 support natively.
Umbrella Endpoint Agent Requirements for TLS 1.2 Support
The newest versions of the Umbrella roaming client and Umbrella roaming module for AnyConnect will automatically use TLS 1.2 if the correct .NET version is found (Windows). We recommend all customers upgrade to one of these new versions as listed below. If an upgrade is not possible, then older clients can be configured to use TLS 1.2 by changing the Windows Registry: https://support.umbrella.com/hc/en-us/articles/115005871543-Requirements-for-forcing-TLS-1-2-on-the-Connector-and-Roaming-Client
Windows Roaming Client or AnyConnect Module
Cisco Umbrella roaming client: Version 2.2.356+ (link)
Cisco AnyConnect with Umbrella roaming module: Version 4.8.02042+ (link)
Using older client version, configure TLS 1.2 use with changes to the Windows Registry: https://support.umbrella.com/hc/en-us/articles/115005871543-Requirements-for-forcing-TLS-1-2-on-the-Connector-and-Roaming-Client
.NET 4.6.2+ or patched .NET 3.5.1 (link)
(Note: AnyConnect requires .NET
7, 8, 8.1, 10
MacOS Roaming Client or AnyConnect Module
Umbrella Roaming Client, Minimum Endpoint Version: Any
Cisco AnyConnect roaming module minimum version: Any