Tightening cipher suites breaks Windows 7 Global protect

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Tightening cipher suites breaks Windows 7 Global protect

L4 Transporter

Hi folks.

 

I have recently, as I'm sure a lot of us have, attempted to tighten security on my global protect portal.

 

I ran an SSL labs scan on it, and it came back with a B result because of some older cipher suites still being in use - so I made some changes to try and tighten this up.

 

I was successful - got it up to an A - but it came at a cost.

 

I, unfortunately, still have numerous Windows 7 workstations (save the outrage, please, I'm well aware of the risks, and there are legitimate reason I can't upgrade them yet), and it seems that tightening these protocols on the firewall completely broke Global protect on the Windows 7 machines. They simply would not connect.

 

The changes I made were as follows

 

1. Minimum TLS version set to TLS 1.2

2. Modified shared ssl-tls profile settings as follows

  1. auth-algo-sha1 no
  2. enc-algo-3des no
  3. enc-algo-aes-128-cbc no
  4. enc-algo-aes-128-gcm no
  5. enc-algo-rc4 no

One of these settings simply broke global protect - I had to revert them all (except the SHA1 and RC4)

 

Has anyone come across his, and know of a solution on he Windows 7 end? Advice to upgrade to Windows 10, while certainly correct, aren't helpful at this point in time - I'm working to get that happening as quickly as I can.

 

Oh, the GP client running was 5.0.7

 

Thanks for any input

0 REPLIES 0
  • 1841 Views
  • 0 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!