Prior to Sophos Enterprise Console (SEC) version 5.5.1, earlier versions require TLS 1.0. If TLS 1.0 has been disabled on the SEC management server or SQL server that hosts the Sophos database, the Management Service will not run.
In order to comply with upcoming PCI requirements, and security concerns such as POODLE, and BEAST, many organizations are turning off support for TLS 1.0 in their environments. This change is required to be implemented by June 2018 for compliance with PCI.
Turning off TLS 1.0 on the main server running the Sophos Management Service or on the SQL server hosting the database, will result in the Management Service being unable to connect to the SQL server.
Microsoft has been updating several of the different connection methods to support TLS 1.2, however they have not updated the OLE DB methods, which is what we use to connect to the database for Sophos Enterprise Console. OLE DB only supports TLS 1.0, and it must be present on the both sides of the connection.
The following sections are covered:
Applies to the following Sophos products and versions Enterprise Console 5.5.0Enterprise ConsoleEnterprise Console 5.4.1
In a default install, both SQL and the Management Service are on the same server. Since TLS vulnerabilities are used for Man-in-the-Middle attacks, local connections are not as susceptible to disruption. Only the main Sophos Enterprise Console server and SQL server require TLS 1.0. All other endpoints protected by Sophos do not require this protocol.
If you require TLS 1.2 for your database you will need to upgrade to SEC 5.5.1. This version contains a database connection check tool that performs a number of checks to determine whether the system can connect to the Sophos database with TLS 1.2 and provide further information on the changes required to enable the use of TLS 1.2.
If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article. This is invaluable to us to ensure that we continually strive to give our customers the best information possible.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.