This article covers the steps and prerequisites required to allow TLS 1.2 communication between PureMessage for Microsoft Exchange 4.0.4 and the Sophos SQL instance. The following sections are covered:
Applies to the following Sophos products and versions: PureMessage for Microsoft Exchange 4.0.4
From PureMessage for Microsoft Exchange 4.0.4 onward, PureMessage supports connecting to a Microsoft SQL Server using the TLS 1.2 protocol. This requires a number of configuration steps.
For new installs of Sophos PureMessage, where there has been no previous installation of Sophos PureMessage on the Exchange server, the Microsoft SQL Server can be configured to allow TLS 1.2 communication before the install process. This is only possible if Microsoft SQL Server is already installed and available. If you need to use the Database Connection Check tool provided with Sophos PureMessage 4.0.4, these steps must be carried out after Sophos PureMessage has been installed.
For customers upgrading from a previous version of Sophos PureMessage to 4.0.4, the configuration steps for TLS 1.2 must be completed after the upgrade is complete. This is because versions of Sophos PureMessage prior to 4.0.4 do not support TLS 1.2, and communication to the database will fail.
Supporting TLS 1.2 requires SQL Server-side changes that must be completed by the administrator. The steps required can vary depending on the local environment; the following tool is installed with PureMessage to help identify the steps that may be required:
KBA 132091 - Sophos PureMessage - Database Connection check tool
Please note that this tool is not run as part of the installation process. It is provided for the convenience of customers to assist in the configuration of TLS 1.2.
To enable TLS 1.2 communication, a self-signed certificate must be created to validate the connection. The following article documents these steps:
KBA 132093 - Sophos PureMessage - How to create the required certificate package to allow TLS 1.2 connection to the database
Please also note that SQL Native Client 11.0 (SQLNCLI 11.0) must be installed to allow PureMessage to communicate with a Microsoft SQL Server using TLS 1.2. If SQLNCLI is not present on the machine, it will be installed as part of the PureMessage installation process. This process may require a reboot of the server.
To leverage the enhanced security of TLS 1.2, your SQL servers must be set up with FQDNs that match the names specified in the certificate generated as part of this process. After TLS 1.2 has been configured, the names of these servers cannot be changed.
TCP/IP connections must also be enabled and allowed on the SQL Server.
Depending on your environment, there may be a requirement to force TLS 1.2 connections for PureMessage without forcing TLS 1.2 on the Microsoft SQL Server. This ability is provided in PureMessage 4.0.4 and is documented in the following article:
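The prerequisites above (SQLNCLI 11.0 present, the SQL Server reachable by a resolvable FQDN, TCP/IP enabled, and TLS 1.2 not disabled on the client) can be checked before the cut-over with a short pre-flight script run on the PureMessage server. This is an added example, not a Sophos tool; the function name, the parameter names and the default instance port 1433 are assumptions.

```powershell
# Added example (not part of the Sophos article): pre-flight checks for the
# TLS 1.2 prerequisites, run on the PureMessage/Exchange server.
# Assumptions: default SQL instance on TCP 1433; function/parameter names are hypothetical.
function Test-PureMessageTls12Prereqs {
    param(
        [Parameter(Mandatory)][string]$SqlFqdn,
        [int]$SqlPort = 1433
    )
    $result = [ordered]@{}

    # 1. SQL Native Client 11.0 (SQLNCLI 11.0) installs sqlncli11.dll into System32.
    $result.SqlNcli11Present = Test-Path (Join-Path $env:windir 'System32\sqlncli11.dll')

    # 2. The connection name must be an FQDN that resolves: the certificate is
    #    issued to that name and the server name cannot change afterwards.
    $result.NameIsFqdn = $SqlFqdn -match '^[^.]+\.[^.]+'
    try {
        $result.FqdnResolves = [bool][System.Net.Dns]::GetHostEntry($SqlFqdn)
    } catch { $result.FqdnResolves = $false }

    # 3. TCP/IP must be enabled on the SQL Server: probe the listener port.
    $tnc = Test-NetConnection -ComputerName $SqlFqdn -Port $SqlPort -WarningAction SilentlyContinue
    $result.TcpReachable = $tnc.TcpTestSucceeded

    # 4. TLS 1.2 must not be disabled for the SCHANNEL client on this host.
    #    Absent keys mean the OS default applies; an explicit Enabled=0 or
    #    DisabledByDefault=1 blocks TLS 1.2 and would leave PureMessage on TLS 1.0.
    $tls12 = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    $result.Tls12ClientDisabled = $false
    if (Test-Path $tls12) {
        $p = Get-ItemProperty -Path $tls12
        if ($p.Enabled -eq 0 -or $p.DisabledByDefault -eq 1) { $result.Tls12ClientDisabled = $true }
    }

    $result.AllOk = $result.SqlNcli11Present -and $result.NameIsFqdn -and
                    $result.FqdnResolves -and $result.TcpReachable -and
                    -not $result.Tls12ClientDisabled
    [pscustomobject]$result
}

# Example run (constructed host name); review any $false value before enabling TLS 1.2.
Test-PureMessageTls12Prereqs -SqlFqdn 'sql01.corp.example.com' | Format-List
```

A passing result does not prove the SQL Server itself accepts TLS 1.2; the Database Connection Check tool and the Application event log entries described in this article remain the authoritative confirmation.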
KBA 132301 - Sophos PureMessage - How to Force the database connection to use TLS 1.2
Upon completion of the prerequisite and setup steps, PureMessage will use the available TLS 1.2 connection. This can be confirmed by reviewing the Application event log on the PureMessage server. If the TLS 1.2 connection is configured and used correctly, the following event is shown:
However, if the TLS 1.2 connection cannot be established, PureMessage will continue to function over a TLS 1.0 connection. If that is the case, the following event is seen: