
Has anybody managed to successfully deploy Sophos Enterprise 5.5.1 while using the TLS1.2 database connectivity?

I just can't seem to figure out how to get it to work...? Even though I'm on Server 2012 R2 fully updated, with SQL 2012 SP4. No matter what I do the Sophos Installer always says:

 

(x) SQL Server instance does not support TLS 1.2

(x) There is no certificate installed that can be used with SQL Server

I ignored these warnings and installed SEC5.5.1 anyway as it still works with TLS1.0, but I really want it to work with TLS1.2. Anybody else have any similar issues?

 

Cheers



This thread was automatically locked due to age.
  • Hello Redfern,

    I am in the process of updating from 5.4.1 and have overcome all but the stated instance support error. I too am on 2012 SP4 /w CU 10. I've tried many different things after ensuring it was not anything to do with an encrypted connection to the SQL server.

    So I decided to log a ticket with Sophos to get their explanation on the issue. I'm wondering if it is simply checking for a version number that is different, below mine is stated as 11.4.7001.0 which might identify express version over other versions.

    SQL Server 2012 (codename Denali)
      - 11.0.2100.60
      - 11.0.3000.0 or 11.1.3000.0
      - 11.0.5058.0 or 11.2.5058.0
      - 11.0.6020.0 or 11.3.6020.0
      - 11.0.7001.0 or 11.4.7001.0

    In your case the cert issue is that you will need to configure a certificate for use with the SQL Server. We have an enterprise CA so it's quite straightforward for me (just remember to configure all the alternate names you might be using). Sophos link below if you haven't already seen it.

    community.sophos.com/.../127521


    Can let you know what they reply.

    Cheers,

    Grant

  • Hi Grant. 

    Thanks for this. 

    Did you get a helpful Reply? 

     

    Would be grateful if you can share it with us. 

     

    Cheers. 

     

    Shahid 

  • Do a quick research; this is a common issue. The installer is unaware which version of SQL is really compatible with TLS 1.2.

  • Hi Shahid,


    I got a reply that said they are discussing it with their product team and will get back to me. I'm sure the post below is spot on with simple installer issues, but I need an official response from Sophos for our compliance. Will update the thread when they provide such information.

    best wishes,

    Grant

  • Hi guys,

    yep no worries, if I'm slow getting back to this thread it's only because it's a slow process with the Sophos support team. So far they have just referred me to these two links below, which are the same as those referenced during this installer.

    -----------------------------------------
    Article ID: 127521
    Title: Enterprise Console - Database connection check
    URL: https://sophos.com/kb/127521
    -----------------------------------------


    The KBA also links to a Microsoft page that describes what needs to be done in order to prepare the SQL server for TLS 1.2:
    https://support.microsoft.com/en-us/help/3135244/tls-1-2-support-for-microsoft-sql-server

     

    Slightly annoying as the initial ticket I logged included output from the dbcheckconnection.exe tool.

    regards,

    Grant

  • Exactly the same here. They referred us to the link already provided in the installation instructions. dbconnection.exe, logs, etc.

  • Hi Guys, 

     

    Sophos got back to me today, and... yep... you guessed it, they RE-referred me to the article!

    And they are avoiding speaking to me over the phone about this. One of the engineers that I spoke to told me straight off the bat that he doesn't know much about SQL etc... like okay, but then why are you picking up a ticket that involves SQL?

    They said they'll look into it further and let me know. 

  • Hi guys,

    I'm going to take a different approach at this point. I found the xls matrix really quick and it appears SQL 2016 SP1 is the latest version supported with 5.4.1. So I'm going to upgrade SQL to this version as it should have the added benefit of exposing the "trace" debug in SQL extended events which will show me the SSL handshake (and what version it is, e.g. TLS 1.2).

    So working with the article below I should already see this information using SQL 2012 SP4, but I can confirm on a few different SQL boxes that I never see this option. But I do see it on an SQL 2016 SP1 box.

    www.sqlservercentral.com/.../


    The SQL instance is on the same box and is just SQL express, so I'll just snapshot the VM before upgrading, and can rollback if any problems are found.

    I'll report back in once I've completed and checked the above work.

    Ta,

    Grant