Has anybody managed to successfully deploy Sophos Enterprise 5.5.1 while using the TLS1.2 database connectivity?

I just cant seem to figure it out how to get it to work...? even though Im on server2012 R2 fully updated, with SQL 2012 SP4. No matter what i do the Sophos Installer always says:

 

(x) SQL Server instance does not support TLS 1.2

(x) There is no certificate installed that can be used with SQL Server

I ignored these warnings and Installed SEC5.5.1 anyway as it still works with TLS1.0, but i relly want it to work with TLS1.2, Anybody else have any similar issues?

 

Cheers

Parents Reply Children
  • Hi guys,

    yep no worries, if I'm a slow getting back to this thread it's only because it's a slow process with the Sophos support team. So far they have just referred me to these two links below, which are the same as those referenced during this installer.

    -----------------------------------------
    Article ID: 127521
    Title: Enterprise Console - Database connection check
    URL: https://sophos.com/kb/127521
    -----------------------------------------


    The KBA also links to a Microsoft page that describes what needs to be done in order to prepare the SQL server for TLS 1.2:
    https://support.microsoft.com/en-us/help/3135244/tls-1-2-support-for-microsoft-sql-server

     

    Slightly annoying as the initial ticket a logged included output from the dbcheckconnection.exe tool.

    regards,

    Grant

  • Exactely the same here.  They referred us to the link already provided in the installation instructions.  dbconnection.exe, logs, et.c.

  • Hi Guys, 

     

    Sophos got back to me today. and..yep..you guessed it, they RE-referred me to the article!

    And they are avoiding speaking to me over the phone about this. One of the engineers that i spoke to told me straight of the bat that he doesn't no much about SQL etc..like okay, but then why are you picking up a ticket that involves SQL? 

    They said they'll look into it further and let me know. 

  • Hi guys,

    I'm going to take a different approach at this point. I found the xls matrix really quick and it appears SQL 2016 SP1 is the latest version supported with 5.4.1. So I'm going to upgrade SQL to this version as it should have the added benefit of exposing the "trace" debug in SQL extended events which will show me the SSL handshake (and what version it is, e.g. TLS 1.2).

    So working with the article below I should already see this information using SQL 2012 SP4, but I can confirm on a few different SQL boxes that I never see this option. But I do see it on an SQL 2016 SP1 box.

    www.sqlservercentral.com/.../


    The SQL instance is on the same box and is just SQL express, so I'll just snapshot the VM before upgrading, and can rollback if any problems are found.

    I'll report back in once I've completed and check the above work.

    Ta,

    Grant

  • Can’t wait to see the result of this ...

  • Okay, so I have got to the root of the issue for my environment. I am running SEC 5.4.0 with SQL Express 20012 SP4. I get the following output from the installer:


    (/) Operating system is ready to use TLS 1.2

    (/) Installed .NET Framework supports TLS 1.2

    Connection to the SQL Server established

    (x) SQL Server instance does not support TLS 1.2

    (/) SQL Server TCP/IP protocol is enabled

    (/) There is a certificate installed that can be used with SQL Server

    (/) SQL Server Native Client library supports TLS 1.2

     

    Everything looks supported and I should follow the KB’s:

    -----------------------------------------
    Article ID: 127521
    Title: Enterprise Console - Database connection check
    URL: https://sophos.com/kb/127521
    -----------------------------------------


    The KBA also links to a Microsoft page that describes what needs to be done in order to prepare the SQL server for TLS 1.2:
    https://support.microsoft.com/en-us/help/3135244/tls-1-2-support-for-microsoft-sql-server

    However, no joy for me at this point. I try to follow this article to see what version of TLS is really being used:


    http://www.sqlservercentral.com/blogs/sqltact/2018/01/09/sql-server-on-tls-12-xevent-session-to-catch-tls-in-use/

    Still no joy as there is no extended event for “trace” even though the article says SQL 2012 SP4 is supported.

    At this point I look to upgrade to SQL 2016 SP1 and realise that a minimum SEC version of 5.4.1 needs to be installed.

    I first verified a successful upgrade to SEC 5.4.1, and then went ahead and upgraded to SQL 2016 SP1. At this point I can see errors with the SEC connection to the DB and SEC wont open.

    So I enabled TLS 1.1 and TLS 1.0 via the registry, rebooted and now SEC is working. I can also trace the DB connections and see that SEC 5.4.1 is using TLS 1.0

     

    I can also verify that the SQL mgt studio is using TLS 1.2

    Now when I run the installer DBcheckconnection I can a much better outcome.

    (/) Operating system is ready to use TLS 1.2

    (/) Installed .NET Framework supports TLS 1.2

    Connection to the SQL Server established

    (!) SQL Server instance can be configured to use TLS 1.2

    (/) SQL Server TCP/IP protocol is enabled

    (/) There is a certificate installed that can be used with SQL Server

    (/) SQL Server Native Client library supports TLS 1.2

    Encrypted connection to the SQL Server is established


    Upgraded to version 5.5.1

     

    SEC still connecting to DB using TLS 1.0, even after removing the registry entries.

     

    So to me it looks like SQL 2012 SP4 does not support TLS 1.2 as everything is working fine when I upgraded to SQL 2016 SP1. However, I still need to find out why SEC is still connecting using TLS 1.0. I'm in the process of taking this back to support now.

    regards,

    Grant

  • Hi guys,

    apologies but I didn't remove the registry entries properly. Once I did, I was back to getting a DB connection error:



    Back to the support team.

    regards,

    Grant

  • Hi Grant, 

     

    thank you for the detailed post about your procedure. I think ill also upgrade to 2016 to see if it helps. 

    Let us know how you get on. 

    Cheers

     

  • Hi guys,

    So the last thing I have done is the usual SDU logs to the support team, who will probably take them to the product team. On the brightside at least it's now running the latest version of SEC.

    Ta,

    Grant

  • Hi guys,

    not much to add to the Friday afternoon wrap up, other than I've been told that the incident has gone to GES engineers, who, "are the highest technical tier within support and are responsible for interacting with our development teams".

    Should have some better information next week.

    have a good weekend.

    Grant