
Has anybody managed to successfully deploy Sophos Enterprise 5.5.1 while using the TLS1.2 database connectivity?

I just can't seem to figure out how to get it to work...? Even though I'm on Server 2012 R2 fully updated, with SQL 2012 SP4. No matter what I do, the Sophos Installer always says:

 

(x) SQL Server instance does not support TLS 1.2

(x) There is no certificate installed that can be used with SQL Server

I ignored these warnings and installed SEC 5.5.1 anyway, as it still works with TLS 1.0, but I really want it to work with TLS 1.2. Anybody else have any similar issues?

 

Cheers



This thread was automatically locked due to age.
  • Hello

    There have been many mentions of many articles. When you write "that article", I am not sure which one you refer to ...

    Paul Jr

  • Hi Paul,

    This one below is the main culprit for me, as I'm never one to read the detailed parameters of an application unless I think I need the functionality. I really did not expect that the convert string would be found in a db check tool.

    -----------------------------------------
    Article ID: 127521
    Title: Enterprise Console - Database connection check
    URL: https://sophos.com/kb/127521 
    -----------------------------------------

    Anyway, time to continue, I've spent way too much time on this already and life's too short.

    Big thanks again to Dominic for showing me what I had missed.

    Best wishes to all,

    Grant

  • No problem Grant,

    Agree, the single line in the document is not particularly obvious, nor that it is required to run the connectivity tool in -a mode to migrate the console over to TLS 1.2.

    Surely going forward the functionality will be built into the Installer/Console itself, and would be the recommended default on install. 

     

    I have tried that tool many times. It does just nothing. The -a switch does nothing more ...

    Not sure I get it ...

    Paul Jr

  • Hi Paul,

    The goal of the tool is merely to convert the SQL connection string used by the Sophos app to a SQL client library that supports TLS 1.2. I kept the output of the process, which I'll paste below, and yours should look similar. Double check against mine below.

    C:\sourceRepository\Sophos\Sophos Enterprise Console\sec_551\ServerInstaller\CheckDBConnection>CheckDBconnection.exe -a -c -l
    Sophos Connectivity Verifier
    5.5.1.955

    Copyright 2000-2018 Sophos Limited. All rights reserved.
    Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited and Sop
    hos Group. All other product and company names mentioned are trademarks or regis
    tered trademarks of their respective owners.

    UpdateConnectionString 64 bit system
    UpdateConnectionString :
    Registry Key: Software\Wow6432Node\Sophos\EE\Management Tools
    Value: DatabaseConnectionMS
    Trust cert: True

    Found: Provider=SQLOLEDB;Integrated Security=SSPI;Initial Catalog=SOPHOS551;Data Source=(hostname)\SOPHOS;

    Testing: Provider=SQLNCLI11;Trusted_Connection=Yes;Database=SOPHOS551;Server=(hostname)\SOPHOS;Encrypt=yes;TrustServerCertificate=true;

    TestDatabaseConnectionWithConnectionString 'Provider=SQLNCLI11;Trusted_Connection=Yes;Database=SOPHOS551;Server=(hostname)\SOPHOS;Encrypt=yes;TrustServerCertificate=true;'

    NewConnStr 'Trusted_Connection=Yes;Database=SOPHOS551;(hostname)\SOPHOS;Encrypt=yes;TrustServerCertificate=true;;'

    Test successfull, writing reg key
    UpdateConnectionString :
    Registry Key: Software\Sophos\ServerSecurity
    Value: DatabaseConnection
    Trust cert: True

    Found: Integrated Security=SSPI;Initial Catalog=SophosSecurity;Data Source=(local)\SOPHOS;

    Testing: Provider=SQLNCLI11; Trusted_Connection=Yes;Database=SophosSecurity;Server=(hostname)\SOPHOS;Encrypt=yes;TrustServerCertificate=true;

    TestDatabaseConnectionWithConnectionString 'Provider=SQLNCLI11; Trusted_Connection=Yes;Database=SophosSecurity;(hostname)\SOPHOS;Encrypt=yes;TrustServerCertificate=true;'

    NewConnStr ' Trusted_Connection=Yes;Database=SophosSecurity;(hostname)\SOPHOS;Encrypt=yes;TrustServerCertificate=true;;'

    Test successfull, writing reg key
    UpdateConnectionString :
    Registry Key: Software\Wow6432Node\Sophos\ServerSecurity
    Value: DatabaseConnection
    Trust cert: True

    Found: Integrated Security=SSPI;Initial Catalog=SophosSecurity;Data Source=(local)\SOPHOS;

    Testing: Provider=SQLNCLI11; Trusted_Connection=Yes;Database=SophosSecurity;Server=(hostname)SOPHOS;Encrypt=yes;TrustServerCertificate=true;

    TestDatabaseConnectionWithConnectionString 'Provider=SQLNCLI11; Trusted_Connection=Yes;Database=SophosSecurity;Server=(hostname)\SOPHOS;Encrypt=yes;TrustServerCertificate=true;'

    NewConnStr ' Trusted_Connection=Yes;Database=SophosSecurity;Server=(hostname)\SOPHOS;Encrypt=yes;TrustServerCertificate=true;;'

    Test successfull, writing reg key
    UpdateConnectionString :
    Registry Key: Software\Sophos\Patch
    Value: SophosPatchConnectionString
    Trust cert: True

    Found: Data Source=(local)\SOPHOS;Initial Catalog=SOPHOSPATCH52;Integrated Security=SSPI;Connect Timeout=60

    Testing: Provider=SQLNCLI11; Server=(hostname)\SOPHOS;Database=SOPHOSPATCH52;Trusted_Connection=Yes;Timeout=60;Encrypt=yes;TrustServerCertificate=true;

    TestDatabaseConnectionWithConnectionString 'Provider=SQLNCLI11; Server=(hostname)\SOPHOS;Database=SOPHOSPATCH52;Trusted_Connection=Yes;Timeout=60;Encrypt=yes;TrustServerCertificate=true;'

    NewConnStr ' Server=(hostname)\SOPHOS;Database=SOPHOSPATCH52;Trusted_Connection=Yes;Timeout=60;Encrypt=yes;TrustServerCertificate=true;;'

    Test successfull, writing reg key
    Database connection settings modified successfully

     

    best wishes,

    Grant
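
Added example (not from the thread or from Sophos): a PowerShell check that reads the four registry values named in the tool output above and reports, for each connection string, the provider and whether `Encrypt` and `TrustServerCertificate` are set. It assumes the keys live under HKEY_LOCAL_MACHINE and a 64-bit PowerShell session; the function names are hypothetical.

```powershell
# Added example: audit the connection strings that CheckDBConnection.exe -a rewrites.
# Assumption: the registry keys printed by the tool live under HKEY_LOCAL_MACHINE.
$targets = @(
    @{ Key = 'Software\Wow6432Node\Sophos\EE\Management Tools'; Value = 'DatabaseConnectionMS' },
    @{ Key = 'Software\Sophos\ServerSecurity';                  Value = 'DatabaseConnection' },
    @{ Key = 'Software\Wow6432Node\Sophos\ServerSecurity';      Value = 'DatabaseConnection' },
    @{ Key = 'Software\Sophos\Patch';                           Value = 'SophosPatchConnectionString' }
)

function ConvertFrom-ConnectionString {
    param([string]$ConnectionString)
    # Split "k=v;k=v;" into a case-insensitive table; skip empty or key-less segments.
    $table = @{}
    foreach ($segment in $ConnectionString.Split(';')) {
        $pair = $segment -split '=', 2
        if ($pair.Count -eq 2 -and $pair[0].Trim()) {
            $table[$pair[0].Trim()] = $pair[1].Trim()
        }
    }
    return $table
}

function Test-SophosConnectionString {
    param([string]$Name, [string]$ConnectionString)
    $p = ConvertFrom-ConnectionString $ConnectionString
    [pscustomobject]@{
        Name          = $Name
        Provider      = if ($p['Provider']) { $p['Provider'] } else { '(none)' }
        Server        = if ($p['Server']) { $p['Server'] } else { $p['Data Source'] }
        Encrypted     = ($p['Encrypt'] -in 'yes', 'true')
        # True means the session is encrypted but the server certificate is not validated.
        TrustsAnyCert = ($p['TrustServerCertificate'] -in 'yes', 'true')
    }
}

# Report on whatever is currently stored in the registry.
foreach ($t in $targets) {
    $path = "HKLM:\$($t.Key)"
    $item = Get-ItemProperty -Path $path -Name $t.Value -ErrorAction SilentlyContinue
    if ($item) { Test-SophosConnectionString "$($t.Key)\$($t.Value)" $item.($t.Value) }
    else { Write-Warning "Not found: $path [$($t.Value)]" }
}

# The "Found" and "Testing" strings quoted in the thread, for comparison.
Test-SophosConnectionString 'Found (before -a)' 'Provider=SQLOLEDB;Integrated Security=SSPI;Initial Catalog=SOPHOS551;Data Source=(hostname)\SOPHOS;'
Test-SophosConnectionString 'Testing (after -a)' 'Provider=SQLNCLI11;Trusted_Connection=Yes;Database=SOPHOS551;Server=(hostname)\SOPHOS;Encrypt=yes;TrustServerCertificate=true;'
```
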

  • Hello

    I get the exact same output as you with the command "CheckDBconnection.exe -a -c -l".  But running C:\sec_551\ServerInstaller\CheckDBConnection\CheckDBConnection.exe without switches afterward, you get this:

    C:\sec_551\ServerInstaller\CheckDBConnection>CheckDBConnection.exe
    Sophos Connectivity Verifier
    5.5.1.955

    Copyright 2000-2018 Sophos Limited. All rights reserved.
    Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited and Sophos Group. All other product and company names mentioned are trademark
    s or registered trademarks of their respective owners.

    (/) Operating system is ready to use TLS 1.2
    (/) Installed .NET Framework supports TLS 1.2
    Connection to the SQL Server established
    (x) SQL Server instance does not support TLS 1.2
    (x) SQL Server TCP/IP protocol detection failed
    (/) There is a certificate installed that can be used with SQL Server
    (/) SQL Server Native Client library supports TLS 1.2
    Encrypted connection to the SQL Server cannot be established

    C:\sec_551\ServerInstaller\CheckDBConnection>

    My version of SQL clearly supports TLS 1.2. And TCP/IP is clearly enabled.

    Paul Jr Robitaille

  • My version of SQL is:

    Product Version: 11.0.7469.6
    Product Name: SQL Server 2012
    Product Level: SP4
    Product Edition: Express Edition (64-bit)

    Which clearly supports TLS 1.2

    Paul Jr

  • Hi Paul,

    I'd probably start with SQL Server configuration manager and make sure that the TCP/IP connections are accepted.

    Grant

  • Start the SQL Server Browser Service

     
  • Sorry for awakening a dead thread; however, I am experiencing some issues with my upgrade to 5.5.2 from 5.5.0. I followed all the steps in here and still I am receiving the following. Any advice will be appreciated, as this seems the best thread on the matter since support isn't of much help. Thanks

     

    C:\sec_552\ServerInstaller\CheckDBConnection>checkdbconnection -s .\sophos
    Sophos Connectivity Verifier
    5.5.2.700

    Copyright 1989-2020 Sophos Limited. All rights reserved.
    Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited and Sop
    hos Group. All other product and company names mentioned are trademarks or regis
    tered trademarks of their respective owners.

    (/) Operating system is ready to use TLS 1.2
    (/) Installed .NET Framework supports TLS 1.2
    Connection to the SQL Server established
    (!) SQL Server instance can be configured to use TLS 1.2
    (/) SQL Server TCP/IP protocol is enabled
    (/) There is a certificate installed that can be used with SQL Server
    (/) SQL Server Native Client library supports TLS 1.2
    Encrypted connection to the SQL Server cannot be established

    C:\sec_552\ServerInstaller\CheckDBConnection>CheckDBconnection.exe -a -c -l
    Sophos Connectivity Verifier
    5.5.2.700

    Copyright 1989-2020 Sophos Limited. All rights reserved.
    Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited and Sop
    hos Group. All other product and company names mentioned are trademarks or regis
    tered trademarks of their respective owners.

    WMI namespace to use: root\Microsoft\Sqlserver\ComputerManagement14
    TestDatabaseConnectionWithConnectionString 'Server=.\SOPHOS;Database=master;Time
    out=3;Trusted_Connection=Yes;TrustServerCertificate=true;'

    NewConnStr 'Server=.\SOPHOS;Database=master;Timeout=3;Trusted_Connection=Yes;Tru
    stServerCertificate=true;;'

    WMI namespace to use: root\Microsoft\Sqlserver\ComputerManagement14
    WMI namespace to use: root\Microsoft\Sqlserver\ComputerManagement14
    WMI namespace to use: root\Microsoft\Sqlserver\ComputerManagement14
    WMI namespace to use: root\Microsoft\Sqlserver\ComputerManagement14
    TestDatabaseConnectionWithConnectionString 'Server=.\SOPHOS;Database=master;Time
    out=3;Trusted_Connection=Yes;Encrypt=yes;TrustServerCertificate=true;'

    NewConnStr 'Server=.\SOPHOS;Database=master;Timeout=3;Trusted_Connection=Yes;Enc
    rypt=yes;TrustServerCertificate=true;;'

    UpdateConnectionString 64 bit system
    UpdateConnectionString :
    Registry Key: Software\Wow6432Node\Sophos\EE\Management Tools
    Value: DatabaseConnectionMS
    Trust cert: True

    Found: Provider=SQLOLEDB;Integrated Security=SSPI;Initial Catalog=SOPHOS550;Data
    Source=(local)\SOPHOS;

    Testing: Provider=SQLNCLI11;Trusted_Connection=Yes;Database=SOPHOS550;Server=sop
    hos.starlight.com\SOPHOS;Encrypt=yes;TrustServerCertificate=true;

    TestDatabaseConnectionWithConnectionString 'Provider=SQLNCLI11;Trusted_Connectio
    n=Yes;Database=SOPHOS550;Server=sophos.starlight.com\SOPHOS;Encrypt=yes;TrustSer
    verCertificate=true;'

    NewConnStr 'Trusted_Connection=Yes;Database=SOPHOS550;Server=sophos.starlight.co
    m\SOPHOS;Encrypt=yes;TrustServerCertificate=true;;'

    Test successful, writing reg key
    UpdateConnectionString :
    Registry Key: Software\Sophos\ServerSecurity
    Value: DatabaseConnection
    Trust cert: True

    Found: Integrated Security=SSPI;Initial Catalog=SophosSecurity;Data Source=(loca
    l)\SOPHOS;

    Testing: Provider=SQLNCLI11;Trusted_Connection=Yes;Database=SophosSecurity;Serve
    r=sophos.starlight.com\SOPHOS;Encrypt=yes;TrustServerCertificate=true;

    TestDatabaseConnectionWithConnectionString 'Provider=SQLNCLI11;Trusted_Connectio
    n=Yes;Database=SophosSecurity;Server=sophos.starlight.com\SOPHOS;Encrypt=yes;Tru
    stServerCertificate=true;'

    NewConnStr 'Trusted_Connection=Yes;Database=SophosSecurity;Server=sophos.starlig
    ht.com\SOPHOS;Encrypt=yes;TrustServerCertificate=true;;'

    Test successful, writing reg key
    UpdateConnectionString :
    Registry Key: Software\Wow6432Node\Sophos\ServerSecurity
    Value: DatabaseConnection
    Trust cert: True

    Found: Integrated Security=SSPI;Initial Catalog=SophosSecurity;Data Source=(loca
    l)\SOPHOS;

    Testing: Provider=SQLNCLI11;Trusted_Connection=Yes;Database=SophosSecurity;Serve
    r=sophos.starlight.com\SOPHOS;Encrypt=yes;TrustServerCertificate=true;

    TestDatabaseConnectionWithConnectionString 'Provider=SQLNCLI11;Trusted_Connectio
    n=Yes;Database=SophosSecurity;Server=sophos.starlight.com\SOPHOS;Encrypt=yes;Tru
    stServerCertificate=true;'

    NewConnStr 'Trusted_Connection=Yes;Database=SophosSecurity;Server=sophos.starlig
    ht.com\SOPHOS;Encrypt=yes;TrustServerCertificate=true;;'

    Test successful, writing reg key
    UpdateConnectionString :
    Registry Key: Software\Sophos\Patch
    Value: SophosPatchConnectionString
    Trust cert: True

    Found: Data Source=(local)\SOPHOS;Initial Catalog=SOPHOSPATCH52;Integrated Secur
    ity=SSPI;Connect Timeout=60

    Testing: Provider=SQLNCLI11;Server=sophos.starlight.com\SOPHOS;Database=SOPHOSPA
    TCH52;Trusted_Connection=Yes;Timeout=60;Encrypt=yes;TrustServerCertificate=true;


    TestDatabaseConnectionWithConnectionString 'Provider=SQLNCLI11;Server=sophos.sta
    rlight.com\SOPHOS;Database=SOPHOSPATCH52;Trusted_Connection=Yes;Timeout=60;Encry
    pt=yes;TrustServerCertificate=true;'

    NewConnStr 'Server=sophos.starlight.com\SOPHOS;Database=SOPHOSPATCH52;Trusted_Co
    nnection=Yes;Timeout=60;Encrypt=yes;TrustServerCertificate=true;;'

    Test successful, writing reg key
    (/) Operating system is ready to use TLS 1.2
    (/) Installed .NET Framework supports TLS 1.2
    Connection to the SQL Server established
    (!) SQL Server instance can be configured to use TLS 1.2
    (/) SQL Server TCP/IP protocol is enabled
    (/) There is a certificate installed that can be used with SQL Server
    (/) SQL Server Native Client library supports TLS 1.2
    Encrypted connection to the SQL Server is established


    Database connection settings modified successfully

    OS version information:
    Microsoft Windows Server 2012 R2 Standard - 6.3.9600 - 0

    SQL Server version:
    SOPHOS - 14.0.3335.7 - RTM - CU21

    SQL Server protocol information:
    Sm: True
    Np: True
    Tcp: True

    SQL Server Certificates:
    Sophos-CA Sophos-CA

    Client Library information:
    sm - SQLNCLI11 - 11.0.7493
    tcp - SQLNCLI11 - 11.0.7493
    np - SQLNCLI11 - 11.0.7493
    tcp - SQLNCLI11 - 11.0.7493.4

    C:\sec_552\ServerInstaller\CheckDBConnection>CheckDBconnection.exe -s .\sophos
    Sophos Connectivity Verifier
    5.5.2.700

    Copyright 1989-2020 Sophos Limited. All rights reserved.
    Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited and Sop
    hos Group. All other product and company names mentioned are trademarks or regis
    tered trademarks of their respective owners.

    (/) Operating system is ready to use TLS 1.2
    (/) Installed .NET Framework supports TLS 1.2
    Connection to the SQL Server established
    (!) SQL Server instance can be configured to use TLS 1.2
    (/) SQL Server TCP/IP protocol is enabled
    (/) There is a certificate installed that can be used with SQL Server
    (/) SQL Server Native Client library supports TLS 1.2
    Encrypted connection to the SQL Server cannot be established