Block old TLS versions

Hi,

I'm pretty new to Sophos UTM and hoping to get some info. Here's the situation. I have a Sophos UTM version 9.702-1 server with a Windows Server 2012 R2 machine behind it. I host some website on the Windows server, and in the DNS I use the public IP address, which is handled by the Sophos firewall machine. Sophos then directs traffic to the Windows server.

When I run a test at ssllabs.com, an alert is given that TLS 1.0/1.1 are still enabled. I checked the registry on the Windows Server machine, and as far as I can tell these protocols are disabled there. So I think, it might be because Sophos is the first machine that is answering a call because the test uses the IP address which is first handled by Sophos.

So I started digging and found an option in Sophos UTM: 

Webserver Protection > Web Application Firewall > Advanced > Minimum TLS Version. The active option there is '1.0 or higher'.

Am I correct that when I choose a higher option here, all the lower versions will be blocked? Or is this option only used for connecting to the webinterface/admin panel of Sophos?

Thanks!

  • Hallo Michel,

    Webserver Protection is a reverse proxy to proxy web traffic to your webserver(s) through the UTM. For this to work you must configure it and not just forward (DNAT) ports 80 and/or 443 to the webserver.

    If you do use webserver protection than the option you found should indeed be the one you need. If you simply DNAT then webserver protection is bypassed.