
Last year, Microsoft announced Transport Layer Security (TLS) 1.2 protocol support for System Center 2012 R2 and System Center 2016. This, of course, includes the System Center semi-annual channel releases (SAC 1801 and SAC 1807) and later.

TLS is the protocol that protects traffic between applications, and TLS 1.2 support has recently become a requirement for Microsoft products. This means that any product that uses TLS should support TLS 1.2. You can read more about TLS here.

Meanwhile, TLS 1.3 was published as RFC 8446 in August 2018; it builds on the previous TLS 1.2 specification. You can read about the biggest differences between TLS 1.2 and TLS 1.3 here. The million-dollar question is whether Microsoft will support TLS 1.3 in the near future; as of this writing, that information has not been made public.

In the case of DPM, TLS is involved when backups are sent to the cloud (Azure Backup), when certificate-based authentication is used to install the agent on workgroup or untrusted-domain computers and, in some cases, when protecting SQL servers.

This article describes all the steps required to enable TLS 1.2 support in System Center Data Protection Manager.

The following are prerequisites for supporting TLS 1.2 for System Center Data Protection Manager:

  1. .NET Framework 4.6 or later must be installed on all machines, the DPM server and the protected servers. .NET 4.7 is supported on Windows Server 2019. You can use the following PowerShell command to see whether the .NET feature is installed: `Get-WindowsFeature NET*`. Note that this only lists the feature; the exact 4.x build installed is recorded in the Release value under HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full.
  2. Install the required SQL Server TLS 1.2 support update. You can follow the instructions described here to find out whether you need this update. This update is required for the DPM database instance and for all protected SQL servers.
  3. Install SQL Server 2012 Native Client 11.0 on the DPM management server. You can download Microsoft SQL Server 2012 Native Client 11.0 from here. Note that SQL Server 2012 Native Client 11.0 is installed by default when you install SQL Server 2016 (13.x).
  4. Make sure you are running a DPM version that supports TLS 1.2. The DPM team added TLS 1.2 support as of DPM 2012 R2 Update Rollup 14 and DPM 2016 Update Rollup 4, as well as DPM SAC 1801 and SAC 1807.
  5. System Center components, including SC DPM, now generate both SHA1 and SHA2 self-signed certificates. If CA-signed certificates are used for workgroup machines or untrusted domains, make sure they are signed with either SHA1 or SHA2; certificates signed with any other hash algorithm must be reissued before you switch to TLS 1.2. Since SHA1 signatures are deprecated, prefer SHA2 for any certificate you request now.
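As an added example (this is not code from the original post), the following PowerShell checks the prerequisites above on the host it runs on. The .NET Release thresholds and the ODBC driver name are documented by Microsoft; the layout of the DPM Setup registry key and the use of Msdpm.exe for the product version are assumptions, and item 2 (the SQL Server TLS 1.2 update) is not checked because it depends on the exact SQL Server build.

```powershell
# Added example (not part of the original post): prerequisite check for the
# five items above. Run in an elevated Windows PowerShell 5.1 session on the
# DPM server and on every protected server.

function Get-DotNet4Release {
    # Item 1. Get-WindowsFeature only says whether the feature is present; the
    # "Release" DWORD identifies the exact 4.x build. Thresholds are from
    # Microsoft's published table; 393295 is the lowest value that means 4.6.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
    if (-not $release) {
        return [pscustomobject]@{ Release = 0; Version = 'not installed'; MeetsMinimum = $false }
    }
    $table = @(
        @{ Min = 528040; Version = '4.8'   }, @{ Min = 461808; Version = '4.7.2' },
        @{ Min = 461308; Version = '4.7.1' }, @{ Min = 460798; Version = '4.7'   },
        @{ Min = 394802; Version = '4.6.2' }, @{ Min = 394254; Version = '4.6.1' },
        @{ Min = 393295; Version = '4.6'   }
    )
    $version = 'older than 4.6'
    foreach ($row in $table) { if ($release -ge $row.Min) { $version = $row.Version; break } }
    [pscustomobject]@{ Release = $release; Version = $version; MeetsMinimum = ($release -ge 393295) }
}

function Test-SqlNativeClient11 {
    # Item 3 (DPM server only). SQL Server 2012 Native Client registers an ODBC
    # driver under exactly this name.
    $null -ne (Get-OdbcDriver -Name 'SQL Server Native Client 11.0' -ErrorAction SilentlyContinue)
}

function Get-DpmProductVersion {
    # Item 4 (DPM server only). Assumption: the DPM Setup key records InstallPath
    # and Msdpm.exe carries the product version. Returns $null on agent-only hosts.
    $setup = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Setup' -ErrorAction SilentlyContinue
    if (-not $setup.InstallPath) { return $null }
    $exe = Join-Path $setup.InstallPath 'bin\Msdpm.exe'
    if (Test-Path $exe) { (Get-Item $exe).VersionInfo.ProductVersion }
}

function Get-CertificateSignatureStatus {
    # Item 5. Classify every machine certificate by its signature hash: SHA-2 is
    # the target, SHA-1 still works with TLS 1.2 but is deprecated, anything
    # else has to be reissued before the switch.
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $alg = $_.SignatureAlgorithm.FriendlyName
        if     ($alg -match 'sha(256|384|512)') { $status = 'OK (SHA-2)' }
        elseif ($alg -match 'sha1')             { $status = 'Warn (SHA-1, deprecated)' }
        else                                    { $status = 'Replace' }
        [pscustomobject]@{ Subject = $_.Subject; NotAfter = $_.NotAfter; Algorithm = $alg; Status = $status }
    }
}

function Test-DpmTls12Prerequisites {
    # One summary object per host; item 2 is left to the SQL Server KB linked above.
    $net   = Get-DotNet4Release
    $certs = @(Get-CertificateSignatureStatus)
    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        DotNetVersion         = $net.Version
        DotNetMeetsMinimum    = $net.MeetsMinimum
        SqlNativeClient11     = Test-SqlNativeClient11
        DpmProductVersion     = Get-DpmProductVersion
        Sha1Certificates      = @($certs | Where-Object Status -like 'Warn*').Count
        CertificatesToReplace = @($certs | Where-Object Status -eq 'Replace').Count
    }
}

Test-DpmTls12Prerequisites | Format-List
Get-CertificateSignatureStatus | Where-Object Status -ne 'OK (SHA-2)' | Format-Table -AutoSize
```

Run it before touching SCHANNEL: a host that reports an older .NET build, or a certificate in the Replace column, will fail in the agent-installation step later with an error that says nothing about TLS.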

The following steps are required to enable TLS 1.2 support in System Center Data Protection Manager:

  1. First, we need to harden all systems to use only the TLS 1.2 protocol. To do this, we disable every SCHANNEL protocol except TLS 1.2, so that only TLS 1.2 is used for communication between the DPM server and the protected server(s). This setting is made in the registry on all protected systems, including the DPM server. To automate this, save the following script as Enable-TLS1.2.ps1 and run it from an elevated PowerShell session; it creates the required registry keys and sets the values accordingly:
    .\Enable-TLS1.2.ps1 -Verbose
    <#
    //-----------------------------------------------------------------------
    //     Copyright (c) {https://charbelnemnom.com}. All rights reserved.
    //-----------------------------------------------------------------------

    .NOTES
    File Name : Enable-TLS1.2.ps1
    Author    : Charbel Nemnom
    Version   : 1.1
    Date      : 17-August-2018
    Update    : 20-August-2018
    Requires  : PowerShell Version 5.0 or above

    .LINK
    To provide feedback or for further assistance please visit:
    https://charbelnemnom.com
    #>
    [CmdletBinding()]
    Param (
        $ProtocolList       = @("SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"),
        $ProtocolSubKeyList = @("Client", "Server"),
        $DisabledByDefault  = "DisabledByDefault",
        $Enabled            = "Enabled",
        $registryPath       = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\"
    )

    foreach ($Protocol in $ProtocolList) {
        Write-Verbose "Configuration for Protocol $Protocol"
        foreach ($key in $ProtocolSubKeyList) {
            # One key per protocol and side, e.g. ...\SCHANNEL\Protocols\TLS 1.2\Client
            $currentRegPath = $registryPath + $Protocol + "\" + $key
            Write-Verbose "Registry Path $currentRegPath"
            if (!(Test-Path $currentRegPath)) {
                Write-Verbose "Creating the registry..."
                New-Item -Path $currentRegPath -Force | Out-Null
            }
            if ($Protocol -eq "TLS 1.2") {
                # TLS 1.2: DisabledByDefault = 0 and Enabled = 1 (on, and offered by default)
                Write-Verbose "Enable Protocol $Protocol for the $key"
                New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value "0" -PropertyType DWORD -Force | Out-Null
                New-ItemProperty -Path $currentRegPath -Name $Enabled -Value "1" -PropertyType DWORD -Force | Out-Null
            }
            else {
                # Everything else: DisabledByDefault = 1 and Enabled = 0 (never negotiated)
                Write-Verbose "Disable Protocol $Protocol for the $key"
                New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value "1" -PropertyType DWORD -Force | Out-Null
                New-ItemProperty -Path $currentRegPath -Name $Enabled -Value "0" -PropertyType DWORD -Force | Out-Null
            }
        }
    }


  2. Once TLS 1.2 is the only protocol left on all systems, we need to configure the .NET Framework that DPM runs on to use strong cryptography, so that DPM itself negotiates TLS 1.2. This setting must be made in the registry on the DPM management server and on every server where a DPM agent is installed (e.g., Hyper-V hosts, file servers, SQL, SharePoint, Exchange, workstations, etc.); both the 64-bit and the 32-bit (WOW6432Node) .NET keys are needed. To automate this, run the following from an elevated PowerShell session:
    # The following setting should be done on the DPM management server and on all
    # other servers on which DPM agents are installed
    # E.g. Hyper-V, File Server, SQL Server, Exchange Server, etc.

    # Set SCDPM (the .NET Framework it runs on) to use strong crypto, i.e. TLS 1.2
    $NetRegistryPath = "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319"
    New-ItemProperty -Path $NetRegistryPath -Name "SchUseStrongCrypto" -Value "1" -PropertyType DWORD -Force | Out-Null

    # Same value for 32-bit .NET components
    $NetRegistryPath = "HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319"
    New-ItemProperty -Path $NetRegistryPath -Name "SchUseStrongCrypto" -Value "1" -PropertyType DWORD -Force | Out-Null
  3. Finally, reboot the DPM server and every protected server; the SCHANNEL and .NET settings are read at startup.
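Once the servers are back up, reading the state back and performing a real TLS 1.2 handshake is more convincing than trusting the registry writes. The following audit is an added example, not the post's script: the placeholder host name is an assumption, and the handshake test exercises only outbound TLS 1.2 over a TCP port (the HTTPS path Azure Backup uses), not the DPM agent channel itself.

```powershell
# Added example (not part of the original post): post-reboot audit of the
# SCHANNEL and .NET settings, plus a forced TLS 1.2 handshake.
# Run in an elevated Windows PowerShell 5.1 session.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # One row per protocol and side. SCHANNEL treats a protocol as usable when
    # Enabled is non-zero and DisabledByDefault is 0; a missing value means the
    # OS default applies, which is why the hardening script creates every key.
    foreach ($protocol in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $prop = Get-ItemProperty -Path (Join-Path $SchannelRoot "$protocol\$side") -ErrorAction SilentlyContinue
            $hasEnabled  = $null -ne $prop.Enabled
            $hasDisabled = $null -ne $prop.DisabledByDefault
            if (-not ($hasEnabled -and $hasDisabled)) { $effective = 'OS default' }
            elseif ($prop.Enabled -ne 0 -and $prop.DisabledByDefault -eq 0) { $effective = 'Enabled' }
            else { $effective = 'Disabled' }
            $expected = if ($protocol -eq 'TLS 1.2') { 'Enabled' } else { 'Disabled' }
            [pscustomobject]@{
                Protocol = $protocol; Side = $side
                Enabled = $prop.Enabled; DisabledByDefault = $prop.DisabledByDefault
                Effective = $effective; Compliant = ($effective -eq $expected)
            }
        }
    }
}

function Test-DotNetStrongCrypto {
    # Both hives matter: DPM has 64-bit and 32-bit .NET components.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{ Key = $key; SchUseStrongCrypto = $p.SchUseStrongCrypto; Compliant = ($p.SchUseStrongCrypto -eq 1) }
    }
}

function Test-Tls12Handshake {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )
    # Opens a TCP connection and forces an SslStream handshake with TLS 1.2 only,
    # so a failure means this host or the peer cannot negotiate TLS 1.2.
    # Certificate validation is deliberately left on (no callback returning $true).
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "TCP connect to ${HostName}:$Port timed out" }
        $client.EndConnect($async)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
        [pscustomobject]@{ Host = $HostName; Port = $Port; Protocol = $ssl.SslProtocol
                           Cipher = $ssl.CipherAlgorithm; Hash = $ssl.HashAlgorithm; Result = 'OK' }
    }
    catch {
        [pscustomobject]@{ Host = $HostName; Port = $Port; Protocol = $null
                           Cipher = $null; Hash = $null; Result = "FAILED: $($_.Exception.Message)" }
    }
    finally { $client.Close() }
}

Get-SchannelProtocolState | Format-Table -AutoSize
Test-DotNetStrongCrypto   | Format-Table -AutoSize
# Placeholder host (assumption): any HTTPS endpoint this server must reach, such as the Azure Backup service.
Test-Tls12Handshake -HostName 'backup.example.com' -Port 443
```

Keep in mind that the SCHANNEL lock-down is machine-wide: every SCHANNEL consumer on the box (RDP, IIS, LDAPS clients, other agents) is now limited to TLS 1.2, so run the handshake test against the peers that matter to each host, not just against the DPM server. For .NET 4.7 and later, Microsoft additionally documents the SystemDefaultTlsVersions value in the same two .NET keys; the procedure in this post relies on SchUseStrongCrypto alone.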

The DPM agent can be installed on a protected server either by pushing it from the DPM server (domain-joined servers) or by using certificate-based authentication (workgroup or untrusted-domain computers). If TLS 1.2 is not configured consistently on both the DPM server and the protected server (at the SCHANNEL level and in .NET), agent installation fails with an access-denied error similar to the one below. As you can see, the error message is misleading 🙂

[Screenshot: the misleading access-denied error shown by DPM during agent installation when TLS 1.2 is not configured on both sides]

For all DPM-supported workloads (e.g., SQL, SharePoint, Exchange, file servers, Hyper-V hosts, Hyper-V virtual machines, clients, system state, BMR), the following work with TLS 1.2 enabled:

  1. Attaching a protected server in a workgroup or untrusted domain to DPM (note that VMware VM backup is not supported with DPM TLS 1.2).
  2. Creating protection groups; all data sources on the protected servers are displayed.
  3. Protecting the different workloads to disk, tape and cloud. Note that for Data Protection Manager to back up to Azure Backup over TLS 1.2, these steps need to be enabled on the Data Protection Manager server only.
  4. Recovering the different workloads to the original location, to an alternate location, from cloud recovery points, and by using an external DPM server.

Finally, DPM 1807 ships with a set of bug fixes. One of the issues addressed is that DPM updates did not work when Transport Layer Security (TLS) 1.2 was enabled. So if you are still running DPM 1801, I recommend upgrading to the latest SAC 1807 release.

Until then… stay protected with DPM!

Thanks for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-
