This recipe will cover how to enable the Transport Layer Security (TLS) protocol version 1.2 for the DPM Management server.
TLS is a protocol that provides privacy and data integrity between two communicating applications. In this case, this is between DPM server and protected servers. TLS is the most widely deployed security protocol used today.
Several known vulnerabilities have been reported against SSL and earlier versions of TLS. Microsoft recommend that you upgrade to TLS 1.2 for secure communication.
To enable TLS protocol version 1.2 in your DPM environment, you need to perform the following steps:
- Install all of the required updates.
- Make sure that the DPM setup is functional as it was before applying the updates (for example, you can check if you are able to launch the DPM console).
- Change the configuration settings to enable TLS 1.2.
- Ensure that all required SQL Server services are up and running.
- Finally, validate the protection and recovery process.
To enable TLS protocol version 1.2, follow these steps:
- Make sure that you are running Windows Server 2012 R2, Windows Server 2016, or Windows Server 2019 and that it is up-to-date with the latest security fixes.
- Make sure that .NET version 4.6 is installed on all of your machines (DPM server, protected servers) .NET version 4.7 is supported on Windows Server 2019. You can use the following PowerShell command to determine whether .NET has been installed:
Get-WindowsFeature NET*:
- For the DPM database and for all SQL Servers that you intend to protect with DPM, you need to make sure that you are running a SQL Server that supports TLS 1.2. You can follow the instructions described here to find out whether you need this update: https://support.microsoft.com/en-in/help/3135244/tls-1-2-support-for-microsoft-sql-server.
- You need to make sure that SQL Server 2012 Native client 11.0 is installed on the DPM Management Server. You can verify whether SQL Native client 11.0 is installed by running the following PowerShell command on SQL Server:
Get-odbcdriver -name "SQL Server Native Client*". You can download Microsoft SQL Server 2012 Native client 11.0 from the following link: https://www.microsoft.com/en-us/download/details.aspx?id=50402.
- Make sure that you are running a DPM server that supports TLS 1.2. Starting with DPM 2012 R2 Update Rollup 14, DPM 2016 Update Rollup 4 including DPM 1801, DPM 1807, DPM 2019, and DPM 1901, the DPM team added TLS version 1.2 support.
- System Center components now generate both SHA1 and SHA2 self-signed certificates. This is a requirement for enabling TLS1.2. If case CA signed certificates are used for workgroup machines or untrusted domains, please ensure that they are either SHA1 or SHA2. In other words, TLS 1.2 supports only SHA1 and SHA2 certificates. Hence, all of the certificates must be updated to be SHA1 or SHA2.
- You need to implement these settings on all of the Windows machines in the environment on which System Center Data Protection agent is installed, including the DPM management server. Follow these steps to disable all of the SCHANNEL protocols except TLS 1.2 system-wide so that only TLS 1.2 protocol is used for communication. Making these registry changes does not affect the use of Kerberos or NTLM protocols:
- Open the registry on your server(s) by running
regeditin the run window and navigate to the following location:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols - Add the SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2 keys under Protocol.
- Now, create two keys called
ClientandServerunder the SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2 keys.
- Open the registry on your server(s) by running
- Now create two
REG_DWORDvalues under theServerandClientkeys if you want to enable the TLS 1.2 protocol: set theDisabledByDefaultvalue to0and theEnabledvalue to1. You will now have something that looks as follows:
- If you want to disable the protocol, you can set the
DisabledByDefaultvalue to1and theEnabledvalue to0. - After we have enabled the TLS 1.2 protocol on all systems, we need to set DPM to use only TLS 1.2. The following settings should be implemented on the DPM management server and all other servers on which DPM agents are installed, that is, Hyper-V hosts, File Server, SQL, Exchange, SharePoint, and so on. Follow these steps to create these settings:
- Open the registry on your server by running
regeditin the run window and navigate to the following location:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.3031. - Now, create the
REG_DWORDvalue under the registry:SchUseStrongCrypto [Value = 1]. - Navigate to the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319. - Now, create the same
REG_DWORDvalue under the preceding registry as well:SchUseStrongCrypto [Value = 1].
- Open the registry on your server by running
- Finally, you need to restart the system (DPM server and the protected server).
For all kinds of workloads backed up by DPM TLS 1.2 enabled (that is, SQL, SharePoint, Exchange, File Servers, Hyper-V hosts, Hyper-V VMs, VMWare VMs, Clients, System State, and BMR), you can do the following:
- Attach the Protected Server in the workgroup/untrusted domain to DPM.
- While Creating Protection Groups, all data sources on the protected server will be displayed.
- Protect different kinds of workloads to disk, to tape, and to the cloud.
- Recover the different kinds of workloads at the Original Location, Alternate Location, recover cloud recovery points, and use an External DPM server.
There are two scenarios that are impacted when using TLS 1.2 with DPM:
The DPM agent can be installed on the protected server either directly from the DPM server for the servers in the domain, or using certificate-based authentication for computers in a workgroup or untrusted domain. Please refer to Chapter 8, Protecting Workgroups and Untrusted Domains. DPM uses elements of the .NET Framework on the protected server to communicate if certificate-based authentication is used. TLS 1.2 needs .NET 4.5 or above. Since DPM is built with .NET 4.0—which does not support TLS 1.2 directly—when DPM tries to communicate with the protected servers, establishing the connection will fail.
DPM requires a MARS agent to back up data to the cloud. The MARS agent also leverages the .NET Framework, and changes need to be made on the DPM server to ensure that the backups continue smoothly when TLS 1.2 is enabled. Check out https://support.microsoft.com/en-ie/help/4022913/how-to-resolve-azure-backup-agent-issues-when-disabling-tls-1-0-for-pc to resolve Azure Backup agent issues when enabling TLS 1.2.
For more information about Azure Backup, please checkChapter 10, IntegratingDPM with Azure Backup.
Check out the following article to learn more about how to automate and enable TLS 1.2 in System Center Data Protection Manager: https://charbelnemnom.com/2018/08/how-to-enable-tls-1-2-protocol-in-system-center-data-protection-manager-dpm-scdpm-tls1-2.