Security people are up our butts over TLS v1.1 and associated ciphers being available on our ESG/SSL VPN VM. I don't see any way to disable them through the Admin GUI. I would love to take a look on the backend, but Engineering Mode is no longer available. Is there a RESTful way to allow only TLS v1.2-1.3 on the ESG?
So YES, this is possible and here is the KB with the correct answer:
Using the API you can tell the NSX Manager to turn on/off different TLS version support on the ESG web service.
The settings in the NSX Manager web GUI have no effect on the ESGs; they appear to only affect the web server on the NSX Manager VM.
The change made via the API does survive ESG reboots and re-deployments as well as upgrades. We made the change in v6.4.6 and it is still in effect after upgrading to v6.4.8.
From NSX 6.4, TLS 1.0 is disabled by default, but maybe the configuration has been inherited from a previous upgrade. Check if it is enabled on the NSX Manager, but it should not be.
Follow the next procedure:
My mistake, they actually want to disable TLS 1.1 now. TLS v1.0 is not enabled.
No worries, same procedure applies.
Follow it and let us know!