VMware Networking Community
KWKirchner (Enthusiast)

Can I Disable TLS v1.1 on NSX ESG SSL VPN v6.4.8?

Security people are up our butts over TLS v1.1 and associated ciphers being available on our ESG/SSL VPN VM. I don't see any way to disable them through the Admin GUI. I would love to take a look on the backend, but Engineering Mode is no longer available. Is there a RESTful way to allow only TLS v1.2-1.3 on the ESG?

Accepted Solution

KWKirchner (Enthusiast)

So YES, this is possible, and here is the KB with the correct answer:

VMware Knowledge Base

Using the API you can tell the NSX Manager to turn on/off different TLS version support on the ESG web service.

The settings in the NSX Manager web GUI have no effect on the ESGs; they appear to only affect the web server on the NSX Manager VM.

The change made via the API does survive ESG reboots and re-deployments as well as upgrades. We made the change in v6.4.6 and it is still in effect after upgrading to v6.4.8.

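A verification step the thread implies but does not show: after the API change, confirm from a client which TLS versions the ESG SSL VPN listener still negotiates. This is an added example, not code from the thread, the KB, or VMware; it assumes the SSL VPN is reachable at a host and port you supply, and it reports protocol acceptance only, not certificate trust.

```python
import socket
import ssl

# Versions to probe, oldest first; the policy in the thread is "TLS 1.2-1.3 only".
PROBES = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
ALLOWED = {"TLSv1.2", "TLSv1.3"}

def probe_version(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to exactly `version`, False if
    it refuses (or the port is unreachable), None if local OpenSSL lacks that version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # protocol negotiation only, not trust
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None
    try:
        # Offer legacy ciphers so a TLS 1.0/1.1 refusal is the server's
        # decision, not our own client's OpenSSL security level.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # non-OpenSSL build: keep the default cipher list
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True  # handshake succeeded at this exact version
    except (ssl.SSLError, OSError):
        return False

def probe_all(host, port):
    """Map each version name to True / False / None as in probe_version."""
    return {name: probe_version(host, port, ver) for name, ver in PROBES.items()}

def violations(results):
    """Versions the server accepted that the TLS 1.2-1.3 policy forbids."""
    return sorted(v for v, ok in results.items() if ok and v not in ALLOWED)

if __name__ == "__main__":
    import sys  # usage: python probe_tls.py <esg-sslvpn-host> [port]
    res = probe_all(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443)
    for name, ok in res.items():
        print(name, {True: "accepted", False: "refused", None: "untestable"}[ok])
    print("policy OK" if not violations(res) else "still offered: " + ", ".join(violations(res)))
```

Run it against the SSL VPN listener before and after the API change; a "refused" for TLSv1.0 and TLSv1.1 with "accepted" for TLSv1.2 is the result the security team is asking for.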

4 Replies

Lalegre (Virtuoso)

From NSX 6.4, TLS 1.0 is disabled by default, but maybe the configuration has been inherited from a previous upgrade. Check if it is enabled on the NSX Manager, but it should not be.

Follow this procedure:

Change FIPS Mode and TLS Settings on NSX Manager

KWKirchner (Enthusiast)

My mistake, they actually want to disable TLS 1.1 now. TLS v1.0 is not enabled.

Lalegre (Virtuoso)

No worries, same procedure applies.

Follow it and let us know!
