VMware Workspace ONE Community
DanielWarrenDan
Contributor

Disable TLS 1.0 on SEG Relay

We are attempting to disable TLS 1.0 on our SEG relay box in our AirWatch environment.
There is no specific documentation that we can find. When we use the IIS Crypto tool to disable it, e-mail and content stop working.
We have spent several hours with AirWatch support, who don't seem to know what they're doing or how TLS works. Does anyone have any experience around this?
12 Replies
ANDREWSPENCE
Contributor

I'm also looking to disable TLS 1.0 but across my entire AW environment.
Any info would be appreciated.
0 Kudos
DavidGoehner
Contributor

I could be mistaken, but I believe TLS 1.0 is required on the SEG, at least on 9.2.3.
0 Kudos
DanielWarrenDan
Contributor

Hi David, do you know of a way of getting this confirmed? A colleague of mine has wasted countless hours on frustrating support calls, so if this were the case and not one of their support engineers was aware of it, it would be extremely upsetting.
0 Kudos
ThomasCheng
Enthusiast

I am interested as well, as I don't ever recall seeing such an option being available within the web console or the SEG console.
Did anyone escalate the case to a subject matter expert at AirWatch/Workspace ONE?
0 Kudos
ANDREWSPENCE
Contributor

I spoke to AW Support about this back in February 2018. I tried enabling TLS 1.2 and disabling TLS 1.0/1.1 but couldn't ever get it working.

I used the following article: https://support.workspaceone.com/articles/115001666088

I raised a support request as the SEG information was missing, and I got the following back from support:

The default TLS settings can be overridden for each AirWatch application and service by updating each configuration file to explicitly indicate the use of a particular setting.
The file path on the SEG server is ../AirWatch/AirWatch x.x/AW.Eas.Web.Listener/web.config
In the configuration file, add a new entry to the section as follows:

0 Kudos
ANDREWSPENCE
Contributor

For TLS 1.2 only:
' <add key="OutboundTlsProtocols" value="Tls12" />'

For TLS 1.0, 1.2:
' <add key="OutboundTlsProtocols" value="Tls, Tls12" />'

For TLS 1.0, 1.1, 1.2:
' <add key="OutboundTlsProtocols" value="Tls, Tls11, Tls12" />'


I had to put quotes in to display the commands. Ignore the first and last quotes.

0 Kudos
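
A check to run on a web.config after adding one of the entries posted above, as an added example that is not AirWatch's or the poster's code: it flags typographic quotes that a rich-text copy can introduce and lists which TLS versions the value enables. The function name `audit_outbound_tls` and the `<appSettings>` parent in the constructed samples are assumptions.

```python
import xml.etree.ElementTree as ET

# Token meanings as listed in the post above.
TOKENS = {"Tls": "TLS 1.0", "Tls11": "TLS 1.1", "Tls12": "TLS 1.2"}
LEGACY = {"TLS 1.0", "TLS 1.1"}
SMART_QUOTES = "\u201c\u201d\u2018\u2019"  # typographic quotes picked up from rich-text pastes

# Constructed samples; the <appSettings> parent is an assumption, not from the thread.
WRAP = "<configuration>\n  <appSettings>\n    {}\n  </appSettings>\n</configuration>"
PASTED = WRAP.format("<add key=\u201dOutboundTlsProtocols\u201d value=\u201dTls12\u201d />")
TLS12_ONLY = WRAP.format('<add key="OutboundTlsProtocols" value="Tls12" />')
ALL_THREE = WRAP.format('<add key="OutboundTlsProtocols" value="Tls, Tls11, Tls12" />')


def audit_outbound_tls(config_text):
    """Report what an OutboundTlsProtocols entry in a web.config actually enables."""
    result = {"smart_quote_lines": [], "protocols": [], "legacy": [], "unknown": [], "error": None}
    # 1. Typographic quotes are not XML attribute delimiters, so locate them first.
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if any(q in line for q in SMART_QUOTES):
            result["smart_quote_lines"].append(lineno)
    if result["smart_quote_lines"]:
        result["error"] = "typographic quotes present; retype them as plain double quotes"
        return result
    # 2. Parse, then find the entry wherever it sits (no section name is assumed here).
    try:
        root = ET.fromstring(config_text)
    except ET.ParseError as exc:
        result["error"] = f"not well-formed XML: {exc}"
        return result
    entries = [e for e in root.iter("add") if e.get("key") == "OutboundTlsProtocols"]
    if len(entries) != 1:
        result["error"] = f"expected one OutboundTlsProtocols entry, found {len(entries)}"
        return result
    # 3. Split the comma-separated value and classify each token.
    for token in (t.strip() for t in entries[0].get("value", "").split(",")):
        if token in TOKENS:
            result["protocols"].append(TOKENS[token])
        elif token:
            result["unknown"].append(token)
    result["legacy"] = [p for p in result["protocols"] if p in LEGACY]
    return result


if __name__ == "__main__":
    for name, text in [("pasted", PASTED), ("tls12", TLS12_ONLY), ("all", ALL_THREE)]:
        print(name, audit_outbound_tls(text))
```

A non-empty `legacy` list means the entry still allows TLS 1.0 or 1.1; a non-empty `unknown` list usually means a misspelled token.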
PaulReganPaulRe
Contributor

To close this off: it's taken support over a month to get to this conclusion, so if I can save anyone else the pain and frustration of dealing with them then some good will have come from this.
1. Content locker : Disable using IISCrypto AND add  to the Airwatch or AirwatchEnterpriseIntegrationContent or web.config
2. SEG: V1 doesn't support anything > TLS 1.0! NB: if you have SEG V1 and Content on the same server, which apparently is not recommended but is the way VMware PS built it for us, then mail will break.
SEG V2 is required for TLS 1.2.
0 Kudos
DavidWuDavidWu1
Contributor

Has anyone successfully disabled TLS 1.0 and 1.1 on MAG and SEG servers, to just use TLS 1.2?

0 Kudos
anonymousmigrat
Enthusiast

' The file path on the SEG server is ../AirWatch/AirWatch x.x/AW.Eas.Web.Listener/web.config In the configuration file'

My SEG server installs do not appear to have this path. Is anybody able to assist in letting me know where I can tell my SEG to use TLS 1.2?
0 Kudos
Stansfield
Enthusiast

It is not a terribly helpful solution, but SEG v2 drops TLS 1.0 and just supports 1.1 and 1.2.
0 Kudos
anonymousmigrat
Enthusiast

So in our SEG server logs, in the app.log file, we see a line saying server chose TLSv1, which is odd if SEG v2 drops support for it.

We are using SEG v2.
The SEG installer I have used is 2.9.
0 Kudos
Stansfield
Enthusiast

Did you use to run classic? It re-uses the log spot for v2. When I run a scan on my SEG v2, it does not support TLS 1.0.
0 Kudos