Use TLS 1.2 with Workload Security

TLS architecture

Deep Security Agents version 10.0 or later installed on any platform communicate with Workload Security over TLS 1.2.

In addition, Deep Security Agents version 9.6 installed on the following platforms communicate with Workload Security over TLS 1.2:

  • Windows 2000
  • Linux Debian 6
  • SuSE 10. Note that the Deep Security Agent 9.6 support extension for this platform expired on 23-May-2021.
  • Ubuntu 12.04

TLS 1.2 is also supported on Deep Security Agents version 9.0 on the following platforms:

  • AIX. Note that the Deep Security Agent 9.0 support extension for this platform expired on 31-Dec-2020.
  • Solaris. Note that the Deep Security Agent 9.0 support extension for this platform expired on 31-Dec-2019.

For complete details on platform support, including the expiration dates of the support extensions, see the following:

As with Deep Security Agents, recent versions of the third-party tools involved in deployment (for example, the PowerShell and curl releases named later on this page) negotiate TLS 1.2, while older versions negotiate only earlier TLS versions.

[Diagram: TLS communication in a Workload Security environment (image not reproduced here)]

Enable the TLS 1.2 architecture

To enable TLS 1.2 in your Workload Security environment, you may need to upgrade your agents and relays based on the following guidelines as well as the information provided in TLS architecture:

  • If you have Deep Security Agents version 9.6 in any environment other than Windows 2000, Linux Debian 6, SuSE 10, or Ubuntu 12.04, you must upgrade them to version 10.0 or later.
  • If you have version 9.6 relays in any environment other than Windows 2000, Linux Debian 6, SuSE 10, or Ubuntu 12.04, you must upgrade them to version 10.0 or later.
  • If you have Deep Security Agents version 9.5 or earlier in any environment, you must upgrade them to version 10.0 or later.
  • If your environment has relays for Deep Security Agent version 9.5 or earlier, you must upgrade them to version 10.0 or later.

First, upgrade your agents.

Next, upgrade your relays.

Next steps: deploy new agents and relays

After setting up your TLS 1.2 environment, if you deploy new agents and relays with a deployment script (one of several deployment methods), follow the guidelines below so that the script itself fetches the agent software over TLS 1.2.

Guidelines for using deployment scripts

  1. If you are deploying an agent or relay onto Windows computers, use PowerShell 4.0 or later, which uses TLS 1.2 to communicate with the manager or relay to obtain agent software and install it.

  2. If you are deploying an agent or relay onto Linux, use curl 7.34.0 or later. curl 7.34.0 is the first release that can be told to use TLS 1.2 (the --tlsv1.2 option), which the script needs to communicate with the manager or relay to obtain agent software and install it.

  3. If you are deploying onto Red Hat Enterprise Linux 6, which ships curl 7.19 by default, upgrade to curl 7.34.0 or later. If you cannot upgrade curl, see the next step for a workaround.

  4. If you are deploying onto Windows XP, 2003, or 2008, where PowerShell 4.0 is not supported, remove the following lines:

     #requires -version 4.0
     [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;
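The Linux guidelines above (steps 2 and 3) hinge on the curl version: a curl older than 7.34.0 has no --tlsv1.2 option and will quietly negotiate whatever the server allows. The following bash snippet is an added example, not code from the Workload Security deployment script or from Trend Micro, showing how a deployment script can check the installed curl before downloading the agent and fail closed instead of falling back to an older TLS version. The banner strings, the agent URL and the fetch_agent function are constructed placeholders; the assumption that --tlsv1.2 first appeared in curl 7.34.0 matches the version named on this page.

```bash
#!/usr/bin/env bash
# Added example (not part of the Workload Security deployment script):
# only fetch the agent package over TLS 1.2, and refuse to run with a
# curl that cannot be pinned to TLS 1.2.
set -euo pipefail

# First curl release with the --tlsv1.2 option (assumption, matches the
# minimum version given in the deployment guidelines).
MIN_CURL="7.34.0"

# Return 0 when dotted version $1 >= $2, comparing numeric components.
version_ge() {
    local IFS=.
    local -a a=($1) b=($2)
    local i x y
    for i in 0 1 2; do
        x=${a[i]:-0}; x=${x%%[!0-9]*}   # drop suffixes such as "-DEV"
        y=${b[i]:-0}; y=${y%%[!0-9]*}
        if (( ${x:-0} > ${y:-0} )); then return 0; fi
        if (( ${x:-0} < ${y:-0} )); then return 1; fi
    done
    return 0
}

# Pull the version out of the first line of `curl --version` output, e.g.
# "curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 ..." -> 7.19.7
curl_version_from_banner() {
    printf '%s\n' "$1" | head -n1 | awk '{print $2}'
}

# True when the curl described by the banner can be pinned to TLS 1.2.
curl_supports_tls12() {
    version_ge "$(curl_version_from_banner "$1")" "$MIN_CURL"
}

# Print the curl options the download step should use. Fails closed: an
# old curl (RHEL 6's 7.19, for instance) aborts the deployment rather
# than silently negotiating TLS 1.0 with the manager or relay.
tls12_curl_args() {
    local banner="$1"
    if ! curl_supports_tls12 "$banner"; then
        echo "curl $(curl_version_from_banner "$banner") is older than $MIN_CURL; upgrade curl before deploying" >&2
        return 1
    fi
    # --tlsv1.2 sets the minimum protocol; --fail turns HTTP errors into
    # a non-zero exit so a bad download is never installed.
    printf '%s\n' "--tlsv1.2 --fail --silent --show-error"
}

# Download the agent package from the manager or relay (placeholder URL
# and output path; the real script supplies its own).
fetch_agent() {
    local url="$1" out="$2"
    local args
    args=$(tls12_curl_args "$(curl --version)") || return 1
    # $args is intentionally unquoted: it is a space-separated option list.
    curl $args -o "$out" "$url"
}

# Example invocation (placeholder host):
# fetch_agent "https://manager.example.invalid:443/software/agent/..." /tmp/agent.rpm
```

Dropping the --tlsv1.2 pin to "make it work" on an old curl defeats the point of the upgrade guidance above: the script would still install an agent, but the package would have been fetched over whatever protocol the older curl negotiates. The same fail-closed idea applies on Windows: removing the Tls12 line for XP/2003/2008 (step 4) should be a conscious, documented exception, not the default.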