Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Arturxr
Explorer

question about cipher_util

1. tell me, when you disable weak ciphers, you lose access to some old resources on the Internet or our services stop working from the Internet?

2.  after configuring in Global Properties->Advanced->Configure…->Portal Properties, Are there any restrictions on the protocols with which Internet users can connect to our Remote Access Portal?

There is now information that some servers on the Internet are still using TLS 1.0. After completing this step, it will not be possible to connect to these servers through the Security Gateway, but I would like to study these issues in more detail

0 Kudos
4 Replies
G_W_Albrecht
Legend
Legend

First: cipher_util can configure MultiPortal and/or SSL Inspection ciphers. 

1. Not that i knew any ! Why should that be ?

2. Mobile Access or IPSec VPN should not be changed.

You can always connect to TLS 1.0 servers if you exclude the traffic from https inspection and use an old browser 😉

CCSE CCTE SMB Specialist
0 Kudos
Arturxr
Explorer

please specify,
1. By disabling weak ciphers, will we lose access to any old resources on the Internet that use TLS 1.0, but our services from the Internet will continue to work?
And also, can we resume their work by excluding the check in https inspection?
2. What is meant by this? Is it not recommended to disable ciphers when selecting (2) MultiPortal in cipher_util or what? In the portal properties there is no choice to disable for mobile access or ipsec vpn, it is disabled for all services at once

0 Kudos
G_W_Albrecht
Legend
Legend

- if you disable weak ciphers for outbound https inspection, you can only reach TLS 1.0 by excluding the traffic from it

- if you disable weak ciphers for inbound https inspection, internal servers with TLS 1.0 can not be reached anymore

- if you disable weak ciphers for MultiPortal, GAiA, SmartView, SSLVPN a.o. portals can be reached as before

- IPSec has nothing to do with TLS 1.0

CCSE CCTE SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin

If you’re not using HTTPS Inspection, the configuration you make with cipher_util will have no effect on sites you connect to through the gateway.
If you have proper bypass rules in the HTTPS Inspection policy, those sites should still work.

It will definitely impact all connections to the gateway itself, including the Mobile Access Portal, but excluding IPsec VPN.

0 Kudos