I am on 9.5.11 on Server 2016 and SQL 2016. I have separate servers for Core, SQL, Web Reports, Inventory, and Compliance.
We updated the SQL native client to 11.4.7001.0 on servers with an older version. This was definitely needed on BigFix infrastructure servers. The older version installed by default did not support TLS 1.2. I believe that I originally installed 9.5.8 in this new environment. No older than 9.5.6 for certain.
I ran the following weak cipher baseline. Note that many of these were not enabled, but it is a baseline for all servers, not just BigFix, so there is some legacy stuff. These did not impact anything in BigFix.
Backup cipher and protocol config
Multi-Protocol Unified Hello Client
Multi-Protocol Unified Hello Server
Disable SSL 2.0 Protocol Server
Disable SSL 2.0 Protocol Client
Disable PCT 1.0 Protocol Server
Disable PCT 1.0 Protocol Client
Disable DES 56/56 Cipher
Disable NULL Cipher
Disable RC2 128/128 Cipher
Disable RC2 40/128 Cipher
Disable RC2 56/128 Cipher
Disable RC4 128/128 Cipher
Disable RC4 40/128 Cipher
Disable RC4 56/128 Cipher
Disable RC4 64/128 Cipher
Disable Triple DES 168 Cipher
Enable AES 128/128 Cipher
Enable AES 256/256 Cipher
I then disabled TLS 1.0 and 1.1. TLS 1.2 was previously enabled, and I had told apps to use 1.2 where applicable. This reg key exists for both client and server for 1.0, 1.1, and 1.2. Note that the key “disabled by default” does not actually disable anything. This one does.
After this, everything works except for the Security and Compliance application server. It lost its database connection. I re-enabled TLS 1.0 on it and the SQL server to get it working again just this morning. I have not dug deeper to see what I missed yet.
Then I got my weekly email that had this thread as the lead, so I thought I’d chime in…
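
A read-only way to compare the protocol settings described above across the servers involved, as an added example that is not part of the original post. It assumes the standard SCHANNEL `Protocols` registry location with `Enabled` and `DisabledByDefault` DWORD values, and treats `Enabled = 0` as the explicit off switch (the post does not name the value); `Get-SchannelProtocolState` is a hypothetical helper name.

```powershell
# Added example: read-only audit of SCHANNEL protocol settings; changes nothing.
# Assumption: standard SCHANNEL registry layout with Enabled / DisabledByDefault DWORDs.
$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Hypothetical helper name, introduced for this example.
function Get-SchannelProtocolState {
    param(
        [Parameter(Mandatory)] [string] $Protocol,   # e.g. 'TLS 1.0'
        [Parameter(Mandatory)] [string] $Role        # 'Client' or 'Server'
    )
    $path = Join-Path (Join-Path $SchannelBase $Protocol) $Role
    $enabled = $null
    $disabledByDefault = $null
    if (Test-Path -LiteralPath $path) {
        $props = Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue
        if ($props) {
            $names = @($props.PSObject.Properties.Name)
            if ($names -contains 'Enabled') { $enabled = $props.Enabled }
            if ($names -contains 'DisabledByDefault') { $disabledByDefault = $props.DisabledByDefault }
        }
    }
    # Enabled = 0 is treated as the explicit "off" switch; a missing value means
    # the OS default applies. DisabledByDefault is reported but not treated as off.
    if ($null -eq $enabled) {
        $state = 'Not set (OS default)'
    } elseif ($enabled -eq 0) {
        $state = 'Disabled'
    } else {
        $state = 'Enabled'
    }
    if ($disabledByDefault -eq 1 -and $state -ne 'Disabled') {
        $state += '; DisabledByDefault=1 only'
    }
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        Protocol          = $Protocol
        Role              = $Role
        Enabled           = $enabled
        DisabledByDefault = $disabledByDefault
        State             = $state
    }
}

$report = foreach ($protocol in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($role in 'Client', 'Server') {
        Get-SchannelProtocolState -Protocol $protocol -Role $role
    }
}
$report | Format-Table -AutoSize
```

Running it on each server and comparing the Client and Server rows shows where a protocol is explicitly off on one side of a connection and left at the OS default on the other.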