Use TLS 1.2 with Deep Security

In Deep Security Manager 11.1 and higher, TLS 1.2 is enforced by default for new installations.

Topics on this page:

Benefits of TLS 1.2

Transport Layer Security (TLS), and the earlier Secure Sockets Layer (SSL), are encryption protocols that enable secure connections between different endpoints. When Deep Security components need to communicate, they determine the latest mutually-supported version of the encryption protocol and then use that version to secure all communication for the duration of their session. The latest version of TLS is 1.2. SSL has been discontinued due to security issues.

Trend Micro strongly recommends that you use TLS 1.2 communication between all its components. This page describes the benefits of TLS 1.2, and how to use it in your Deep Security environment.

The main benefit of TLS 1.2 is additional security. TLS 1.2 has been enhanced to safeguard against the latest exploits.

TLS architecture

Figure 1 shows the TLS communication in a Deep Security as a Service environment. You can see that 10.0 or higher agents communicate with Deep Security as a Service over TLS 1.2, while 9.6 versions communicate over early TLS. Similarly, newer third-party applications use TLS 1.2, while older ones use early TLS.

Figure 1: TLS communication in a Deep Security as a Service environment

Enable the TLS 1.2 architecture

To enable TLS 1.2 in your Deep Security as a Service environment, you may need to upgrade your agents and relays. Follow these guidelines:

  • If you have 9.6 agents in your environment, you must upgrade them to 10.0 or later. Only 10.0 or later agents support TLS 1.2.
  • If you have 9.6 relays in your environment, you must upgrade them to 10.0 or later. Only 10.0 or later relays support TLS 1.2.

First, upgrade your agents:

Next, upgrade your relays (the instructions are the same as those for agents):

Next steps (deploy new agents and relays)

After setting up your TLS 1.2 environment, if you decide to Use deployment scripts to add and protect computers (among other methods) to deploy new agents and relays, adhere to the guidelines below.

Guidelines for using deployment scripts

  1. If you are deploying an agent or relay onto Windows computers, use PowerShell 4.0 or higher, which uses TLS 1.2 to communicate with the manager or relay to obtain agent software and install it.
  2. If you are deploying an agent or relay onto Linux, use curl 7.34.0 or higher. This version uses TLS 1.2 to communicate with the manager or relay to obtain agent software and install it.
  3. If you are deploying onto Red Hat Enterprise Linux 6 which uses curl 7.19 by default, upgrade to curl 7.34.0 or later. If you can't upgrade curl, see the next step for a workaround.
  4. If you are deploying onto Windows XP, 2003, or 2008, where PowerShell 4.0 is not supported, remove these lines:

    #requires -version 4.0

    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;

    OR

    If you are deploying onto Red Hat Enterprise Linux 6, which uses curl 7.19 by default, remove this tag:

    --tls1.2

To upgrade the appliance: