About FIPS 140-2 support

The Federal Information Processing Standard (FIPS) 140-2 is a US government security standard that defines an allowable set of cryptographic functions. Ivanti® Endpoint Manager doesn't use its FIPS 140-2 mode by default, but you can enable it. FIPS 140-2 support in Endpoint Manager encrypts communication from managed Windows devices through the CSA to the core server. The encryption method is FIPS-enabled SSL.

FIPS support requires Endpoint Manager Version 9.5 SP1 or later and a Ivanti Cloud Services Appliance with Gateway service version 4.3 or later.

The Endpoint Manager components that support FIPS 140-2 are:

The broker service on the core server. This service handles communication with the CSA.

The remote control viewer, both HTML and legacy.

The broker daemon on the CSA.

Proxyhost.exe on the device. This process handles general Endpoint Manager agent communication.

The remote control agent on the device.

No other components in the system are FIPS-enabled, such as the console, roll-up core, and so on.

You'll need to do the following steps to enable FIPS 140-2. Each step is described in more detail later on.

1.On the CSA, enable FIPS mode.

2.On the core server's LDMS console, enable FIPS mode.

3.Roll out the Endpoint Manager agents on Windows devices with an agent configuration that uses the CSA and FIPS.

Enabling FIPS on the CSA

To enable FIPS on the CSA, you must either use the built-in CSA console or use the CSA Web interface, available from http://<CSA IP address or name>/gsb. The default CSA username is admin, and the password is whatever it was changed to during CSA installation.

To enable FIPS on the CSA

1.Directly on the CSA or using the CSA Web management interface, log in and click the Gateway service button on the left side.

2.Change the Server FIPS 140-2 mode option to 1.

3.Click Save.

Enabling FIPS on the core server

Enabling FIPS on the core server generates new security certificates. This means that you won't be able to manage existing clients until you redeploy updated agents that include the new certificates. You won't be able to just do an agent update either, because of the client/core certificate mismatch. If you need FIPS 142, we generally recommend that you enable it at the beginning of a Endpoint Manager deployment.

When you enable FIPS, the core server rebuilds all agent configurations so that they include the new security certificate. This takes a few minutes. If you have a lot of agent configurations, it will take longer.

The old core certificate is backed up here. The folder name includes the backup date.

C:\Program Files\LANDesk\Shared Files\Keys\Backup (<backup date and time>)

If you disable FIPS after enabling it, and later re-enable FIPS, the core will reuse the certificate you created the first time you enabled FIPS. In this case you wouldn't have to redeploy agent configurations a second time.

To enable FIPS on the core server

1.On the core server, open the Ivanti Management Console.

2.Click Configure > Services.

3.On the General tab, select FIPS 140-2 is enabled for this core server.

4.Carefully read the confirmation dialog box reminding you that you won't be able to manage clients until you update their agent configurations. If you're sure you're ready, click Yes.

Updating FIPS agent configurations on Windows devices

Once the core server finishes rebuilding agent configurations with the new security certificate, edit your Windows agent configurations and make sure they're using your FIPS-enabled CSA. After that, you'll need to redeploy agents to all of your managed devices, including non-Windows devices.

To select the CSA used by an agent configuration

1.Click Tools > Configuration > Agent configuration.

2.On the Client connectivity page, click Configure.

3.Select an existing setting and click Edit or create a new one.

4.On the Cloud Services Appliance page, select Enable cloud Services Appliance communication and select the CSA you want this client connectivity setting to use.

5.Click Save and then click Close.

6.On the Client Connectivity page, make sure the client connectivity setting you configured is selected.

7.Deploy the updated agent to managed devices.

Verifying FIPS 140-2 mode is working

You can verify FIPS 140-2 mode is active by checking log files on the core server, CSA, and managed Windows devices.

On the core server, check the BrokerService.exe log file, which tracks communication between the core and the CSA. Look for FIPS Mode: 1 entries, which indicate FIPS is enabled. A value of 0 means it's disabled.

C:\Program Files\LANDesk\ManagementSuite\log\BrokerService.log

On managed Windows devices, check the ProxyHost.exe log file, which tracks communication between the managed device and the CSA. Look for FIPS Mode: 1 entries , which indicate FIPS is enabled.

C:\Program Files\LANDesk\LDClient\proxyhost.log

Also, on managed Windows devices check the Ivanti Remote Control agent status by double-clicking it in the system tray. At the bottom of the dialog box, FIPS 140-2 mode enabled appears if FIPS 140-2 is enabled.

On the CSA, check /var/log/messages.