UEM SSL Configuration

Use the UEM SSL Configuration page to configure the client role parameters for communication from Sentry to UEM. You can configure ciphers and protocols for outgoing traffic from Sentry to UEM.

Enabling Strict TLS settings for Standalone Sentry SSL connections to UEM.

Enabling Server Name Indication (SNI).

View the Available and Selected protocols and cipher suites. See Cipher Suites and Protocols.

Set up custom protocol and cipher suite configuration. See Cipher Suites and Protocols.

The EMM SSL Configuration page allows the administrator the flexibility to configure Ivanti Standalone Sentry to use cipher suites and protocols to match the security and system needs of your enterprise.

When mutual authentication is enabled between Ivanti EPMM and Sentry, Strict TLS is enabled automatically on that Sentry.

Enabling Strict TLS

You can enable strict TLS for outgoing traffic from Ivanti Standalone Sentry to UEM. Strict TLS is not enabled by default for the UEM server. However, it is enabled for Ivanti Neurons for MDM. When you enable strict TLS, the Java Trust Store is enabled by default. You can also use the custom trust store option to upload additional certificates that Ivanti Standalone Sentry must use.

Procedure

1. In the Ivanti Standalone Sentry System Manager, go to Settings > Services > Sentry > EMM SSL Configuration.
2. In the Strict TLS Settings section, check Enable Strict TLS.

Additional options are now available.

Item

Description

Enable Default Java Trust Store

Selected by default if strict TLS is enabled.

Certificates and Certificates Authorities in the Java Trust Store are used to trust the SSL connection to UEM.

Allow and Log untrusted servers

Select to allow Ivanti Standalone Sentry to connect to a UEM server whose certificate is not trusted by either the Java trust store or the custom trust store. With this option selected the server certificate is not validated; the connection is allowed and the untrusted server is logged. Because this removes the protection strict TLS provides against a spoofed UEM server, use it only for troubleshooting and clear it once the UEM certificate chain is fixed or uploaded to the custom trust store.

Enable Custom Trust Store

Select to upload certificates to the Ivanti Standalone Sentry trust store. Ivanti Standalone Sentry uses the certificates in the custom store to trust UEM.

Generally used if UEM uses self-signed certificates.

3. Click Apply.
4. Click Yes.

The new TLS settings are applied and Ivanti Standalone Sentry restarts. It may take up to one minute for Ivanti Standalone Sentry to restart. Traffic is disrupted until Standalone Sentry is up and running again.

5. Click OK.

Enabling Server Name Indication (SNI)

Server Name Indication (SNI) is an extension to TLS. SNI allows multiple hostnames to be served over HTTPS from one IP address. By default, SNI is disabled on Ivanti Standalone Sentry for outgoing connections to the UEM server. However, SNI is enabled (read-only) for the Ivanti Neurons for MDM UEM server. SNI allows a load balancer to direct incoming traffic to the correct UEM server based on the hostname provided by the client, in this case Standalone Sentry. Some UEM servers may require that SNI is enabled in the client, and your Active Directory Federation Services (ADFS) may require SNI for all client communications.

If SNI is enabled for EMM SSL connections, in some cases health check may fail if the backend server does not also support SNI. The workaround is to disable health check for the impacted server.

Procedure

1. In Ivanti Standalone Sentry System Manager, go to Settings > Services > Sentry > EMM SSL Configuration.
2. Click Enable SNI.
3. Click Apply.

Cipher Suites and Protocols

Ivanti Standalone Sentry includes a set of cipher suites and protocols. A default set of cipher suites and protocols is available in the Selected column. You can customize the Selected list of ciphers and protocols to match the security and system needs for your enterprise.

The available and default set of cipher suites and protocols may be updated in a release. Some cipher suites and protocols may be added, while others may be removed. Cipher suites and protocols may be removed if the platform no longer supports these cipher suites and protocols.

If you are set up to use the default cipher suites and protocols, these are updated to the latest defaults when you upgrade to a new version of Standalone Sentry. If you are set up to use a custom list of Selected cipher suites and protocols, the custom list is preserved when you upgrade your Standalone Sentry. However, any cipher suites or protocols that the new release no longer supports are removed from both the Selected and Available columns, including from your custom Selected list. New cipher suites and protocols are added to the Available column only; they are not selected for you.

Making changes to the selected list of cipher suites may impact the performance and security of traffic through Ivanti Standalone Sentry. Therefore, before making any changes to the Selected cipher suites, Ivanti recommends that you understand both the performance and security impact of the changes.

The following protocols are supported:

TLSv1.2 (Selected by default)

TLSv1.1

TLSv1

SSLv2Hello

SSLv2Hello is a pseudo-protocol that allows Java to initiate the handshake with an SSLv2 'hello message.' This does not cause the use of the SSLv2 protocol, which is not supported by Java. SSLv2Hello requires that TLSv1 protocol is also selected.

SSLv2Hello is required by some load balancers and SSL off loaders for proper functioning. If your environment does not need it, it is recommended to remove this from the protocol list for improved security.

Procedure

1. In Ivanti Standalone Sentry System Manager, go to Settings > Services > Sentry > EMM SSL Configuration. Ciphers and protocols are configured in the Sentry to Backend Ciphers, SNI, and Protocols Configuration section.

The Use Default Cipher Suites and Protocols (recommended) option is selected by default.

2. Select Use Custom Configuration.
3. Click Proceed to continue.
4. Select the protocols and cipher suites to move from the Available to Selected column or vice-versa as necessary.

The default cipher suites and protocols are colored blue.

5. Click Apply to save the changes.

When Use Default Cipher Suites and Protocols (recommended) is selected, the cipher suites and protocols can be moved between the Available and Selected columns. However, the configuration is not changed. You must also select the Use Custom Configuration option to make changes to the default configuration.
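Before applying a Strict TLS, SNI, or protocol change and taking the Sentry restart, it is useful to check from a workstation how the UEM server will actually behave under the settings you are about to select. The following is an added example and is not Sentry or Ivanti code (Sentry itself is Java-based); it is a standard-library-only Python client that reproduces the semantics of the three Strict TLS check boxes, the SNI switch, and a protocol floor such as a TLSv1.2-only Selected list, and reports what the server negotiates. The host name uem.example.com, the file uem-ca.pem, and the function and parameter names are placeholders chosen for this example.

```python
"""Probe a UEM/EMM endpoint the way Sentry's outgoing connection will treat it
under a given EMM SSL Configuration, before the settings are applied.

Added illustration, not Sentry or Ivanti code. Host names, ports and file
paths are placeholders (assumptions) to replace with your own values.
"""
import hashlib
import logging
import socket
import ssl
from dataclasses import dataclass
from typing import Optional

log = logging.getLogger("uem-tls-probe")


def build_context(use_default_store: bool = True,
                  custom_ca_file: Optional[str] = None,
                  allow_untrusted: bool = False,
                  min_version: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2,
                  max_version: ssl.TLSVersion = ssl.TLSVersion.MAXIMUM_SUPPORTED
                  ) -> ssl.SSLContext:
    """Map the Strict TLS check boxes onto an SSLContext.

    use_default_store -> 'Enable Default Java Trust Store' (here: the OS store)
    custom_ca_file    -> 'Enable Custom Trust Store' (a PEM bundle you uploaded)
    allow_untrusted   -> 'Allow and Log untrusted servers'
    min/max_version   -> the Selected protocol list, expressed as a floor/ceiling
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = min_version
    ctx.maximum_version = max_version
    if allow_untrusted:
        # Verification OFF: self-signed, expired or mis-named certificates are
        # all accepted. check_hostname must be cleared before verify_mode.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if not use_default_store and not custom_ca_file:
        raise ValueError("strict TLS needs at least one trust store")
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if use_default_store:
        ctx.load_default_certs()
    if custom_ca_file:
        ctx.load_verify_locations(cafile=custom_ca_file)
    return ctx


def policy(ctx: ssl.SSLContext) -> dict:
    """Plain-data summary of a context's verification policy."""
    return {
        "verify": "required" if ctx.verify_mode == ssl.CERT_REQUIRED else "none",
        "hostname_check": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
    }


@dataclass
class ProbeResult:
    version: str       # negotiated protocol, e.g. "TLSv1.2"
    cipher: str        # negotiated cipher suite
    cert_sha256: str   # fingerprint of the leaf certificate the server presented
    verified: bool     # False only in allow-and-log mode


def probe(host: str, port: int = 443, sni: bool = True, **ctx_kwargs) -> ProbeResult:
    """One handshake; raises ssl.SSLCertVerificationError if strict trust fails."""
    ctx = build_context(**ctx_kwargs)
    if not sni and ctx.check_hostname:
        # Python ties hostname verification to the SNI name, so a no-SNI probe
        # (does the load balancer insist on SNI?) needs allow_untrusted=True.
        raise ValueError("probing without SNI requires allow_untrusted=True")
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host if sni else None) as tls:
            der = tls.getpeercert(binary_form=True) or b""
            cipher_name = tls.cipher()[0]
            result = ProbeResult(tls.version() or "", cipher_name,
                                 hashlib.sha256(der).hexdigest(),
                                 ctx.verify_mode == ssl.CERT_REQUIRED)
    if not result.verified:
        # The "log" half of "Allow and Log untrusted servers".
        log.warning("untrusted server %s:%d accepted; leaf sha256=%s",
                    host, port, result.cert_sha256)
    return result


def supported_versions(host: str, port: int = 443, **ctx_kwargs) -> dict:
    """Which protocol versions the server negotiates; run this before trimming
    the Selected protocol list so you know what the UEM side will still accept."""
    out = {}
    for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2):
        try:
            out[v.name] = probe(host, port, min_version=v, max_version=v, **ctx_kwargs).version
        except (ssl.SSLError, OSError, ValueError) as exc:
            # refused by the server, or by the local OpenSSL security policy
            out[v.name] = "failed: " + exc.__class__.__name__
    return out


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(probe("uem.example.com", 443, custom_ca_file="uem-ca.pem"))  # placeholder host
    print(supported_versions("uem.example.com", 443))
```

A strict probe that fails with an SSLCertVerificationError tells you the UEM chain is not in the chosen trust store; upload the issuing CA to the custom trust store rather than selecting Allow and Log untrusted servers. A probe with sni=False that fails while sni=True succeeds tells you the UEM front end requires SNI, so Enable SNI must be selected on Sentry.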

Switching back to default configuration

You can revert your settings to default configuration if you do not wish to use the custom configuration.

Procedure

1. In Ivanti Standalone Sentry System Manager, go to Settings > Services > Sentry > EMM SSL Configuration.
2. In the Sentry to EMM Ciphers, SNI, and Protocols Configuration section, select Use Default Cipher Suites and Protocols (recommended).
3. Click Apply to save the changes.

The cipher suites and protocols are reset to the default settings.

Clicking on Reset to Default resets the Available and Selected columns to default settings. However, the default settings will not be applied. To apply the default settings, you must select Use Default Cipher Suites and Protocols (recommended), and then click Apply.