Incoming SSL configuration
For Ivanti Neurons for MDM, cipher suites and protocols configuration is done in the Sentry profile on Ivanti Neurons for MDM.
Use the Incoming SSL Configuration page to configure ciphers and protocols for incoming traffic from device to Ivanti Standalone Sentry. You can do the following:
•View the Available and Selected protocols and cipher suites.
•Setup custom protocol and cipher suite configuration.
Ivanti Standalone Sentry includes a set of cipher suites and protocols. A default set of cipher suites and protocols are available in the Selected column. You can customize the Selected list of ciphers and protocols to match the security and system needs for your enterprise.
The available and default set of cipher suites and protocols may be updated in a release. Some cipher suites and protocols may be added, while others may be removed. Cipher suites and protocols may be removed if the platform no longer supports these cipher suites and protocols.
If you are set up to use the default cipher suites and protocols, these will be updated to the latest defaults when you upgrade to a new version of Ivanti Standalone Sentry. If you are set up to use a custom list of Selected cipher suites and protocols, the custom list is preserved when you upgrade your Ivanti Standalone Sentry. However, any cipher suites or protocols that were removed will also be removed from the Selected and Available columns. New cipher suites and protocols will be added to the Available column.
Making changes to the selected list of cipher suites may impact the performance and security of traffic through Standalone Sentry. Therefore, before making any changes to the Selected cipher suites, Ivanti recommends that you understand both the performance and security impact of the changes.
The Incoming SSL Configuration page allows you to customize the default cipher suites and protocols settings to match the security and system needs of your enterprise. The custom configuration is preserved when you upgrade to the next version of Ivanti Standalone Sentry.
Load balancers and ciphers
If you use a load balancer to perform HTTPS/GET checks against your Sentry and your Sentry uses strong ciphers, do the following:
•Make sure the ciphers enabled in your HTTPS/GET check match one of the Sentry strong ciphers.
•If you cannot change the ciphers that your HTTPS/GET check uses, you can change your check to use HTTP/GET to accomplish the same monitoring.
Supported protocols
•TLSv1.2 (selected by default)
•TLSv1.1
•TLSv1
•SSLv2Hello
•SSLv2Hello is a pseudo-protocol that allows Java to initiate the handshake with an SSLv2 'hello message.' This does not cause the use of the SSLv2 protocol, which is not supported by Java. SSLv2Hello requires that TLSv1 protocol is also selected.
SSLv2Hello is required by some load balancers and SSL off loaders for proper functioning. If your environment does not need it, it is recommended to remove this from the protocol list for improved security.
Customizing protocols and cipher suites configuration
You can customize which protocols and cipher suites are used with Ivanti Standalone Sentry.
Procedure
| 1. | In Ivanti Standalone Sentry System Manager, go to Settings > Services > Sentry > Incoming SSL Configuration. |
The Use Default Cipher Suites and Protocols (recommended) option is selected by default.
| 2. | Select the Use Custom Configuration option. |
| 3. | Move protocols and cipher suites from the Available to Selected column or vice-versa as necessary. |
The default cipher suites and protocols are colored blue.
| 4. | Click Apply to apply the changes. |
When Use Default Cipher Suites and Protocols (recommended) is selected, the cipher suites and protocols can be moved between the Available and Selected columns. However, the configuration is not changed. You must also select the Use Custom Configuration option to make changes to the default configuration.
Switching back to default configuration
If you have customized the protocol and cipher configuration for Ivanti Standalone Sentry, you can switch back to the default configuration.
Procedure
| 1. | In Ivanti Standalone Sentry System Manager, go to Settings > Services > Sentry > Cipher Suites & Protocols. |
| 2. | In the Global Setting section, select Use Default Cipher Suites and Protocols (recommended). |
| 3. | Click Apply to apply the changes. |
The cipher suites and protocols are reset to the default settings.
Clicking on Reset to Default resets the Available and Selected columns to default settings. However, the default settings will not be applied. To apply the default settings, you must select Use Default Cipher Suites and Protocols (recommended), and then click Apply.