Communication encryption and certificates
Communication between Ivanti Workspace Control Agents and Relay Servers, and between Relay Servers, is encrypted using Transport Layer Security (TLS) version 1.0, 1.1 or 1.2. The latest TLS version provides the strongest protection; IWC communication negotiates the highest TLS version that both sides support.
By default, .NET Framework 4.7 and later versions are configured to use TLS 1.2, but they also allow connections using TLS 1.1 or TLS 1.0.
When FIPS (Federal Information Processing Standard) mode is used, TLS 1.0 and TLS 1.1 are not allowed. The minimum secure transport protocol should then be configured to TLS 1.2.
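The paragraphs above describe the TLS versions that .NET Framework and Schannel will accept, but not how to see which are actually enabled on a given Relay Server. The following PowerShell audit is an added example, not Ivanti's code or part of the Relay Server product: it reads the Microsoft-documented Schannel protocol keys and the .NET Framework 4.x strong-crypto settings and reports whether TLS 1.0 and TLS 1.1 are still available. It only reads the registry; the remediation values at the end are shown in comments so that they are applied deliberately, after confirming that no Agent still depends on TLS 1.0 or 1.1.

```powershell
# Added audit example (not Ivanti's code). Run in an elevated PowerShell on the
# Relay Server. Reads only; nothing is changed.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Schannel: a protocol is off when Enabled=0 or DisabledByDefault=1 under its
# Server or Client subkey. A missing subkey means the OS default applies
# (TLS 1.0/1.1 are enabled by default on older Windows Server releases).
foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($role in 'Server', 'Client') {
        $key = Join-Path $base "$proto\$role"
        if (Test-Path $key) {
            $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $state = if ($p.Enabled -eq 0 -or $p.DisabledByDefault -eq 1) { 'disabled' } else { 'enabled' }
            $detail = 'Enabled={0} DisabledByDefault={1}' -f $p.Enabled, $p.DisabledByDefault
        } else {
            $state  = 'not configured (OS default applies)'
            $detail = ''
        }
        '{0,-8} {1,-6} {2} {3}' -f $proto, $role, $state, $detail
    }
}

# .NET Framework 4.x: with SystemDefaultTlsVersions=1 and SchUseStrongCrypto=1
# the framework follows the Schannel settings above instead of its own list.
$dotnetKeys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
              'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
foreach ($key in $dotnetKeys) {
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    '{0}: SystemDefaultTlsVersions={1} SchUseStrongCrypto={2}' -f $key, $p.SystemDefaultTlsVersions, $p.SchUseStrongCrypto
}

# Remediation (Microsoft-documented values), left commented on purpose.
# Disabling TLS 1.0/1.1 for both roles makes TLS 1.2 the minimum, which is
# what the FIPS requirement on this page asks for. A reboot is required.
# foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
#     foreach ($role in 'Server', 'Client') {
#         $key = Join-Path $base "$proto\$role"
#         New-Item -Path $key -Force | Out-Null
#         Set-ItemProperty -Path $key -Name Enabled -Value 0 -Type DWord
#         Set-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -Type DWord
#     }
# }
# foreach ($key in $dotnetKeys) {
#     New-Item -Path $key -Force | Out-Null
#     Set-ItemProperty -Path $key -Name SystemDefaultTlsVersions -Value 1 -Type DWord
#     Set-ItemProperty -Path $key -Name SchUseStrongCrypto -Value 1 -Type DWord
# }
```

Because IWC negotiates the highest version both sides support, disabling TLS 1.0 and 1.1 in Schannel on the Relay Server is what turns "TLS 1.2 preferred" into "TLS 1.2 required"; run the audit on the Agents' hosts as well before doing so, so that no endpoint is left unable to connect.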
Communication between a Relay Server and the Datastore depends on the type of database used. For Microsoft SQL Server, this communication occurs over port 1433 by default.
Different databases communicate over different ports. For more details, see Communication Model.
The goal of the TLS protocol is to provide privacy, server authentication and data integrity between two communicating applications.
A self-signed certificate can be used for the TLS connection between the Relay Server and the Agents. The default certificate signing algorithm is SHA1RSA.
To increase the level of security, IWC supports Certificate Authority (CA) signed certificates, which Ivanti recommends. These are certificates issued by a trusted authority.
Self-signed certificates are not FIPS compliant. Ivanti also recommends using self-signed certificates only for testing purposes, not in a production environment.
For the connection between an Agent and a Relay Server, and between Relay Servers, custom certificates can be used. To use custom certificates, configure the certificate using relayserver.exe /config on your Relay Servers.
Additionally, the Administration > Agents node of the Console can be used to disallow self-signed certificates for Agent > Relay Server connections. To disallow self-signed certificates between Relay Servers, use relayserver.exe /config.
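The certificate section above names two properties an administrator should check before relying on a Relay Server certificate in production: whether it is self-signed (not FIPS compliant and recommended only for testing) and whether it is signed with SHA1RSA (the default). The following PowerShell listing is an added example, not Ivanti's code: it walks the local machine's personal certificate store, which is where a certificate selected through relayserver.exe /config would normally be installed, and flags both properties along with chain validity and expiry. It assumes the certificate is in Cert:\LocalMachine\My; adjust the path if it was placed elsewhere.

```powershell
# Added example (not Ivanti's code). Lists certificates in the local machine
# personal store and flags the properties this page calls out.
Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $sigAlg = $_.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA or sha256RSA
    [pscustomobject]@{
        Thumbprint         = $_.Thumbprint
        Subject            = $_.Subject
        SignatureAlgorithm = $sigAlg
        # A self-signed certificate is issued by itself: subject equals issuer.
        SelfSigned         = ($_.Subject -eq $_.Issuer)
        # SHA-1 signatures are the default on this page but are deprecated.
        SHA1Signed         = ($sigAlg -like 'sha1*')
        # Verify() builds and validates the chain against the machine's trust
        # store; a self-signed certificate that is not trusted returns False.
        ChainValid         = $_.Verify()
        HasPrivateKey      = $_.HasPrivateKey
        NotAfter           = $_.NotAfter
        Expired            = ($_.NotAfter -lt (Get-Date))
    }
} | Sort-Object SelfSigned, SHA1Signed -Descending | Format-Table -AutoSize
```

A production Relay Server certificate should show SelfSigned False, SHA1Signed False, ChainValid True and HasPrivateKey True; any row with SelfSigned True is one to replace with a CA-signed certificate, and the Console setting that disallows self-signed certificates for Agent > Relay Server connections will reject it once enabled.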