Secure Mobile Access 12.4 Administration Guide

Configuring SSL Encryption

The appliance uses SSL encryption and other cryptographic algorithms—or ciphers—to secure data transfer. When configuring the encryption settings for the appliance, you must enable at least one cipher to be used in conjunction with SSL to secure your network traffic. The default settings are typically sufficient for most deployments.

Secure Mobile Access has been enhanced to support TLS 1.3, the latest and most secure TLS version, for incoming and outgoing connections.

TLS 1.0 and TLS 1.1 are no longer supported for user sessions and are supported only for outgoing connections to internal resources.

If you have configured the TLS transport protocol as “Any TLS version” or “TLS version 1.2 or 1.1” in a prior version of SMA, upgrading to SMA 12.4 is prevented. To upgrade to SMA 12.4, select “TLS version 1.2 only” in AMC and then proceed with the upgrade process.

To configure SSL encryption settings

  1. In the AMC, navigate to System Configuration > SSL Settings.

  2. Click the Edit link in the SSL Encryption section.

    The SSL Encryption page displays.

    All security levels use only US government-recommended (FIPS 140-2 compliant) encryption. FIPS is a government standard specifying best practices for implementing cryptographic software. This configures the appliance to use only the TLS protocol and enables only FIPS-compliant ciphers.

  3. In the Security Level section, select the version of TLS transport protocol that the appliance will use.

    By default, the TLS transport protocol is set as Secure.

    1. Modern: Supports TLS 1.3 only. Provides the highest level of security without providing backward compatibility for older clients.

      The Modern security level supports the following cipher suites:
        • TLS_AES_128_GCM_SHA256
        • TLS_AES_256_GCM_SHA384

    2. Secure: Supports only secure protocols (TLS 1.2 and higher) and ciphers. Recommended for most systems; provides the best balance of security and compatibility.

      The Secure security level supports the following cipher suites:
        • TLS_AES_128_GCM_SHA256
        • TLS_AES_256_GCM_SHA384
        • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

    3. Legacy: Adds support for older ciphers that are no longer considered secure (TLS 1.2 and higher).

      The Legacy security level includes ciphers that are insecure; they are included only for compatibility with older browsers and clients.

      The Legacy security level supports the following cipher suites:
        • TLS_AES_128_GCM_SHA256
        • TLS_AES_256_GCM_SHA384
        • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        • TLS_RSA_WITH_AES_256_CBC_SHA
        • TLS_RSA_WITH_AES_128_CBC_SHA

    If you want to use a different security level for connections to internal systems such as authentication servers (AD/LDAP), SMTP servers, and so on:

    1. In the Advanced section, select the Use a different security level for connections to internal systems checkbox.
    2. In the Internal security level dropdown, select one of the following:
      1. Modern: Supports TLS 1.3 only. Provides the highest level of security without providing backward compatibility for older clients.

        The Modern security level supports the following cipher suites:
          • TLS_AES_128_GCM_SHA256
          • TLS_AES_256_GCM_SHA384

      2. Secure: Supports only secure protocols (TLS 1.2 and higher) and ciphers. Recommended for most systems; provides the best balance of security and compatibility.

        The Secure security level supports the following cipher suites:
          • TLS_AES_128_GCM_SHA256
          • TLS_AES_256_GCM_SHA384
          • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
          • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
          • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
          • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

      3. Legacy: Adds support for older ciphers that are no longer considered secure (TLS 1.2 and higher).

        The Legacy security level includes ciphers that are insecure; they are included only for compatibility with older browsers and clients.

        The Legacy security level supports the following cipher suites:
          • TLS_AES_128_GCM_SHA256
          • TLS_AES_256_GCM_SHA384
          • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
          • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
          • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
          • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
          • TLS_RSA_WITH_AES_256_CBC_SHA
          • TLS_RSA_WITH_AES_128_CBC_SHA

      4. Obsolete: Select this only if your internal systems support no more than TLS 1.1 or 1.0. Using TLS 1.0 and 1.1 is not recommended.
  4. Select the ciphers that the access services (Web proxy, network proxy, and network tunnel) on the appliance will accept for SSL connections.

    • Provide the highest level of security: Prefer 256-bit ciphers
    • Allow the highest level of performance and capacity: Prefer 128-bit ciphers
  5. Click Save.
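After saving, it is worth confirming from a client that the appliance really negotiates only the versions and cipher suites the selected security level lists above. The following script is an added example and is not part of the SMA product or this guide: it pins a handshake to each TLS version in turn, records what the server negotiated, and compares the result with the suite lists from this page. The hostname sma.example.com and port 443 are placeholders you replace with your own appliance; the conversion from OpenSSL cipher names (which Python's ssl module reports) to the IANA names used in the guide is a general rule for the AES suites listed here, not something the appliance exposes.

```python
"""Compare what an SMA endpoint negotiates with the security level set in AMC.
Added example; not SonicWall code. Host and port below are placeholders."""
import socket
import ssl

# Cipher suites the guide lists for each security level, by IANA name.
MODERN_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"}
SECURE_SUITES = MODERN_SUITES | {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
LEGACY_SUITES = SECURE_SUITES | {
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
}
# Protocol versions each level accepts, named as ssl.SSLSocket.version() reports them.
# "Obsolete" (internal connections only) has no suite list in the guide, so it is omitted.
LEVELS = {
    "Modern": ({"TLSv1.3"}, MODERN_SUITES),
    "Secure": ({"TLSv1.3", "TLSv1.2"}, SECURE_SUITES),
    "Legacy": ({"TLSv1.3", "TLSv1.2"}, LEGACY_SUITES),
}


def iana_name(openssl_name):
    """Convert an OpenSSL cipher name to the IANA name used in the guide.
    Covers the AES suites listed there; TLS 1.3 suites already use IANA names."""
    if openssl_name.startswith("TLS_"):
        return openssl_name
    parts = openssl_name.split("-")
    idx = next((i for i, p in enumerate(parts) if p.startswith("AES")), None)
    if idx is None:
        raise ValueError(f"unsupported cipher name: {openssl_name}")
    key_exchange = parts[:idx] or ["RSA"]   # OpenSSL omits "RSA" for plain RSA key exchange
    bulk = f"AES_{parts[idx][3:]}"           # AES256 -> AES_256
    tail = parts[idx + 1:]                   # ["GCM", "SHA384"] or ["SHA"]
    if tail[0] not in ("GCM", "CCM"):
        tail = ["CBC"] + tail                # CBC mode is implicit in OpenSSL names
    return "TLS_" + "_".join(key_exchange) + "_WITH_" + "_".join([bulk] + tail)


def evaluate(level, protocol, openssl_cipher):
    """Return (allowed, reason) for a negotiated protocol/cipher pair under a level."""
    versions, suites = LEVELS[level]
    if protocol not in versions:
        return False, f"{protocol} is not permitted at the {level} level"
    suite = iana_name(openssl_cipher)
    if suite not in suites:
        return False, f"{suite} is not in the {level} suite list"
    return True, f"{protocol} with {suite} is permitted at the {level} level"


def probe(host, port, version, timeout=5.0):
    """Handshake pinned to one TLS version; returns (protocol, cipher) or None
    when the server (or the local OpenSSL build) refuses that version.
    Verification is off because we are observing protocol support, not trusting the peer."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (ssl.SSLError, ValueError, OSError):
        return None


def audit(host, port, level):
    """Probe each TLS version and flag any result that contradicts the level:
    an old version that is accepted, a weak suite, or an expected version refused."""
    expected_versions, _ = LEVELS[level]
    results = []
    for name, version in (("TLSv1", ssl.TLSVersion.TLSv1),
                          ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
                          ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
                          ("TLSv1.3", ssl.TLSVersion.TLSv1_3)):
        negotiated = probe(host, port, version)
        if negotiated is None:
            results.append({"version": name, "accepted": False,
                            "ok": name not in expected_versions})
        else:
            ok, reason = evaluate(level, *negotiated)
            results.append({"version": name, "accepted": True,
                            "cipher": negotiated[1], "ok": ok, "reason": reason})
    return results


if __name__ == "__main__":
    # Placeholder address: replace with your appliance and the level you selected in AMC.
    for row in audit("sma.example.com", 443, "Secure"):
        print(row)
```

A row with "ok": False for TLSv1 or TLSv1.1 means the endpoint still accepts a version the level excludes; a False row for TLSv1.2 under Secure or Legacy usually means either a configuration that has not taken effect or a client OpenSSL build that cannot offer that version, so check the client before the appliance. When an internal security level is configured, run the same audit against the appliance's connections to internal systems from a host on that network.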
