ANS Documentation

Improve This Doc
  • Cloud
  • Domains and DNS management
  • Backup and High Availability
  • eCommerce Stacks
  • Security
  • Email
  • Monitoring and usage management
  • Networking
  • Operating systems
    • Linux
    • VMware ESXi
    • Windows
      • Active Directory
      • Common Issues
      • Exchange
      • FTP
      • IIS
      • MSSQL
      • Networking
      • TLS 1.2 in PowerShell
      • RDP
      • Windows Server 2016
      • SSL/TLS and Schannel
      • Windows Administration
  • Webcelerator
  • MyUKFast
  • Home >
  • Operating systems >
  • Windows >
  • SSL/TLS and Schannel >
  • TLS Support for Windows Software

TLS Support for Windows Software¶

This section lists some things to be aware of before making changes to the Schannel security provider on Windows operating systems.

Schannel SSP configuration changes will affect the whole operating system. In other words, if you remove Schannel protocols in order to harden your web application, and that web application connects to a SQL instance on the same server, the Schannel changes will affect both the web application and the SQL instance.

TLS Support for Microsoft SQL Server¶

Microsoft SQL Server has it’s own set of compatibility considerations when it comes to SSL/TLS security.

A list of the SQL versions along with minimum patch requirements to support TLS 1.2 can be found at the external link below:

TLS1.2 Support for Microsoft SQL

TLS support for Microsoft Exchange Server¶

Modern versions of Exchange will fully support TLS 1.2, providing, of course, that the Exchange environment has the necessary Cumulative Updates applied, and meets the minimum patch level.

You can read further information from the Microsoft Exchange Team’s 3-part blog on TLS guidance, here.

TLS support for the Remote Desktop Services¶

There are some things to be aware of when it comes to RDS Farms.

The Remote Desktop Protocol (RDP) on Windows Servers 2012 R2 and newer fully supports TLS 1.2 encryption. If using an older operating system, such as Server 2008 R2, then you may need to apply Windows patches to enable RDP to use TLS 1.1 and TLS 1.2.

RDS Connection Broker TLS Compatibility¶

Administrators may find that when TLS 1.0 is disabled on the server running the Connection Broker role, the RDMS service can’t start, and therefore users are not able to log into the Farm.

The reason for this is that, by default, the Connection Broker role will use a local Windows Internal Database (WID) to store session information. The WID does not currently support anything above TLS 1.0. This means that disabling this protocol will break connection broker and RDMS functionality.

More information on this can be found at the external link here.

The only way to migrate away from using the WID, is to configure the RDS deployment to use the connection broker in High Availability mode. This requires using a dedicated SQL Server to hold the Connection Broker information instead.

Next Article > TLS Considerations for .NET Client connections

  • Useful Links
  • SMB
  • Enterprise
  • Channel
  • Public Sector
  • ANS Data Centres
  • About ANS
  • Careers
  • Blog
  • Get in touch
  •  
  • Sales 0800 458 4545
  • Support 0800 230 0032
  • Get in touch

© ANS Group Limited | Terms and Conditions | Corporate Guidance | Sitemap
ANS Group Limited, registered in England and Wales, company registration number 03176761, registered office 1 Archway, Birley Fields, Manchester M15 5QJ