| Note: If you have used the script listed here, please contact support BEFORE installing SwyxWare 11.38. |
Summary
To support the next generation clients, SwyxWare offers a REST API for authentication which is used by Swyx Mobile for iOS/Android and Swyx Desktop for Mac. This API uses the Transport Layer Security (TLS) implementation built into the Windows operating system.
Microsoft allows an administrator to restrict the supported TLS protocols and ciphers to improve security. This article links to information from Microsoft about these settings and offers a script to help administrators apply them.
Information
For the next generation client, SwyxWare offers a REST API for authentication on port 9101. To allow Swyx Mobile for iOS/Android and Swyx Desktop for macOS to connect to SwyxWare via Remote Connector this API has to be accessible from the internet. SwyxWare supports HTTPS on this API.
SwyxWare does not use its own TLS implementation, but relies on the functionality built into Windows, which is also used by IIS. Microsoft allows administrators to restrict TLS protocol versions and ciphers to improve TLS security. See this Microsoft Support Article about how to configure these restrictions:
https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
To make it easier to configure these settings, this article provides a PowerShell script you can execute on every system where SwyxWare is installed.
| Note: These settings apply to all software running on the Windows Server that relies on the Windows built-in TLS implementation, not only SwyxWare. If you're using other software alongside SwyxWare on the same system, make sure that this software keeps working correctly after you apply these settings. |
| Note: If you've configured SwyxWare to use TLS for sending voice mails and welcome emails, make sure that the mail server SwyxWare is talking to is compatible with the restricted TLS settings. |
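To record the state before and after applying the restrictions, the following read-only check lists what is currently configured under the Schannel `Protocols` registry key documented in the Microsoft article. It is an added example, not the script provided by Swyx; the function name `Get-SchannelProtocolState` is hypothetical, and a missing value is reported as the operating system default rather than interpreted.

```powershell
# Added example: read-only audit of the Schannel protocol registry settings.
# It only reads HKLM and changes nothing.
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'
$roles     = 'Server', 'Client'

# Hypothetical helper: returns one row per protocol/role with the raw values.
function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Role)

    $key   = Join-Path (Join-Path $base $Protocol) $Role
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # Read a DWORD only if the key and the value both exist.
    $read = {
        param($name)
        if ($props -and $props.PSObject.Properties[$name]) { $props.$name } else { $null }
    }
    $enabled           = & $read 'Enabled'
    $disabledByDefault = & $read 'DisabledByDefault'

    # No explicit Enabled value: Windows applies the default of the installed
    # OS version, so report that instead of guessing.
    $state = if ($null -eq $enabled) {
        'OS default (not configured)'
    } elseif ($enabled -eq 0) {
        'Disabled'
    } else {
        'Enabled'
    }

    [pscustomobject]@{
        Protocol          = $Protocol
        Role              = $Role
        State             = $state
        Enabled           = $enabled
        DisabledByDefault = $disabledByDefault
    }
}

# One row per protocol and role (Server = inbound, e.g. the REST API on port 9101;
# Client = outbound, e.g. SwyxWare talking to a mail server).
$report = foreach ($p in $protocols) {
    foreach ($r in $roles) { Get-SchannelProtocolState -Protocol $p -Role $r }
}
$report | Format-Table -AutoSize
```

Run it once before and once after applying the restrictions and keep both tables, so that a later compatibility problem can be traced to a specific protocol and role.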
Remote Connector
The Remote Connector tunnel between Swyx Mobile and SwyxWare does not rely on the Windows TLS implementation and uses only a restricted set of protocols and ciphers (TLS 1.2, ephemeral Diffie-Hellman key agreement, RSA authentication, AES 256). The tunnel connection is secured using client and server certificates which are specific to the user and the SwyxWare installation and which are retrieved by the Swyx Mobile and Swyx Desktop for macOS clients using the above-mentioned REST API.
Recommendations
- Apply the TLS restrictions either using the provided script or manually as described by Microsoft.
- After changing the TLS settings, test all software running on your server to ensure that it continues to work correctly.
- Keep the Windows operating system up-to-date by
  - Installing all Windows updates recommended by Microsoft
  - Following Microsoft security advisories
- Keep SwyxWare up-to-date by
  - Installing updates provided by Swyx
- If possible, purchase and install a TLS certificate for the public REST API SwyxWare offers. See here for details about installing such a certificate.