How To Enable #TLS 1.2 Protocol In System Center Data Protection Manager #DPM #SCDPM #TLS1.2

Introduction

Last year, Microsoft announced Transport Layer Security (TLS) 1.2 protocol support for System Center 2012 R2 and System Center 2016. This of course includes support for System Center Semi-Annual Channel (SAC 1801 and SAC 1807) or later.

TLS is a secure protocol for communication, and TLS 1.2 support has recently been made a mandate across Microsoft products. What that means is that wherever a product leverages TLS, TLS 1.2 should be supported. You can read more about Transport Layer Security (TLS) here.

In the meantime, TLS version 1.3 was defined in RFC 8446 in August 2018. It is based on the earlier TLS 1.2 specification. You can read about the major differences between TLS 1.2 and TLS 1.3 here. The million dollar question is whether Microsoft will support TLS 1.3 in the near future; as of this writing, no information has been publicly announced yet.

In the case of DPM, the impact is when backups are sent to the cloud (Azure Backup), when certificate-based authentication is used to install the agent on a server in a Workgroup or untrusted Domain, and in certain cases while protecting SQL Servers.

In this article, I will describe all the steps needed to enable TLS 1.2 support for System Center Data Protection Manager.

TLS 1.2 Prerequisites for SC DPM

The following are prerequisites for supporting TLS 1.2 for System Center Data Protection Manager:

  1. .NET version 4.6 should be installed on all the machines – DPM server and Protected Servers. .NET version 4.7 is supported on Windows Server 2019. You can use the following PowerShell command to determine if .NET is installed: Get-WindowsFeature NET* 
  2. Install the required SQL server TLS 1.2 supporting update. You can follow the instructions described here to know whether you need this update or not. This update is required for the DPM database and for all SQL servers that you intend to protect.
  3. Install SQL Server 2012 Native Client 11.0 on the DPM Management Server. You can download Microsoft® SQL Server® 2012 Native Client 11.0 from here. Please note that Microsoft SQL Server 2012 Native Client 11.0 is installed by default when you install SQL Server 2016 (13.x).
  4. Make sure you are running a DPM Server version that supports TLS 1.2. The DPM team added TLS 1.2 support starting with DPM 2012 R2 Update Rollup 14 and DPM 2016 Update Rollup 4, as well as DPM SAC 1801 and SAC 1807.
  5. System Center components including SC DPM now generate both SHA1 and SHA2 self-signed certificates. If CA-signed certificates are used for Workgroup machines or an untrusted Domain, please ensure that they are either SHA1 or SHA2. In other words, TLS 1.2 supports only SHA1 and SHA2 certificates. Hence all the certificates must be updated to be SHA1 or SHA2.

Enable TLS 1.2 Protocol in SC DPM

The following steps are required to enable TLS 1.2 support for System Center Data Protection Manager:

  1. First, we need to harden all systems to use only the TLS 1.2 protocol. To do so, we need to disable all SCHANNEL protocols except TLS 1.2, so that only TLS 1.2 is used for communication between the DPM server and the protected server(s). This setting is done in the registry on all protected systems, including the DPM server. To automate this process, you can run the following PowerShell script in Admin mode; it modifies the required registry values accordingly: .\Enable-TLS1.2.ps1 -Verbose

  2. After we have enabled the TLS 1.2 protocol on all systems, we need to configure DPM to use only TLS 1.2. Please note that this setting should be done in the registry on the DPM management server and on all other servers on which DPM agents are installed (e.g. Hyper-V hosts, File Servers, SQL, SharePoint, Exchange, Clients, etc.). To automate this process, you can run the following PowerShell script in Admin mode; it sets DPM to use only the TLS 1.2 protocol by modifying the required registry values:
  3. Finally, you need to restart the system (DPM and protected server).
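The three steps above as one idempotent script. This is an added example, not the author's Enable-TLS1.2.ps1 script: it disables every SCHANNEL protocol except TLS 1.2 on both the server and client side, sets the .NET Framework 4.x values (SchUseStrongCrypto and SystemDefaultTlsVersions) that make DPM's managed code honour the system TLS settings, reads the result back, and reminds you of the restart. Run it with -WhatIf first to see what would change on a given server.

```powershell
#Requires -RunAsAdministrator
# Added example (not the author's Enable-TLS1.2.ps1): harden SCHANNEL to TLS 1.2 only and
# point .NET Framework 4.x at strong crypto / system TLS defaults, as steps 1 and 2 describe.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols    = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$DotNetKeys   = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'

function Set-RegDword {
    # Creates the key if needed and writes a DWORD; honours -WhatIf from the script scope.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path, [string]$Name, [int]$Value)
    if ($PSCmdlet.ShouldProcess("$Path\$Name", "Set DWORD to $Value")) {
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
        Write-Verbose "$Path\$Name = $Value"
    }
}

# Step 1: only TLS 1.2 stays enabled; every other protocol is disabled and disabled-by-default.
foreach ($proto in $Protocols) {
    $enable = if ($proto -eq 'TLS 1.2') { 1 } else { 0 }
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $SchannelRoot "$proto\$side"
        Set-RegDword -Path $key -Name 'Enabled'           -Value $enable
        Set-RegDword -Path $key -Name 'DisabledByDefault' -Value (1 - $enable)
    }
}

# Step 2: DPM and its agents are .NET code, so .NET 4.x must use the OS TLS settings.
foreach ($key in $DotNetKeys) {
    Set-RegDword -Path $key -Name 'SchUseStrongCrypto'       -Value 1
    Set-RegDword -Path $key -Name 'SystemDefaultTlsVersions' -Value 1
}

# Read back the server-side state so it can be checked before the reboot required by step 3.
foreach ($proto in $Protocols) {
    $serverKey = Join-Path $SchannelRoot "$proto\Server"
    $enabled   = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).Enabled
    [pscustomobject]@{ Protocol = $proto; ServerEnabled = $enabled }
}
Write-Warning 'SCHANNEL changes take effect only after restarting the DPM server and every protected server.'
```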

Validate TLS 1.2 Protection with SC DPM

The DPM Agent can be installed on the Protected Server either directly from the DPM server for servers in the domain, or using Certificate Based Authentication for computers in a Workgroup or Untrusted Domain. If TLS 1.2 is not set properly (system-wide) on both the DPM server and the protected server, DPM will throw an error with an access denied message similar to the one below. As you can see, the error message is misleading 🙂

For all kinds of workloads backed up by DPM with TLS 1.2 enabled (i.e. SQL, SharePoint, Exchange, File Servers, Hyper-V hosts, Hyper-V VMs, Clients, System State, BMR), you can validate the following:

  1. Attaching the Protected Server in Workgroup / Untrusted Domain to DPM (Please note that VMware VM backup is not supported with DPM TLS 1.2).
  2. While Creating Protection Groups, all data sources on the Protected Server are displayed.
  3. Protecting different kinds of workloads to disk, to tape, and to cloud. However, to enable Data Protection Manager to work with TLS 1.2 when backing up to Azure Backup, you need to apply these steps on the Data Protection Manager server only.
  4. Recovering different kinds of workloads at Original Location, Alternate Location, recover cloud recovery points, and use an External DPM Server.

Finally, DPM 1807 included a set of bug fixes. One of the issues addressed was DPM updates not working when Transport Layer Security (TLS) 1.2 is enabled. So if you are still using DPM 1801, I recommend upgrading to the latest SAC 1807 release.

Until then… Stay protected and secure with DPM!

__
Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-
