- Gopanel 1 9 1 – Manage Web Servers 1 8 Bit
- Gopanel 1 9 1 – Manage Web Servers 1 8 0
- Gopanel 1 9 1 – Manage Web Servers 1 8 Download
- Gopanel 1 9 1 – Manage Web Servers 1 8 Free
The deployment server is just a Splunk Enterprise instance that has been configured to manage the update process across sets of other Splunk Enterprise instances. Depending on the number of instances it's deploying updates to, the deployment server instance might need to be dedicated exclusively to managing updates. GoPanel is the most intuitive OSX App to manage web servers, an alternative to existing control panel softwares you install on your Unix based servers for web hosting. Easy to install and configure Apache, php, mysql, ftp, domains and emails on your server goPanel APP lets you easily connect and manage UNLIMITED linux servers.
Download file - goPanel22.5.0TNT.zip. Download WampServer for free. A Windows Web development environment for Apache, MySQL, PHP databases. WampServer is a Web development platform on Windows that allows you to create dynamic Web applications with Apache2, PHP, MySQL and MariaDB. WampServer automatically installs everything you need to intuitively develope Web applications. GoPanel is an Mac OS X app that helps manage web servers. The app is meant for people who work with cloud-based Linux-powered sites and other kinds of virtual servers. GoPanel is similar to how hosted management solutions work – some examples being cPanel, Plesk, and DirectAdmin.
Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices. Radium 3 0 2 – multi network radio player.
Note:
This blogpost assumes all Web Application Proxies, AD FS servers and Azure AD Connect installations run Windows Server 2016.
This blogpost assumes all Web Application Proxies, AD FS servers and Azure AD Connect installations run Windows Server 2016.
Hardening provides additional layers to defense in depth approaches. It changes the default behavior of products and services to make them more resilient to unauthorized changes and compromise.
Reasons why
Protocols, cipher suites and hashing algorithms are used to encrypt communications in every Hybrid Identity implementation. Typically, ciphers and algorithms to use are based on a negotiation between both ends of a communications channel. The purpose is to use the most secure protocols, cipher suites and hashing algorithms that both ends support. To use the strongest ciphers and algorithms it’s important to disable the ciphers and algorithms you no longer want to see used.
Microsoft recommends organizations to use strong protocols, cipher suites and hashing algorithms. For Azure Active Directory, they are changing the negotiation settings on their systems regularly, to avoid downgrades in encryption standards.
Possible negative impact (What could go wrong?)
When the systems of an Hybrid Identity implementation are improperly hardened, there will be no communication between Azure Active Directory and the systems of the implementation, and/or between the systems of the Hybrid Identity implementation.
This may affect authentications directly when using Active Directory Federation Services (AD FS) or Pass-through Authentication as authentication method in the Hybrid Identity implementation. This may cause diminished functionality, when Password Hash Sync (PHS) is used as the authentication method. Also, this may cause certificates to expire, monitoring to halt and/or backups to fail. It may also mean admins will no longer be able to (remotely) manage the systems.
![Servers Servers](https://static.macupdate.com/screenshots/261903/m/gopanel-screenshot.png?v=1590082631)
When using the Remote Desktop Protocol (RDP) to manage the Windows Server installations of the Hybrid Identity implementation, the default security layer in RDP is set to Negotiate which supports both SSL (TLS 1.0) and the RDP Security Layer. Open Remote Desktop Session Host Configuration in Administrative Tools and double-click RDP-Tcp under the Connections group. If it is set to SSL (TLS 1.0) and you are running Windows Server 2008, make sure that you have installed TLS 1.1 and 1.2 support.
For Hybrid Identity implementations featuring Azure AD Connect’s Seamless Single Sign-on (3SO), do not disable RC4_HMAC_MD5 at this time, as this may break.
To disable weak protocols, cipher suites and hashing algorithms on Web Application Proxies, AD FS Servers and Windows Servers running Azure AD Connect, make sure to meet the following requirements:
System requirements
Make sure all systems in scope are installed with the latest cumulative Windows Updates. Also make sure you run the latest stable version of Azure AD Connect.
Privilege requirements
Make sure to sign in with an account that has privileges to create and/or change and link Group Policy objects to the Organizational Unit (OU) in which the systems in scope reside.
Who to communicate to
When intending to make changes to systems in the Hybrid Identity implementation, make sure to send a heads-up to these people and/or teams in your organization:
- Load balancers and networking guys and gals
- The Active Directory team
- The people responsible for backups, restores and disaster recovery
- The people going through the logs, using a SIEM and/or a TSCM solution
- The monitoring team
One of the challenges you can easily avoid through communications is that multiple persons and/or teams make changes to the configuration. When it breaks, you don’t want to roll-back a bunch of changes, just the one that broke it. Make sure you have the proper freeze/unfreeze moments to achieve that.
Encryption methods are comprised of:
- A protocol, like PCT, SSL and TLS
- A key exchange method, like ECDHE, DHE and RSA
- A cipher suite, like AES, MD5, RC4 and 3DES
Protocols
For the purpose of this blogpost, I’ll stick to disabling the following protocols:
- PCT v1.0
- SSL v2
- SSL v3
- TLS v1.0
- TLS v1.1
Note:
PCT v1.0 is disabled by default on Windows Server Operating Systems.
SSL v2 is disabled, by default, in Windows Server 2016, and later versions of Windows Server.
PCT v1.0 is disabled by default on Windows Server Operating Systems.
SSL v2 is disabled, by default, in Windows Server 2016, and later versions of Windows Server.
Cipher suites and hashing algorithms
For the purpose of this blogpost, I’ll stick to disabling the following ciphers suites and hashing algorithms:
- RC2
- RC4
- MD5
- 3DES
- DES
- NULL
- All cipher suites marked as EXPORT
Note:
NULL cipher suites provide no encryption.
NULL cipher suites provide no encryption.
Note:
The above list is a snapshot of weak ciphers and algorithms dating July 2019. Please consult the SSL Labs Documentation for actual guidance on weak ciphers and algorithms to disable for your organization.
The above list is a snapshot of weak ciphers and algorithms dating July 2019. Please consult the SSL Labs Documentation for actual guidance on weak ciphers and algorithms to disable for your organization.
For the purpose of this blogpost, I’ll stick with the following protocols, cipher suites and hashing algorithms, in the following negotiation order:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
This list provides a preference to Perfect Forwarding Secrecy (PFS) with the elliptic curve Diffie-Hellman key exchange (ECDHE_*) cipher suites.
As the systems in scope may or may not be of Active Directory Domain Services, may or may not run Server Core and may or may not allow downloading 3rd party tools, but in all cases you can disable weak protocols using Windows PowerShell with the following scripts:
Note:
As SSL v2 is disabled and removed from Windows Server 2016, and up, and SSL v3 is disabled by default in Windows Server 2016, and up, these protocols do not need to be disabled on Windows Server 2016, and newer versions of Windows Server.
As SSL v2 is disabled and removed from Windows Server 2016, and up, and SSL v3 is disabled by default in Windows Server 2016, and up, these protocols do not need to be disabled on Windows Server 2016, and newer versions of Windows Server.
Enable TLS 1.2
To enable TLS 1.2, run the following Windows PowerShell script in an elevated PowerShell window on each of the Windows Server installations in scope of the Hybrid Identity implementation:
Note:
The DisabledByDefault registry value doesn't mean that the protocol is disabled by default. It means the protocol isn’t advertised as available by default during negotiations, but is available if specifically requested.
The DisabledByDefault registry value doesn't mean that the protocol is disabled by default. It means the protocol isn’t advertised as available by default during negotiations, but is available if specifically requested.
$SChannelRegPath='HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocols'
New-Item$SChannelRegPath'TLS 1.2Server'-Force
New-Item$SChannelRegPath'TLS 1.2Client'-Force
New-ItemProperty -Path $SChannelRegPath'TLS 1.2Server' `
-NameEnabled-Value1-PropertyTypeDWORD
-NameEnabled-Value1-PropertyTypeDWORD
New-ItemProperty -Path $SChannelRegPath'TLS 1.2Server' `
-NameDisabledByDefault-Value0-PropertyTypeDWORD
-NameDisabledByDefault-Value0-PropertyTypeDWORD
New-ItemProperty -Path $SChannelRegPath'TLS 1.2Client' `
-NameEnabled-Value1-PropertyTypeDWORD
-NameEnabled-Value1-PropertyTypeDWORD
New-ItemProperty -Path $SChannelRegPath'TLS 1.2Client' `
-NameDisabledByDefault-Value0-PropertyTypeDWORD
-NameDisabledByDefault-Value0-PropertyTypeDWORD
Configuring .Net applications to use TLS 1.1 and TLS 1.2
Now, we need to configure .Net applications to use either TLS 1.1 or TLS 1.2. This is important for built-in Windows functionality and 3rd party applications and services. Run the following Windows PowerShell script in the same elevated PowerShell window as the previous one:
Spot maps 1 3 2 – map your network. $RegPath1='HKLM:SOFTWAREWOW6432NodeMicrosoft.NETFrameworkv4.0.30319'
Mockups 3 5 4 – collaborative wireframing for app development. New-ItemProperty-path$RegPath1 `
-nameSystemDefaultTlsVersions-value1-PropertyTypeDWORD
-nameSystemDefaultTlsVersions-value1-PropertyTypeDWORD
New-ItemProperty -path $RegPath1 `
-nameSchUseStrongCrypto-value1-PropertyTypeDWORD
-nameSchUseStrongCrypto-value1-PropertyTypeDWORD
$RegPath2='HKLM:SOFTWAREMicrosoft.NETFrameworkv4.0.30319'
New-ItemProperty-path$RegPath2 `
-nameSystemDefaultTlsVersions-value1-PropertyTypeDWORD
-nameSystemDefaultTlsVersions-value1-PropertyTypeDWORD
New-ItemProperty -path $RegPath2 `
-nameSchUseStrongCrypto-value1-PropertyTypeDWORD
-nameSchUseStrongCrypto-value1-PropertyTypeDWORD
Disable TLS 1.0 and TLS 1.1
To disable TLS 1.0 and TLS 1.1, run the following Windows PowerShell script in the same elevated PowerShell window as the previous Windows PowerShell script on each of the Windows Server installations in scope of the Hybrid Identity implementation:
New-Item$SChannelRegPath-Name 'TLS 1.0'
New-Item$SChannelRegPath'TLS 1.0'-NameSERVER
New-ItemProperty -Path $SChannelRegPath'TLS 1.0SERVER'`
-NameEnabled-Value0-PropertyTypeDWORD
-NameEnabled-Value0-PropertyTypeDWORD
New-Item$SChannelRegPath'TLS 1.1Server' –force
New-Item$SChannelRegPath'TLS 1.1Client' –force
New-ItemProperty -Path $SChannelRegPath'TLS 1.1Server' `
-NameEnabled-Value 0 -PropertyTypeDWORD
-NameEnabled-Value 0 -PropertyTypeDWORD
New-ItemProperty -Path $SChannelRegPath'TLS 1.1Server' `
-NameDisabledByDefault-Value0-PropertyTypeDWORD
-NameDisabledByDefault-Value0-PropertyTypeDWORD
New-ItemProperty -Path $SChannelRegPath'TLS 1.1Client' `
-NameEnabled-Value 0 -PropertyTypeDWORD
-NameEnabled-Value 0 -PropertyTypeDWORD
New-ItemProperty -Path $SChannelRegPath'TLS 1.1Client' `
-NameDisabledByDefault-Value0-PropertyTypeDWORD
-NameDisabledByDefault-Value0-PropertyTypeDWORD
Restart each server after these configuration changes.
The systems in scope may or may not be of Active Directory Domain Services, may or may not run Server Core and may or may not allow downloading 3rd party tools. In all cases you can disable weak cipher suites and hashing algorithms by disabling individual TLS cipher suites using Windows PowerShell.
Note:
The below lines of PowerShell do not change the negotiation order of the cipher suites and hashing algorithms. It merely disables individual combinations of unwanted cipher suites and hashing algorithms. This also eliminates the need to keep up with the cipher suites in Windows Server between Windows Server version releases and even between updates.
A win-win situation if you’d ask me!
The below lines of PowerShell do not change the negotiation order of the cipher suites and hashing algorithms. It merely disables individual combinations of unwanted cipher suites and hashing algorithms. This also eliminates the need to keep up with the cipher suites in Windows Server between Windows Server version releases and even between updates.
A win-win situation if you’d ask me!
Tip!
To get an overview of the current negotiation order, use the following line of PowerShell:
To get an overview of the current negotiation order, use the following line of PowerShell:
Get-TlsCipherSuite|Format-TableName
Use the following lines on Windows Server 2016 installations to remove weak cipher suites and hashing algorithms:
Disable-TlsCipherSuite-Name'TLS_DHE_RSA_WITH_AES_256_CBC_SHA'
Disable-TlsCipherSuite-Name'TLS_DHE_RSA_WITH_AES_128_CBC_SHA'
Disable-TlsCipherSuite-Name'TLS_RSA_WITH_AES_256_GCM_SHA384'
Disable-TlsCipherSuite-Name'TLS_RSA_WITH_AES_128_GCM_SHA256'
Disable-TlsCipherSuite-Name'TLS_RSA_WITH_AES_256_CBC_SHA256'
Disable-TlsCipherSuite-Name'TLS_RSA_WITH_AES_128_CBC_SHA256'
Disable-TlsCipherSuite-Name'TLS_RSA_WITH_AES_256_CBC_SHA'
Disable-TlsCipherSuite-Name'TLS_RSA_WITH_AES_128_CBC_SHA'
Disable-TlsCipherSuite-Name'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
Disable-TlsCipherSuite-Name'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256'
Disable-TlsCipherSuite-Name'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256'
Disable-TlsCipherSuite-Name'TLS_DHE_DSS_WITH_AES_256_CBC_SHA'
Disable-TlsCipherSuite-Name'TLS_DHE_DSS_WITH_AES_128_CBC_SHA'
Disable-TlsCipherSuite-Name'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA'
Disable-TlsCipherSuite-Name'TLS_RSA_WITH_RC4_128_SHA'
Disable-TlsCipherSuite-Name'TLS_RSA_WITH_RC4_128_MD5'
Disable-TlsCipherSuite-Name'TLS_RSA_WITH_NULL_SHA256'
Disable-TlsCipherSuite-Name'TLS_RSA_WITH_NULL_SHA'
Disable-TlsCipherSuite-Name'TLS_PSK_WITH_AES_256_GCM_SHA384'
Disable-TlsCipherSuite-Name'TLS_PSK_WITH_AES_128_GCM_SHA256'
Disable-TlsCipherSuite-Name'TLS_PSK_WITH_AES_256_CBC_SHA384'
Disable-TlsCipherSuite-Name'TLS_PSK_WITH_AES_128_CBC_SHA256'
Disable-TlsCipherSuite-Name'TLS_PSK_WITH_NULL_SHA384'
Disable-TlsCipherSuite-Name'TLS_PSK_WITH_NULL_SHA256'
Disable-TlsCipherSuite-Name'TLS_DHE_RSA_WITH_AES_128_CBC_SHA'
Disable-TlsCipherSuite-Name'TLS_RSA_WITH_AES_256_GCM_SHA384'
Disable-TlsCipherSuite-Name'TLS_RSA_WITH_AES_128_GCM_SHA256'
Disable-TlsCipherSuite-Name'TLS_RSA_WITH_AES_256_CBC_SHA256'
Disable-TlsCipherSuite-Name'TLS_RSA_WITH_AES_128_CBC_SHA256'
Disable-TlsCipherSuite-Name'TLS_RSA_WITH_AES_256_CBC_SHA'
Disable-TlsCipherSuite-Name'TLS_RSA_WITH_AES_128_CBC_SHA'
Disable-TlsCipherSuite-Name'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
Disable-TlsCipherSuite-Name'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256'
Disable-TlsCipherSuite-Name'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256'
Disable-TlsCipherSuite-Name'TLS_DHE_DSS_WITH_AES_256_CBC_SHA'
Disable-TlsCipherSuite-Name'TLS_DHE_DSS_WITH_AES_128_CBC_SHA'
Disable-TlsCipherSuite-Name'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA'
Disable-TlsCipherSuite-Name'TLS_RSA_WITH_RC4_128_SHA'
Disable-TlsCipherSuite-Name'TLS_RSA_WITH_RC4_128_MD5'
Disable-TlsCipherSuite-Name'TLS_RSA_WITH_NULL_SHA256'
Disable-TlsCipherSuite-Name'TLS_RSA_WITH_NULL_SHA'
Disable-TlsCipherSuite-Name'TLS_PSK_WITH_AES_256_GCM_SHA384'
Disable-TlsCipherSuite-Name'TLS_PSK_WITH_AES_128_GCM_SHA256'
Disable-TlsCipherSuite-Name'TLS_PSK_WITH_AES_256_CBC_SHA384'
Disable-TlsCipherSuite-Name'TLS_PSK_WITH_AES_128_CBC_SHA256'
Disable-TlsCipherSuite-Name'TLS_PSK_WITH_NULL_SHA384'
Disable-TlsCipherSuite-Name'TLS_PSK_WITH_NULL_SHA256'
After hardening it’s time to test the hardening. Everyone should sign off (not literally, unless that’s procedure) on the correct working of the Windows Servers running Azure AD Connect. Does authentication to cloud applications still work? Does rolling over the certificate still work? Does monitoring still work? Can we still make back-ups? Can we still restore the backups we make?
Typically, hardening is rolled out to one Windows Server. When testing the hardening of the functionality behind the load balancer, make sure that the load balancer points you to the hardened system, not another one. In an environment with a Staging Mode Azure AD Connect installation, the hardening can be performed on this Windows Server installation and tested with the normal Staging Mode (imports only) synchronization cycles. When hardening is approved upon, the actively synchronizing Azure AD Connect installation can be switched, or hardened, too.
Note:
The registry changes are step 2 of two steps to harden protocols, cipher suites and hashing algorithms of the Hybrid Identity implementation. Make sure to Enforce Azure AD Connect to use TLS 1.2 only on the Windows Servers running Azure AD Connect, before testing.
The registry changes are step 2 of two steps to harden protocols, cipher suites and hashing algorithms of the Hybrid Identity implementation. Make sure to Enforce Azure AD Connect to use TLS 1.2 only on the Windows Servers running Azure AD Connect, before testing.
Rolling Back Hardening
To roll back hardening, use the following lines of Windows PowerShell:
$SChannelRegPath='HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocols'
Remove-Item –Name'TLS 1.0' –Path$SChannelRegPath
Remove-Item –Name'TLS 1.1' –Path$SChannelRegPath
Remove-Item –Name'TLS 1.2' –Path$SChannelRegPath
Remove-Item –Name'TLS 1.1' –Path$SChannelRegPath
Remove-Item –Name'TLS 1.2' –Path$SChannelRegPath
Enable-TlsCipherSuite-Name'TLS_DHE_RSA_WITH_AES_256_CBC_SHA'
Enable-TlsCipherSuite-Name'TLS_DHE_RSA_WITH_AES_128_CBC_SHA'
Enable-TlsCipherSuite-Name'TLS_RSA_WITH_AES_256_GCM_SHA384'
Enable-TlsCipherSuite-Name'TLS_RSA_WITH_AES_128_GCM_SHA256'
Enable-TlsCipherSuite-Name'TLS_RSA_WITH_AES_256_CBC_SHA256'
Enable-TlsCipherSuite-Name'TLS_RSA_WITH_AES_128_CBC_SHA256'
Enable-TlsCipherSuite-Name'TLS_RSA_WITH_AES_256_CBC_SHA'
Enable-TlsCipherSuite-Name'TLS_RSA_WITH_AES_128_CBC_SHA'
Enable-TlsCipherSuite-Name'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
Enable-TlsCipherSuite-Name'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256'
Enable-TlsCipherSuite-Name'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256'
Enable-TlsCipherSuite-Name'TLS_DHE_DSS_WITH_AES_256_CBC_SHA'
Enable-TlsCipherSuite-Name'TLS_DHE_DSS_WITH_AES_128_CBC_SHA'
Enable-TlsCipherSuite-Name'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA'
Enable-TlsCipherSuite-Name'TLS_RSA_WITH_RC4_128_SHA'
Enable-TlsCipherSuite-Name'TLS_RSA_WITH_RC4_128_MD5'
Enable-TlsCipherSuite-Name'TLS_RSA_WITH_NULL_SHA256'
Enable-TlsCipherSuite-Name'TLS_RSA_WITH_NULL_SHA'
Enable-TlsCipherSuite-Name'TLS_PSK_WITH_AES_256_GCM_SHA384'
Enable-TlsCipherSuite-Name'TLS_PSK_WITH_AES_128_GCM_SHA256'
Enable-TlsCipherSuite-Name'TLS_PSK_WITH_AES_256_CBC_SHA384'
Enable-TlsCipherSuite-Name'TLS_PSK_WITH_AES_128_CBC_SHA256'
Enable-TlsCipherSuite-Name'TLS_PSK_WITH_NULL_SHA384'
Enable-TlsCipherSuite-Name'TLS_PSK_WITH_NULL_SHA256'
Enable-TlsCipherSuite-Name'TLS_DHE_RSA_WITH_AES_128_CBC_SHA'
Enable-TlsCipherSuite-Name'TLS_RSA_WITH_AES_256_GCM_SHA384'
Enable-TlsCipherSuite-Name'TLS_RSA_WITH_AES_128_GCM_SHA256'
Enable-TlsCipherSuite-Name'TLS_RSA_WITH_AES_256_CBC_SHA256'
Enable-TlsCipherSuite-Name'TLS_RSA_WITH_AES_128_CBC_SHA256'
Enable-TlsCipherSuite-Name'TLS_RSA_WITH_AES_256_CBC_SHA'
Enable-TlsCipherSuite-Name'TLS_RSA_WITH_AES_128_CBC_SHA'
Enable-TlsCipherSuite-Name'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
Enable-TlsCipherSuite-Name'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256'
Enable-TlsCipherSuite-Name'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256'
Enable-TlsCipherSuite-Name'TLS_DHE_DSS_WITH_AES_256_CBC_SHA'
Enable-TlsCipherSuite-Name'TLS_DHE_DSS_WITH_AES_128_CBC_SHA'
Enable-TlsCipherSuite-Name'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA'
Enable-TlsCipherSuite-Name'TLS_RSA_WITH_RC4_128_SHA'
Enable-TlsCipherSuite-Name'TLS_RSA_WITH_RC4_128_MD5'
Enable-TlsCipherSuite-Name'TLS_RSA_WITH_NULL_SHA256'
Enable-TlsCipherSuite-Name'TLS_RSA_WITH_NULL_SHA'
Enable-TlsCipherSuite-Name'TLS_PSK_WITH_AES_256_GCM_SHA384'
Enable-TlsCipherSuite-Name'TLS_PSK_WITH_AES_128_GCM_SHA256'
Enable-TlsCipherSuite-Name'TLS_PSK_WITH_AES_256_CBC_SHA384'
Enable-TlsCipherSuite-Name'TLS_PSK_WITH_AES_128_CBC_SHA256'
Enable-TlsCipherSuite-Name'TLS_PSK_WITH_NULL_SHA384'
Enable-TlsCipherSuite-Name'TLS_PSK_WITH_NULL_SHA256'
Get rid of old protocols, cipher suites and hashing algorithms in your Hybrid Identity implementation, so they cannot be used to negotiate the security of the connections down.
Further reading
Managing SSL/TLS Protocols and Cipher Suites for AD FS
245030 How to restrict cryptographic algorithms and protocols in Schannel.dll
187498 How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in IIS
Recommendations for TLS/SSL Cipher Hardening
How to Update Your Windows Server Cipher Suite for Better Security
A Cipher Best Practice: Configure IIS for SSL/TLS Protocol
245030 How to restrict cryptographic algorithms and protocols in Schannel.dll
187498 How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in IIS
Recommendations for TLS/SSL Cipher Hardening
How to Update Your Windows Server Cipher Suite for Better Security
A Cipher Best Practice: Configure IIS for SSL/TLS Protocol
Series Navigation
<< HOWTO: Enforce Azure AD Connect to use TLS 1.2 onlyHOWTO: Disable unnecessary AD FS endpoints >>Supported Operating Systems
WFM Back-end Components Support
Notes:- For Microsoft products with sub-versions such as R1/R2, all versions are supported except as noted for the specific product.
OS Family | Operating System | Release | Conditions |
---|---|---|---|
Windows | Windows Server 2008 | 8.0 - 8.5.1 | |
Windows | Windows Server 2012 | 8.5+ | |
Windows | Windows Server 2016 | 8.5.2+ | Starting with 8.5.210.01. |
WFM GUI/Configuration & Database Utilities I User Interface Support
Notes:- 7.6.1: 32-bit only. Support starts with WFM Configuration Utility 7.6.101.07 and WFM Database Utility 7.6.100.20.
- 8.0: not supported.
- 8.1+: 32-bit and 64-bit. Supported in all versions. Database Utility will also run on both x32- and x64-bit versions.
- 8.5.1: WFM Configuration Utility was removed from the product. WFM Database Utility will only run on x64-bit versions.
OS Family | Operating System | Release | Conditions |
---|---|---|---|
Windows | Windows 10 | 8.5.203 | WFM Database Utility Only |
Windows | Windows 7 | 7.6.1+ | |
Windows | Windows 8 | 8.5.1+ | Compatible, native mode on WFM Web and WFM Database Utility only. |
Windows | Windows Server 2008 | 8.0 - 8.5.1 | |
Windows | Windows Server 2012 | 8.5.1+ | WFM Database Utility Only |
Windows | Windows Server 2016 | 8.5.2+ | Note the following:
|
WFM Web Agent User Interface Support
OS Family | Operating System | Release | Conditions |
---|---|---|---|
Windows | Windows 10 | 8.5.2+ | Starting with 8.5.203. |
Windows | Windows 7 | 8.1 - 8.5.1 | |
Windows | Windows 8 | 8.5.1+ |
WFM Web Server Components Support
Notes:- An asterisk (*) indicates the oldest operating systems supported for the Genesys 7.x and Genesys 8.x Maintenance Interoperable Components, including AIX Power PC, HP-UX, and Solaris SPARC.
- For Microsoft products with sub-versions such as R1/R2, all versions are supported except as noted for the specific product.
- Genesys supports use of products on Oracle Linux, provided that the Oracle Linux distribution is 100% compatible with a Genesys-supported Red Hat distribution, and that the Oracle Unbreakable Enterprise Kernel is not used. Genesys will only support Oracle Linux based on testing and reproduction of any issues in the equivalent Red Hat Linux version; no investigation or testing will be performed on Oracle Linux itself. Support only applies to Oracle Linux versions 5.x and later.
OS Family | Operating System | Release | Conditions |
---|---|---|---|
AIX | AIX Power PC 64-bit (AIX 5L for POWER) 7.1 | 8.1 - 8.5.1 | |
Linux | Red Hat Enterprise Linux 6 | 8.1.1 | |
Linux | Red Hat Enterprise Linux 7 | 8.1.1+ | |
Solaris | Solaris SPARC 64-bit 10 | 7.2 - 8.5.212 | |
Windows | Windows 7 | 8.1 - 8.5.1 | |
Windows | Windows Server 2008 | 8.0 - 8.5.1 | |
Windows | Windows Server 2012 | 8.5+ | |
Windows | Windows Server 2016 | 8.5.2+ | Starting with 8.5.210.02. |
WFM Web Supervisor User Interface Support
OS Family | Operating System | Release | Conditions |
---|---|---|---|
Windows | Windows 10 | 8.5.2+ | Starting with 8.5.203. |
Windows | Windows 7 | 8.1 - 8.5.1 | |
Windows | Windows 8 | 8.5.1+ |
Supported Browsers
Component | Browser | Release | Conditions/Limitations |
---|---|---|---|
WFM Web Agent User Interface | Firefox ESR | 8.5.1 | Version 31 |
WFM Web Agent User Interface | Firefox ESR | 8.5.2+ | Note the following:
|
WFM Web Agent User Interface | Google Chrome | 8.1.3+ | Version 35+ |
WFM Web Agent User Interface | Microsoft Edge | 8.5.2+ | Starting with 8.5.217.13, version 84.0.552.40+ is supported. Note: Agent UI (Classic) is not supported. |
WFM Web Agent User Interface | Microsoft IE | 8.5.0+ | Version 11. Note: There is a known issue with the new (ARK) WFM Web Agent interface when using IE 11.0.40 and WFM Web 8.5.205.09. Please use a different version of IE, use a different browser altogether (e.g., Chrome or Firefox), use the “classic” view of WFM Web Agent or upgrade to WFM Web 8.5.206.09 (the issue is fixed in that release). |
WFM Web Supervisor User Interface | Firefox ESR | 8.5.1 | Version 31 |
WFM Web Supervisor User Interface | Firefox ESR | 8.5.2 | Version 60.4 |
WFM Web Supervisor User Interface | Google Chrome | 8.1.3 - 8.5.0 | WFM Web Supervisor will no longer work with Chrome 44 and above as those versions no longer support Java plug-ins. Customers running WFM Web Supervisor on Chrome 44 or above will need to change their browser to IE or Firefox. |
WFM Web Supervisor User Interface | Microsoft Edge | 8.5.2+ | Starting with 8.5.217.13, version 84.0.552.40+ is supported. |
WFM Web Supervisor User Interface | Microsoft IE | 8.5.0+ | Version 11 |
WFM Web Supervisor User Interface (new Forecast module only) | Firefox ESR | 8.5.2+ | Starting with 8.5.214, version 60.5+ is supported. |
WFM Web Supervisor User Interface (new Forecast module only) | Google Chrome | 8.5.2+ | Starting with 8.5.214, version 73+ is supported |
WFM Web Supervisor User Interface (new Forecast module only) | Microsoft Edge | 8.5.2+ | Starting with 8.5.217.13, version 84.0.552.40+ is supported. |
Supported Database/DB Clusters
- For Microsoft products with sub-versions such as R1/R2, all versions are supported except as noted for the specific product.
- Genesys supports Genesys products on the database patch levels up to the latest currently available patch sets.
Database | Release | Conditions/Limitations |
---|---|---|
IBM DB2 10 | 8.1.3 - 8.5.1 | |
IBM DB2 9.7 | 8.1.0 - 8.1.2 | |
MS SQL Server 2008 | 8.0+ | To support MS SQL DB replication functionality, the minimum required version is MSL SQL Server 2008 R2 Enterprise Edition. |
MS SQL Server 2012 | 8.1.3+ | |
MS SQL Server 2012 Cluster | 8.5.1+ | Also supports AlwaysOn Cluster with Synchronous Mirroring capability in 8.5.1 and later versions |
MS SQL Server 2014 | 8.5.1+ | |
MS SQL Server 2014 Cluster | 8.5.2+ | Starting with 8.5.207; also supports AlwaysOn Cluster with Synchronous Mirroring capability. |
MS SQL Server 2016 | 8.5.2+ | Starting with 8.5.210 |
MS SQL Server 2016 Cluster | 8.5.2+ | Starting with 8.5.210; also supports AlwaysOn Cluster with Synchronous Mirroring capability. |
Oracle 11g | 8.0+ | Oracle 11g Rel 1 and Rel 2 are supported. |
Oracle 11g RAC | 8.1+ | Oracle 11g Rel 1 and Rel 2 are supported. |
Oracle 12c R1 | 8.5.1 | |
Oracle 12c R1 RAC | 8.5.204 | Oracle 12c RAC with Dataguard is supported |
Oracle 12c R2 | 8.5.2+ | Starting with 8.5.214 |
Oracle 12c R2 RAC | 8.5.2+ | Starting with 8.5.214; Oracle 12c R2 RAC with Dataguard is supported. |
Oracle 18c | 8.5.2+ | Starting with 8.5.214 |
Oracle 18c RAC | 8.5.2+ | Starting with 8.5.214 |
Oracle 19c | 8.5.2+ | Starting with 8.5.214 |
Oracle 19c RAC | 8.5.2+ | Starting with 8.5.214 |
Supported Virtualization Platforms
See the global page that lists all Virtualization-related information.
IPV6 Support for Common Interfaces
Gopanel 1 9 1 – Manage Web Servers 1 8 Bit
- Release Support numbers refer to Workforce Management.
Component | Release | Interface | Conditions |
---|---|---|---|
Workforce Management | 8.1+ | Management Framework Configuration Server/Proxy | |
Workforce Management | no direct interface | Interaction Server | |
Workforce Management | no direct interface | License Server | |
Workforce Management | no direct interface | SIP Server/T-Server |
IPV6 Support for Additional Interfaces
- In the Interface column: (C) stands for Client and (S) stands for Server
- Release Support numbers refer to Workforce Management.
Gopanel 1 9 1 – Manage Web Servers 1 8 0
Component | Release | Interface | Conditions |
---|---|---|---|
Workforce Management | 8.1+ | WFM Builder (C) – Configuration Server/Proxy (S) | |
Workforce Management | 8.1+ | WFM Builder (C) – WFM Server (S) | |
Workforce Management | 8.1+ | WFM Configuration Utility (C) – WFM Server (S) | |
Workforce Management | 8.1+ | WFM Daemon (C) – Configuration Server/Proxy (S) | |
Workforce Management | 8.1+ | WFM Daemon (C) – WFM Server (S) | |
Workforce Management | 8.1+ | WFM Data Aggregator (C) – Configuration Server/Proxy (S) | |
Workforce Management | 8.1+ | WFM Data Aggregator (C) – Stat Server (S) | |
Workforce Management | 8.1+ | WFM Data Aggregator (C) – WFM Server (S) | |
Workforce Management | 8.1+ | WFM Server (C) – Configuration Server/Proxy (S) | |
Workforce Management | 8.1+ | WFM Server (C) – Message Server (S) | |
Workforce Management | 8.1+ | WFM Server (C) – WFM Builder (S) | |
Workforce Management | 8.1+ | WFM Server (C) – WFM Server (S) | |
Workforce Management | 8.1+ | WFM Web (C) – Configuration Server/Proxy (S) | |
Workforce Management | 8.1+ | WFM Web (C) – WFM Builder (S) | |
Workforce Management | 8.1+ | WFM Web (C) – WFM Data Aggregator (S) | |
Workforce Management | 8.1+ | WFM Web (C) – WFM Server (S) | |
Workforce Management | no support | WFM Builder (C) – Message Server (S) | |
Workforce Management | no support | WFM Daemon (C) – Message Server (S) | |
Workforce Management | no support | WFM Data Aggregator (C) – Message Server (S) | |
Workforce Management | no support | WFM Web (C) – Message Server (S) |
Gopanel 1 9 1 – Manage Web Servers 1 8 Download
Prerequisites
Gopanel 1 9 1 – Manage Web Servers 1 8 Free
Workforce Management - Prerequisites | |||
---|---|---|---|
Third-Party Component Prerequisites | Acquired by Customer | Provided by Genesys | Conditions/Limitations |
Third-Party Component Prerequisites | |||
Oracle Client 11 (latest) with Oracle NET and Oracle Provider for OLE DB | Yes | No | Release: 8.5.0 This is installation requirements for an Oracle datbase. Be aware of the following: 64-bit WFM servers require the 64-bit Oracle Client. WFM Database Utility and/or WFM Configuration Utility are 32-bit applications and therefore 32-bit Oracle Client needs to be installed on the host(s) that are running these components |
Oracle Client 11 (latest) with Oracle NET and Oracle Provider for OLE DB | Yes | No | Release: 8.1.3 This is installation requirements for an Oracle datbase. Be aware of the following: 64-bit WFM servers require the 64-bit Oracle Client. WFM Database Utility and/or WFM Configuration Utility are 32-bit applications and therefore 32-bit Oracle Client needs to be installed on the host(s) that are running these components |
Oracle Client 11 (latest) with Oracle NET and Oracle Provider for OLE DB | Yes | No | Release: 8.1.2 This is installation requirements for an Oracle database. Be aware of the following: 64-bit WFM servers require the 64-bit Oracle Client. WFM Database Utility and/or WFM Configuration Utility are 32-bit applications and therefore 32-bit Oracle Client needs to be installed on the host(s) that are running these components |
Oracle Client 11 (latest) with Oracle NET and Oracle Provider for OLE DB | Yes | No | Release: 8.1.1 This is installation requirements for an Oracle database. Be aware of the following: 64-bit WFM servers require the 64-bit Oracle Client. WFM Database Utility and/or WFM Configuration Utility are 32-bit applications and therefore 32-bit Oracle Client needs to be installed on the host(s) that are running these components |
Oracle Client 11 (latest) with Oracle NET and Oracle Provider for OLE DB | Yes | No | Release: 8.1.0 This is installation requirements for an Oracle datbase. Be aware of the following: 64-bit WFM servers require the 64-bit Oracle Client. WFM Database Utility and/or WFM Configuration Utility are 32-bit applications and therefore 32-bit Oracle Client needs to be installed on the host(s) that are running these components |
Oracle Client 11 or 12 (latest) with Oracle NET and Oracle Provider for OLE DB | Yes | No | Release: 8.5.2 This is installation requirements for Oracle database. Also, 64-bit WFM servers require the 64-bit Oracle Client |
Oracle Client 11 or 12 (latest) with Oracle NET and Oracle Provider for OLE DB | Yes | No | Release: 8.5.1 This is the installation requirements for the Oracledatabase. Be aware of the following: 64-bit WFM servers require the 64-bit Oracle Client. WFM Database Utility is a 32-bit applications and therefore 32-bit Oracle Client needs to be installed on the host(s) that are running this component |
WFM Database Utility: .NET Framework 2.0+ | Yes | No | Release: 8.5.0 |
WFM Database Utility: .NET Framework 2.0+ | Yes | No | Release: 8.1.3 |
WFM Database Utility: .NET Framework 2.0+ | Yes | No | Release: 8.1.0 |
WFM Database Utility: .NET Framework 2.0+ | Yes | No | Release: 8.1.2 |
WFM Database Utility: .NET Framework 2.0+ | Yes | No | Release: 8.1.1 |
WFM Database Utility: .NET Framework 2.0+ | Yes | No | Release: 8.5.1 |
WFM Web Server: Apache Tomcat 5.5 / 6.0 / 7.0 (with Sun Java JDK 5 starting with update 1 or Java JDK 6) or IBM WebSphere 6.1 / 7.0 | Yes | No | Release: 8.1.0 |
WFM Web Server: Apache Tomcat 6.0 / 7.0 (with Sun's Java JDK 6 or 7) or IBM WebSphere 7.0 / 8.0 | Yes | No | Release: 8.1.3 |
WFM Web Server: Apache Tomcat 6.0 / 7.0 (with Sun's Java JDK 6 or 7) or IBM WebSphere 7.0 / 8.0 | Yes | No | Release: 8.1.2 |
WFM Web Server: Apache Tomcat 6.0 / 7.0 (with Sun's Java JDK 6 or 7) or IBM WebSphere 7.0 / 8.0 | Yes | No | Release: 8.1.1 |
WFM Web Server: Apache Tomcat 6.0, 7.0 (with Sun's Java JDK 6 or 7) | Yes | No | Release: 8.5.0 |
WFM Web Server: Apache Tomcat 7.0/8.0 (with Oracle JDK 7 or 8) | Yes | No | Release: 8.5.1 |
WFM Web Server: Apache Tomcat 7.0/8.0 (with Oracle JDK 7 or 8) | Yes | No | Release: 8.5.2 |
WFM Web Server: Apache Tomcat 7.0/8.0/8.5/9.0 (with Oracle JDK 7, JDK 8, or JDK 10) | Yes | No | Release: 8.5.211 To deploy WFM Web Server with Java 10, minimum versions required for Tomcat 8 are 8.5 and 8.0. |
WFM Web Server: Apache Tomcat 7.0/8.0/8.5/9.0 (with Oracle JDK 8 or JDK 10) | Yes | No | Release: 8.5.212 To deploy WFM Web Server with Java 10 minimum versions required for Tomcat 8 are 8.5 and 8.0. |
WFM Web Server: Apache Tomcat 8.0/8.5/9.0 (with Oracle Java 8 Developer's Kit (JDK), Oracle Java 11 Developer's Kit (JDK), or OpenJDK 11) | Yes | No | Release: 8.5.214 To deploy WFM Web Server with Java 11, the minimum versions required for Tomcat 8 are 8.5 and 8.0. |
WFM Web Server: Apache Tomcat 8.5/9.0 (with Oracle Java 8 Developer's Kit (JDK), Oracle Java 11 Developer's Kit (JDK), or OpenJDK 11) | Yes | No | Release: 8.5.215+ Starting with 8.5.215.09. To deploy WFM Web Server with Java 11, the minimum versions required for Tomcat are 8.5.50 and 9.0.30. |
WFM Web Server: IBM WebSphere 7.0 / 8.0 | Yes | No | Release: 8.5.0 |
WFM Web Supervisors: Oracle JRE 7 or JRE 8 | Yes | No | Release: 8.5.1 |
WFM Web Supervisors: Oracle JRE 7 or JRE 8 | Yes | No | Release: 8.5.2 |
WFM Web Supervisors: Oracle JRE 7, JRE 8, JRE 9, or JRE 10 | Yes | No | Release: 8.5.211.00 |
WFM Web Supervisors: Oracle JRE 8, JRE 11, or openJDKJRE 11 | Yes | No | Release: 8.5.214+ |
WFM Web Supervisors: Sun Java JRE 6 starting with update 12 | Yes | No | Release: 8.1.0 |
WFM Web Supervisors: Sun Java JRE 6 starting with update 12 or JRE 7 | Yes | No | Release: 8.5.0 |
WFM Web Supervisors: Sun Java JRE 6 starting with update 12 or JRE 7 | Yes | No | Release: 8.1.3 |
WFM Web Supervisors: Sun Java JRE 6 starting with update 12 or JRE 7 | Yes | No | Release: 8.1.2 |
WFM Web Supervisors: Sun Java JRE 6 starting with update 12 or JRE 7 | Yes | No | Release: 8.1.1 |