HTTPS Monitor and SSL Certificate Expiration Date Monitor reports down status when TLS 1.0 disabled on monitored IIS server

Version 3

    I made a change on the IIS server to comply with the latest security recommendations. The Data Security Standard (DSS) version 3.1 from the PCI Council says that SSL and TLS 1.0 can no longer be used after June 30, 2016.

     

    I used a free tool from Nartac Software named "IIS Crypto", which provides a nice GUI to configure security protocols on a Windows server.


     

    After this change, the SAM SSL-based monitors went down - the SSL Certificate Expiration Date Monitor reported the error "Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host" and the HTTPS monitor reported "The underlying connection was closed: An unexpected error occurred on a send".

     


     

    I found a recommendation to set this registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319

    "SchUseStrongCrypto"=dword:00000001

     

    I did it and restarted the "Solarwinds Job Engine v2" service, but the result was the same as before.

     

    Then I found Microsoft Security Advisory 2960358: https://technet.microsoft.com/library/security/2960358

    According to it, I downloaded the patch matching my configuration (Windows Server 2008 R2 x64 and Microsoft .NET Framework 4.5.2), which was KB2954853.

     

    I also prepared a registry patch file, strongcrypto4-enable.reg, which changes the registry key SchUseStrongCrypto for both 32-bit and 64-bit processes (e.g. IIS AppInsight uses a 64-bit process, but my other templates run in the standard 32-bit worker process on the Orion server).

     

    So in the end, after the changes on the Orion poller server (applying the registry change with the strongcrypto4-enable.reg file, installing the KB from Microsoft advisory #2960358, and restarting the Orion server), my SSL monitors went back into green UP status.

     

    Hope it helps
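
The registry step described in the post can be audited with a short script. This is an added example, not the author's strongcrypto4-enable.reg and not SolarWinds code: it reads SchUseStrongCrypto in both the 64-bit and the Wow6432Node view, optionally sets it, and can attempt a handshake with a monitored host. The parameter names `-Enable` and `-TestHost` are this example's own, and it assumes an elevated 64-bit Windows PowerShell session on the polling server.

```powershell
# Added example (not the author's strongcrypto4-enable.reg).
# Assumes an elevated 64-bit Windows PowerShell session on the polling server.
param(
    [switch]$Enable,    # write SchUseStrongCrypto=1 where it is not already 1
    [string]$TestHost   # optional: monitored HTTPS server to handshake with on port 443
)

# .NET Framework 4.x keys for 64-bit and 32-bit processes respectively
$views = [ordered]@{
    '64-bit' = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
    '32-bit' = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
}

function Get-StrongCrypto([string]$Path) {
    # Always returns a string so callers can compare without type coercion
    if (-not (Test-Path $Path)) { return 'key missing' }
    $v = (Get-ItemProperty -Path $Path -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
    if ($null -eq $v) { 'not set' } else { "$v" }
}

$report = foreach ($view in $views.GetEnumerator()) {
    $before = Get-StrongCrypto $view.Value
    if ($Enable -and $before -ne 'key missing' -and $before -ne '1') {
        New-ItemProperty -Path $view.Value -Name SchUseStrongCrypto -Value 1 -PropertyType DWord -Force | Out-Null
    }
    [pscustomobject]@{ View = $view.Key; Before = $before; After = (Get-StrongCrypto $view.Value) }
}
$report | Format-Table -AutoSize

if ($TestHost) {
    # Only reflects the registry view of the process running this script, and only
    # when that process was started after the value was changed.
    $tcp = $null
    try {
        $tcp = New-Object Net.Sockets.TcpClient($TestHost, 443)
        $ssl = New-Object Net.Security.SslStream($tcp.GetStream())
        $ssl.AuthenticateAsClient($TestHost)   # framework default protocol set
        "Negotiated with ${TestHost}: $($ssl.SslProtocol)"
    } catch {
        Write-Warning "Handshake with $TestHost failed: $($_.Exception.Message)"
    } finally {
        if ($tcp) { $tcp.Close() }
    }
}

# Non-zero exit if any existing view still lacks the setting
if ($report | Where-Object { $_.After -ne '1' -and $_.After -ne 'key missing' }) { exit 1 }
```

A view that reports "not set" or 0 matters as much as the other one, since the post notes that some monitors run in a 64-bit process and others in a 32-bit worker process.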