Configure TLS 1.2 on Windows clients accessing Azure Stack Edge Pro device

APPLIES TO: Azure Stack Edge Pro - GPU, Azure Stack Edge Pro 2, Azure Stack Edge Pro R, Azure Stack Edge Mini R

If you use a Windows client to access your Azure Stack Edge Pro device, you're required to configure Transport Layer Security (TLS) 1.2 on your client. This article provides resources and guidelines to configure TLS 1.2 on your Windows client.

The guidelines provided here are based on testing performed on a client running Windows Server 2016.

Prerequisites

Before you begin, make sure that you have access to a Windows Server client that can connect to your Azure Stack Edge device. The client should be running Windows Server 2016 or later.

Configure TLS 1.2 for the current PowerShell session

Use the following steps to configure TLS 1.2 on your client:

  1. Run PowerShell as administrator.

  2. To set TLS 1.2 for the current PowerShell session, type:

    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    

Configure TLS 1.2 on the client machine

Use the following steps to set system-wide TLS 1.2 for your environment:

  1. To enable TLS 1.2 on the clients, use guidelines in the following articles:

  2. Configure Cipher Suites.

    • See specifically Configuring TLS Cipher Suite Order.

    • Make sure to list your current cipher suites and prepend any missing from the following list:

      • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
      • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

    You can also add these cipher suites by directly editing the registry settings. Define the variable $HklmSoftwarePath first, then create the policy value:

    $HklmSoftwarePath = 'HKLM:\SOFTWARE'
    # The Functions value is a single comma-separated string with no spaces between suite names.
    New-ItemProperty -Path "$HklmSoftwarePath\Policies\Microsoft\Cryptography\Configuration\SSL\00010002" -Name "Functions" -PropertyType String -Value ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384")
    
  3. Set elliptic curves. Make sure that you list your current elliptic curves and prepend any missing from the following list:

    • P-256
    • P-384

    You can also add these elliptic curves by directly editing the registry settings.

    New-ItemProperty -Path "$HklmSoftwarePath\Policies\Microsoft\Cryptography\Configuration\SSL\00010002" -Name "EccCurves" -PropertyType MultiString -Value @("NistP256", "NistP384")
    
  4. Set the minimum RSA key exchange size to 2048.
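
The following is an added example, not part of the original article: it applies the "list your current values and prepend any missing" guidance from steps 2 and 3, rather than overwriting whatever is already configured. The helper names Merge-PrependMissing and Get-PolicyValue are hypothetical, and falling back to Get-TlsCipherSuite and Get-TlsEccCurve when no policy value exists yet is an assumption of this example.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell session.
$HklmSoftwarePath = 'HKLM:\SOFTWARE'
$SslPolicyKey = "$HklmSoftwarePath\Policies\Microsoft\Cryptography\Configuration\SSL\00010002"

$RequiredSuites = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384'
)
$RequiredCurves = @('NistP256', 'NistP384')

# Hypothetical helper: put required entries that are absent in front, keep the existing order.
function Merge-PrependMissing {
    param([string[]]$Required, [string[]]$Current)
    $missing = @($Required | Where-Object { $Current -notcontains $_ })
    return @($missing + $Current)
}

# Hypothetical helper: return the policy value, or $null when it is not set.
function Get-PolicyValue {
    param([string]$Name)
    $item = Get-ItemProperty -Path $SslPolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

if (-not (Test-Path $SslPolicyKey)) { New-Item -Path $SslPolicyKey -Force | Out-Null }

# Cipher suites: start from the existing policy string, else from the enabled suites.
$existing = Get-PolicyValue -Name 'Functions'
if ($existing) {
    $currentSuites = @($existing -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
} else {
    $currentSuites = @((Get-TlsCipherSuite).Name)
}
$suites = Merge-PrependMissing -Required $RequiredSuites -Current $currentSuites
New-ItemProperty -Path $SslPolicyKey -Name 'Functions' -PropertyType String `
    -Value ($suites -join ',') -Force | Out-Null

# Elliptic curves: same approach, stored as a MultiString value.
$currentCurves = Get-PolicyValue -Name 'EccCurves'
if (-not $currentCurves) { $currentCurves = @(Get-TlsEccCurve) }
$curves = Merge-PrependMissing -Required $RequiredCurves -Current $currentCurves
New-ItemProperty -Path $SslPolicyKey -Name 'EccCurves' -PropertyType MultiString `
    -Value $curves -Force | Out-Null

# Show the resulting order for review.
$suites; $curves
```

Restart the client afterwards so that the new cipher suite and curve order takes effect.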
