TLS Configuration Requirements for Automox
TLS Configuration Requirements
Automox requires secure Transport Layer Security (TLS) configurations to protect communication between the Automox agent and the cloud console. This document details supported protocols, cipher suites, and system requirements for maintaining connectivity.
Supported Protocols and Cryptography
To align with industry best practices and AWS security policies, Automox supports TLS 1.2 and TLS 1.3. Systems must use cryptographic primitives that provide forward secrecy and authenticated encryption.
Technical Standards
- Protocols: TLS 1.2, TLS 1.3
- Hashing Algorithms: SHA256, SHA384
- Keys:
- RSA
- ECDSA (where dual-stack certificates are supported)
- Key Exchange: ECDHE (Elliptic Curve Diffie-Hellman Ephemeral)
- Encryption Algorithms: AES-GCM, ChaCha20-Poly1305
Legacy algorithms, including static RSA key exchange (which provides no forward secrecy) and deprecated hashing functions such as SHA-1 and MD5, are unsupported for agent-to-console communication.
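The standards above can be applied mechanically to a cipher suite list. The following function is an added example, not code from the Automox page: it classifies SCHANNEL-style suite names against the Technical Standards (ECDHE key exchange, RSA or ECDSA authentication, AES-GCM or ChaCha20-Poly1305 encryption, SHA256/SHA384 hashing) and states why a suite is rejected. The sample suite list is constructed for illustration; on Windows 10 / Server 2016 and later the same function can be fed the live list from the built-in `Get-TlsCipherSuite` cmdlet, which the page itself does not mention.

```powershell
# Added example (not from the Automox page): classify cipher suite names against the
# Technical Standards listed above. TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) carry no
# key-exchange token in the name because TLS 1.3 always uses ephemeral (EC)DHE, so they
# are accepted as-is. Everything else must be ECDHE + (RSA|ECDSA) + AEAD cipher + SHA-2.
function Test-CipherSuitePolicy {
    param([Parameter(Mandatory)][string]$Name)

    $result = [ordered]@{ Name = $Name; Compliant = $false; Reason = '' }

    switch -Regex ($Name) {
        # TLS 1.3 AEAD suites
        '^TLS_(AES_128_GCM_SHA256|AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$' {
            $result.Compliant = $true
            $result.Reason = 'TLS 1.3 AEAD suite'
            break
        }
        # TLS 1.2 suites that meet every requirement
        '^TLS_ECDHE_(RSA|ECDSA)_WITH_(AES_(128|256)_GCM|CHACHA20_POLY1305)_SHA(256|384)$' {
            $result.Compliant = $true
            $result.Reason = 'ECDHE with AEAD cipher and SHA-2 hash'
            break
        }
        # Rejections, most specific first, so the reason is the most useful one
        '^TLS_RSA_WITH_' {
            $result.Reason = 'static RSA key exchange (no forward secrecy)'
            break
        }
        '_CBC_' {
            $result.Reason = 'CBC cipher is not authenticated encryption'
            break
        }
        '(_SHA$|_MD5$)' {
            $result.Reason = 'SHA-1 or MD5 hash is deprecated'
            break
        }
        default {
            $result.Reason = 'does not match an approved ECDHE/AEAD pattern'
        }
    }
    [pscustomobject]$result
}

# Constructed sample input in the format SCHANNEL and Get-TlsCipherSuite use
$sampleSuites = @(
    'TLS_AES_256_GCM_SHA384',                   # compliant (TLS 1.3)
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',  # compliant
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',    # compliant
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',    # rejected: CBC
    'TLS_RSA_WITH_AES_128_GCM_SHA256',          # rejected: static RSA
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA'             # rejected: static RSA (also CBC, SHA-1)
)
$sampleSuites | ForEach-Object { Test-CipherSuitePolicy -Name $_ } | Format-Table -AutoSize

# Live check of the local SCHANNEL list (Windows 10 / Server 2016 and later):
#   Get-TlsCipherSuite | ForEach-Object { Test-CipherSuitePolicy -Name $_.Name }
```

A system passes the page's Cipher Policy row as long as at least one configured suite is reported as compliant; suites listed as rejected do no harm on their own unless the cipher order places them ahead of every compliant suite.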
System Requirements
Administrators must ensure managed endpoints meet these cryptographic requirements to prevent connection failures.
Supported Configuration Reference
| Component | Requirement |
|---|---|
| Operating Systems | |
| PowerShell Version | |
| Key Exchange | ECDHE must be enabled in SCHANNEL |
| Cipher Policy | Must support at least one suite from AWS CloudFront TLSv1.2_2019 or newer |
Registry Configuration Paths
Windows TLS behavior is controlled by these registry keys:
- ECDH Key Exchange:
  - HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\ECDH
- SSL Cipher Order:
  - HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002
- Enable strong cryptography for .NET applications (including PowerShell):
  - HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727
  - HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
  - HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727
  - HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319
For detailed guidance on configuring these registry paths or troubleshooting environment issues, see the Automox documentation:
For manual configuration, administrators can use the IIS Crypto tool by Nartac Software. It offers a graphical interface to manage SCHANNEL registry keys, enable TLS 1.2 and 1.3, disable insecure cryptographic methods, and reorder cipher suites.
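Before changing any of these keys it helps to know what is currently set. The following read-only audit is an added example, not an Automox tool: it reads the registry locations listed above and reports each value with a pass/review status. The registry paths are the ones on this page; the value names (`Enabled` under the ECDH key, `Functions` under the cipher-order key, and `SchUseStrongCrypto` / `SystemDefaultTlsVersions` under the .NET Framework keys) are Microsoft's documented SCHANNEL and .NET settings rather than values stated on this page, and the expected values are this example's assumptions. Run it in an elevated Windows PowerShell or PowerShell 7 session; it writes nothing.

```powershell
# Added example (not from the Automox page): read-only audit of the TLS registry
# locations listed above. Value names and expected values are assumptions taken from
# Microsoft's documentation of SCHANNEL and .NET Framework, not from this page.
function Get-TlsRegistryValue {
    param([string]$Path, [string]$Name)
    # A missing key or value is reported as $null so that absence is visible in the output
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

function Get-TlsRegistryAudit {
    $checks = @(
        @{ Area = 'ECDH key exchange'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\ECDH'
           Name = 'Enabled'
           Ok   = { param($v) ($null -eq $v) -or ($v -ne 0) }   # absent = OS default (enabled)
           Note = 'Must not be 0; ECDHE is required' }
        @{ Area = 'SSL cipher suite order (policy)'
           Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
           Name = 'Functions'
           Ok   = { param($v) ($null -eq $v) -or ($v -match 'ECDHE') }
           Note = 'If a policy order is set, it must still contain ECDHE suites' }
    )
    # .NET Framework keys from the list above; both values are DWORDs expected to be 1
    $netPaths = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    )
    foreach ($p in $netPaths) {
        foreach ($n in 'SchUseStrongCrypto', 'SystemDefaultTlsVersions') {
            $checks += @{ Area = ".NET strong crypto ($n)"; Path = $p; Name = $n
                          Ok   = { param($v) $v -eq 1 }
                          Note = 'DWORD 1 makes .NET and PowerShell default to TLS 1.2+' }
        }
    }

    foreach ($c in $checks) {
        $value = Get-TlsRegistryValue -Path $c.Path -Name $c.Name
        [pscustomobject]@{
            Area   = $c.Area
            Path   = $c.Path
            Value  = $c.Name
            Actual = if ($null -eq $value) { '<absent>' } else { $value -join ' ' }
            Status = if (& $c.Ok $value) { 'OK' } else { 'REVIEW' }
            Note   = $c.Note
        }
    }
}

Get-TlsRegistryAudit | Format-Table Area, Value, Actual, Status -AutoSize
```

An absent ECDH `Enabled` value is treated as OK because Windows enables ECDH by default; an absent cipher-order policy is likewise OK because the OS default order already contains ECDHE suites. The .NET values are flagged for review when absent, since without them older .NET Framework builds default to TLS 1.0, which is the failure mode the page's script is designed to catch.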
Connectivity Validation
All agent operations require successful TLS negotiation. Verify connectivity by testing outbound HTTPS requests to the primary Automox infrastructure endpoints.
Validation Endpoints
| Endpoint | Expected Result | Note |
|---|---|---|
| https://api.automox.com | Success | Primary API communication |
| https://storage-cdn.prod.automox.com | Success (403 Forbidden) | A 403 response confirms a successful TLS handshake |
Manual Validation (PowerShell)
To verify that a system can establish a secure connection with the required TLS protocols, run this script in PowerShell. The script uses .NET sockets to confirm the negotiated protocol version:
Test-AutomoxConnectivity.ps1
```powershell
#!/usr/bin/env pwsh
<#
.SYNOPSIS
    Tests connectivity to Automox endpoints and verifies TLS 1.2+ configuration.
.DESCRIPTION
    This script checks if the client computer can successfully connect to Automox endpoints
    and verifies that PowerShell is configured to use TLS 1.2 or higher.
.EXAMPLE
    .\Test-AutomoxConnectivity.ps1
#>
[CmdletBinding()]
param()

#region Functions

# Helper function to display color-coded test results
function Write-Result {
    param([string]$Test, [bool]$Pass, [string]$Message)
    $status = if ($Pass) { "PASS" } else { "FAIL" }
    $color = if ($Pass) { "Green" } else { "Red" }
    Write-Host "[$status] " -ForegroundColor $color -NoNewline
    Write-Host "$Test`: $Message"
}

# Tests HTTP/HTTPS connectivity to an endpoint
# Can optionally force a specific TLS version for testing
# Returns $true if the response code matches expected codes, $false otherwise
function Test-Endpoint {
    param([string]$Url, [int[]]$ExpectedCodes, [System.Net.SecurityProtocolType]$ForceTLS)
    # Store original TLS setting to restore later
    $original = [Net.ServicePointManager]::SecurityProtocol
    try {
        # If ForceTLS parameter was provided, temporarily override the TLS setting
        if ($PSBoundParameters.ContainsKey('ForceTLS')) {
            [Net.ServicePointManager]::SecurityProtocol = $ForceTLS
        }
        # Attempt to connect to the endpoint
        $response = Invoke-WebRequest -Uri $Url -Method Get -UseBasicParsing -ErrorAction Stop
        return $response.StatusCode -in $ExpectedCodes
    } catch {
        # Some endpoints return errors but still establish connection (e.g., 403 for CDN)
        if ($_.Exception.Response) {
            $code = [int]$_.Exception.Response.StatusCode
            return $code -in $ExpectedCodes
        }
        return $false
    } finally {
        # Always restore original TLS setting
        [Net.ServicePointManager]::SecurityProtocol = $original
    }
}

#endregion

#region Main Script

# Display header
Write-Host "`n================================================" -ForegroundColor Cyan
Write-Host " Automox Connectivity Test" -ForegroundColor Cyan
Write-Host "================================================`n" -ForegroundColor Cyan

#region Smoke Test - Verify basic network connectivity before detailed testing
Write-Host "=== Network Smoke Test ===" -ForegroundColor Cyan
$endpoints = @("api.automox.com", "storage-cdn.prod.automox.com")
$smokePass = $true

# Test DNS resolution for both Automox endpoints
foreach ($endpoint in $endpoints) {
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($endpoint)
        Write-Result "DNS: $endpoint" $true "Resolved to $($ips[0].IPAddressToString)"
    } catch {
        Write-Result "DNS: $endpoint" $false "Failed to resolve"
        $smokePass = $false
    }
}

# Test basic TCP connectivity on port 443 (HTTPS)
try {
    $tcp = New-Object System.Net.Sockets.TcpClient
    $connect = $tcp.ConnectAsync("api.automox.com", 443)
    if ($connect.Wait(5000) -and $tcp.Connected) {
        Write-Result "TCP: api.automox.com:443" $true "Connection successful"
        $tcp.Close()
    } else {
        Write-Result "TCP: api.automox.com:443" $false "Connection timeout"
        $smokePass = $false
    }
    $tcp.Dispose()
} catch {
    Write-Result "TCP: api.automox.com:443" $false "Connection failed"
    $smokePass = $false
}

# If smoke test fails, abort - no point testing TLS if basic connectivity is broken
if (-not $smokePass) {
    Write-Host "`nSMOKE TEST FAILED - Check internet, DNS, and firewall settings" -ForegroundColor Red
    exit 2
}
#endregion

#region TLS Configuration Check - Verify PowerShell defaults to TLS 1.2 or higher
Write-Host "`n=== TLS Configuration ===" -ForegroundColor Cyan

# Get the default TLS protocols configured for this PowerShell session
$protocols = [Net.ServicePointManager]::SecurityProtocol

# Check if TLS 1.2 and 1.3 are enabled using bitwise AND
$hasTLS12 = $protocols -band [Net.SecurityProtocolType]::Tls12
$hasTLS13 = try { $protocols -band [Net.SecurityProtocolType]::Tls13 } catch { $false }

# Automox requires at least TLS 1.2
$isSecure = $hasTLS12 -or $hasTLS13

# Display current TLS configuration
Write-Host "Default: $protocols"
Write-Host " TLS 1.2: $(if ($hasTLS12) { 'Enabled' } else { 'Disabled' })" -ForegroundColor $(if ($hasTLS12) { 'Green' } else { 'Red' })
Write-Host " TLS 1.3: $(if ($hasTLS13) { 'Enabled' } else { 'Disabled' })" -ForegroundColor $(if ($hasTLS13) { 'Green' } else { 'Gray' })
Write-Result "TLS 1.2+ Available" $isSecure $(if ($isSecure) { "Ready for Automox" } else { "Not configured" })
#endregion

#region Connectivity Testing - Test endpoints with different TLS configurations

# Define test cases: first with default config, then forcing specific TLS versions
$testCases = @(
    @{ Label = "Default Config"; TLS = $null }                             # Test with system defaults
    @{ Label = "TLS 1.2 Forced"; TLS = [Net.SecurityProtocolType]::Tls12 } # Force TLS 1.2 only
)

# Add TLS 1.3 test if the PowerShell version supports it
try {
    $tls13 = [Net.SecurityProtocolType]::Tls13
    $testCases += @{ Label = "TLS 1.3 Forced"; TLS = $tls13 }
} catch { }

# Store results from each test case
$results = @{}

# Run connectivity tests for each configuration
foreach ($test in $testCases) {
    Write-Host "`n=== Testing: $($test.Label) ===" -ForegroundColor Cyan

    # Set up parameters for both endpoints
    # API expects HTTP 200, CDN expects HTTP 403 (no direct access without path)
    $apiParams = @{ Url = "https://api.automox.com"; ExpectedCodes = @(200) }
    $cdnParams = @{ Url = "https://storage-cdn.prod.automox.com"; ExpectedCodes = @(403) }

    # If this test case specifies a TLS version, add it to the parameters
    if ($test.TLS) {
        $apiParams['ForceTLS'] = $test.TLS
        $cdnParams['ForceTLS'] = $test.TLS
    }

    # Test both endpoints
    $apiSuccess = Test-Endpoint @apiParams
    $cdnSuccess = Test-Endpoint @cdnParams

    # Display results
    Write-Result "api.automox.com" $apiSuccess $(if ($apiSuccess) { "Connected" } else { "Failed" })
    Write-Result "storage-cdn.prod.automox.com" $cdnSuccess $(if ($cdnSuccess) { "Connected" } else { "Failed" })

    # Store results for summary
    $results[$test.Label] = @{ API = $apiSuccess; CDN = $cdnSuccess }
}
#endregion

#region Summary - Display quick overview of all test results
Write-Host "`n=== Summary ===" -ForegroundColor Cyan
foreach ($test in $testCases) {
    $label = $test.Label
    $r = $results[$label]
    $pass = $r.API -and $r.CDN # Both endpoints must pass
    Write-Host "$label`: " -NoNewline
    Write-Host $(if ($pass) { "PASS" } else { "FAIL" }) -ForegroundColor $(if ($pass) { "Green" } else { "Red" })
}
#endregion

#region Recommendation - Provide actionable guidance based on test results
Write-Host "`n=== Recommendation ===" -ForegroundColor Cyan

# Determine what worked and what didn't
$defaultWorks = $results["Default Config"].API -and $results["Default Config"].CDN
$tls12Works = $results["TLS 1.2 Forced"].API -and $results["TLS 1.2 Forced"].CDN

# Scenario 1: Everything works with default config - system is properly configured
if ($isSecure -and $defaultWorks) {
    Write-Host "System properly configured for TLS and Automox connection!" -ForegroundColor Green
    exit 0
# Scenario 2: Default config lacks TLS 1.2+, but TLS 1.2 works when forced
# This means the system CAN do TLS 1.2, it's just not configured as the default
} elseif (-not $isSecure -and $tls12Works) {
    Write-Host "ACTION REQUIRED: Update system TLS configuration" -ForegroundColor Red
    Write-Host ""
    Write-Host "Your system supports TLS 1.2 but doesn't use it by default." -ForegroundColor Yellow
    Write-Host "Automox requires TLS 1.2+ to be enabled by default." -ForegroundColor Yellow
    Write-Host ""
    Write-Host "To fix:" -ForegroundColor White
    Write-Host " 1. Install latest Windows updates" -ForegroundColor White
    Write-Host " 2. Install .NET Framework 4.7 or higher" -ForegroundColor White
    Write-Host " 3. Configure registry settings for TLS 1.2" -ForegroundColor White
    Write-Host ""
    Write-Host "Details: https://help.automox.com/hc/en-us/articles/31580534058132-Proxy-Blocks-Downloads-from-Automox-Due-to-TLS-Setting#h_01JK6PFYMRZT1VYNBHM07HD6GM" -ForegroundColor Cyan
    exit 1
# Scenario 3: Even TLS 1.2 doesn't work - likely firewall/network issue
} elseif (-not $tls12Works) {
    Write-Host "CRITICAL: Cannot connect even with TLS 1.2" -ForegroundColor Red
    Write-Host "Check firewall, proxy, or network restrictions" -ForegroundColor Yellow
    exit 1
# Scenario 4: Unknown issue - shouldn't normally hit this
} else {
    Write-Host "Configuration issues detected - review results above" -ForegroundColor Yellow
    exit 1
}
#endregion

#endregion
```
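The script above establishes that a request succeeds, but an HTTP status code does not reveal which protocol or cipher suite the endpoint actually agreed on. The following function is an added example, not part of the Automox script: it opens a TLS session to the API host named in the script with `System.Net.Security.SslStream`, reports the negotiated protocol, key exchange, cipher and hash, and evaluates them against the requirements in this document. The host name comes from the page. The numeric key-exchange identifiers (44550 for CALG_ECDH_EPHEM, 43525 for CALG_ECDH, 43522 for ephemeral DH, 41984 for static RSA) are Windows ALG_ID constants that .NET surfaces when `ExchangeAlgorithmType` has no named member for them; that mapping, and the policy applied, are this example's assumptions.

```powershell
# Added example (not from the Automox page): report the parameters a live TLS session
# negotiates and check them against the document's requirements. The ALG_ID mapping
# and the policy evaluation are assumptions of this example.
function Get-NegotiatedTls {
    param([string]$HostName = 'api.automox.com', [int]$Port = 443)

    # Windows ALG_ID values that .NET's ExchangeAlgorithmType enum has no named member for
    $kxNames = @{ 44550 = 'ECDHE'; 43525 = 'ECDH'; 43522 = 'DHE'; 41984 = 'RSA (static)'; 0 = 'None' }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Default certificate validation stays on: an untrusted chain throws during the handshake
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        try {
            # No protocol list is passed, so the OS / .NET defaults decide what is offered,
            # which is exactly the configuration this document is concerned with
            $ssl.AuthenticateAsClient($HostName)

            $protocol = $ssl.SslProtocol.ToString()
            $kxId     = [int]$ssl.KeyExchangeAlgorithm
            $kx       = if ($kxNames.ContainsKey($kxId)) { $kxNames[$kxId] } else { "ALG_ID $kxId" }
            $cipher   = $ssl.CipherAlgorithm.ToString()
            $hash     = $ssl.HashAlgorithm.ToString()

            # Policy from this document: TLS 1.2/1.3, ECDHE, AES (GCM) or ChaCha20, SHA256/384.
            # TLS 1.3 always uses ephemeral key exchange, so it passes regardless of $kx.
            # ChaCha20 has no named CipherAlgorithmType member and shows up as a number;
            # such a session is flagged for manual review rather than failed outright.
            $protocolOk = $protocol -in 'Tls12', 'Tls13'
            $kxOk       = ($protocol -eq 'Tls13') -or ($kx -eq 'ECDHE')
            $cipherOk   = $cipher -in 'Aes128', 'Aes256', 'Aes'
            $hashOk     = $hash -in 'Sha256', 'Sha384'

            [pscustomobject]@{
                Host        = "${HostName}:$Port"
                Protocol    = $protocol
                KeyExchange = $kx
                Cipher      = "$cipher ($($ssl.CipherStrength)-bit)"
                Hash        = $hash
                MeetsPolicy = $protocolOk -and $kxOk -and $cipherOk -and $hashOk
                Review      = if ($cipher -match '^\d+$') { 'Unnamed cipher id; check for ChaCha20' } else { '' }
            }
        } finally { $ssl.Dispose() }
    } finally { $client.Dispose() }
}

Get-NegotiatedTls | Format-List
```

A result of `Tls10` or `Tls11` with `MeetsPolicy = False` on a host where the page's script reports "TLS 1.2 Forced" as passing points to the same root cause the script's Scenario 2 describes: the system can negotiate TLS 1.2 but is not configured to prefer it, which the registry settings listed earlier in this document correct.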
Implementation and Remediation
Automated Remediation
Automox offers automated tools to evaluate and enforce TLS standards across your environment via the Automox Worklet Catalog.
Warning: Changing TLS standards and cipher suite order can affect Windows applications relying on SCHANNEL. Test thoroughly in a lab before broad deployment.
Manual Remediation
For manual updates, follow the Automox Knowledge Base article: Force PowerShell to Use TLS 1.2. It explains how to adjust registry and session settings to prioritize secure protocols in PowerShell and .NET Framework.
Note: These requirements align with AWS TLS standards and improve Automox platform security.
