How To Reorder Cipher Suites On SQL Server Before Upgrade ePO Server

After running the McAfee ePolicy Orchestrator Pre-Installation tool on an ePO 5.3.1 server, I got the following error message that needed to be addressed prior to upgrading to ePO 5.9.1:

Name: SQL Server system RSA compatibility
Description: Check whether SQL Server is compatible with RSA BSAFE upgrade to 6.2.1 which will allow to make connection with McAfee ePO with new RSA 2048-bit keys support. This check might take a little time.
Status: Failed
Result: Cipher suite order is not correct. Use Group Policy Editor to change it. See McAfee KB87731 for more information.

The solution to this issue is to reorder the cipher suites following the McAfee KB87731 article, which points to two Microsoft articles.

Reordering the ciphers manually was challenging, as the instructions provided in both Microsoft articles below were not very clear to me on how to reorder the ciphers using Windows Group Policy:

On my first attempt to reorder the ciphers I broke the SSL connection to my SQL server. After a couple of rollbacks during the upgrade of ePO I was able to identify the issue: it was the way I had reordered the ciphers. Looking for a solution I stumbled on a tool called IIS Crypto. IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2008, 2012, 2016 and 2019.

The tool is very simple to use, and I will show how to use it to reorder the ciphers with very little effort.

Note: This process requires a reboot of the SQL server, so it is important to schedule the reboot in advance.

How to reorder ciphers using IIS Crypto GUI

  • Download the tool from Nartac.
  • Next, click Save File.
  • Once the tool is downloaded, double-click on the executable.
  • On the next window, click “Run”.
  • Accept the license agreement.
  • Next on the left side, click on Cipher Suites.
  • Next click on Best Practices.
  • Finish by selecting “Reboot” and then clicking “Apply”.

Once the SQL server is rebooted, test the connectivity to the database. If you are not sure how to test connectivity to the database using a .udl file, go to this article: “How To Test Connectivity To The Database Using UDL file”.
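As an added example (not part of the original post and not IIS Crypto's own code), the PowerShell below does the checks around the GUI procedure above that I wish I had run the first time: it saves the active cipher suite order before the change so a bad reorder can be rolled back, shows the order that Group Policy currently enforces, and after the reboot tests an encrypted connection to SQL Server. It assumes the placeholder instance name in $SqlServer, that Get-TlsCipherSuite is available (Windows Server 2016 or later), and that the policy registry key below is where the Group Policy cipher suite order is stored (the same setting the GUI steps change).

```powershell
# Run in an elevated PowerShell session on the SQL Server host.
$SqlServer  = 'SQLSERVER01\MSSQLSERVER'   # placeholder, replace with your instance
$BackupFile = "$env:TEMP\cipher-order-backup-$(Get-Date -Format yyyyMMdd-HHmmss).txt"
# Assumption: this is the policy key Windows reads for the cipher suite order (value "Functions", comma-separated).
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-PolicyCipherOrder {
    # Returns the cipher suite order enforced by Group Policy, or an empty list if no policy is set.
    $value = (Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue).Functions
    if ($value) { return @($value -split ',') } else { return @() }
}

function Backup-CipherOrder {
    # Save the currently active order so a broken reorder can be undone without another ePO rollback.
    $active = (Get-TlsCipherSuite).Name
    $active | Set-Content -Path $BackupFile
    Write-Host "Active cipher suite order saved to $BackupFile ($($active.Count) suites)"
}

function Test-SqlEncryptedConnection {
    param([string]$Server)
    # Opens a TLS-encrypted connection; a bad cipher order shows up here as a handshake failure.
    # TrustServerCertificate skips certificate validation so the test isolates the cipher problem.
    # The DMV query needs VIEW SERVER STATE; without it the catch block reports the permission error.
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$Server;Database=master;Integrated Security=True;Encrypt=True;TrustServerCertificate=True;Connection Timeout=15"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID"
        $encrypted = $cmd.ExecuteScalar()
        Write-Host "Connected to $Server, encrypt_option = $encrypted"
        return ($encrypted -eq 'TRUE')
    } catch {
        Write-Warning "Connection to $Server failed: $($_.Exception.Message)"
        return $false
    } finally {
        $conn.Dispose()
    }
}

Backup-CipherOrder
$policy = Get-PolicyCipherOrder
if ($policy.Count -eq 0) {
    Write-Host 'No Group Policy cipher suite order is set (the OS default order is in use)'
} else {
    Write-Host "Group Policy cipher suite order ($($policy.Count) suites):"
    $policy | ForEach-Object { "  $_" }
}
Test-SqlEncryptedConnection -Server $SqlServer
```

Run it once before applying the IIS Crypto change to capture the backup and the starting order, and again after the reboot; a False result from the connection test means the new order broke the SSL connection and the saved list tells you what to restore.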

This concludes the procedure on how to reorder the cipher suites on the SQL server. If you have any questions or comments, please let me know.
