Kaseya Community

Locking down SSL and Cipher suites on VSA - 9.4

  • We recently replaced a firewall which prompted running an external scan against our network. This uncovered vulnerable cipher suites in our current Kaseya 9.4 VSA. A Google search led me to editing KaseyaEdgeServices.config from instructions for version 9.3 and experience led me to run IISCrypto. Using the recommended KaseyaEdgeServices.config did not seem to remove all the vulnerable cipher suites and disabling TLS 1.0 through IIS Crypto broke communications between the VSA and the database...so I reset everything to default.

    Is there a knowledge base article on properly removing vulnerable settings from VSA 9.4 and/or is 9.5 more secure or easier to lock down? Things have stabilized enough we will probably bite the bullet and move to 9.5 soon but I suspect the issue will still be there.

    TIA for any insight you can offer.

    Ken

  • KB: helpdesk.kaseya.com/.../115001229112

    You'll need a customized config from support -- I have yet to test this but it worked the last time we did it, and it got reset when we updated VSA. I just got this config file from support earlier last week (although it does NOT disable TLS -- unsure if you can without affecting the edge/IIS interactions):

    {
       "Kaseya":
       {
           "Application":
           {
               "ListenPorts": [ 80, 443, 5721 ],
               "RedirectHttpToHttps": true,
               "VerboseLogging": false
           },
           "Library":
           {
               "Edge":
               {
                   "TlsService":
                   {
                       "DisableSSLv3_0": true,
                       "DisableTLSv1_0": false,
                       "DisableTLSv1_1": false,
                       "DisableTLSv1_2": false,
                       "CipherList": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256"
                   }
               }
           }
       }
    }
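
An added example, not part of the thread and not Kaseya tooling: a Python script that reads the `TlsService` section of a config shaped like the one posted above and lists which protocols remain enabled and which `CipherList` entries are non-AEAD or lack forward secrecy. The function names, the shortened sample config, and treating a missing `Disable*` key as "enabled" are assumptions.

```python
import json

# Constructed sample: the TlsService flags from the config posted above,
# with CipherList shortened to four of its entries.
SAMPLE_CONFIG = """
{"Kaseya": {"Library": {"Edge": {"TlsService": {
  "DisableSSLv3_0": true,
  "DisableTLSv1_0": false,
  "DisableTLSv1_1": false,
  "DisableTLSv1_2": false,
  "CipherList": "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384"
}}}}}
"""

PROTOCOL_KEYS = {"DisableSSLv3_0": "SSLv3", "DisableTLSv1_0": "TLSv1.0",
                 "DisableTLSv1_1": "TLSv1.1", "DisableTLSv1_2": "TLSv1.2"}
LEGACY = {"SSLv3", "TLSv1.0", "TLSv1.1"}  # deprecated protocol versions


def classify_cipher(name):
    """Classify an OpenSSL-style suite name by key exchange and cipher mode."""
    parts = name.upper().split("-")
    # Suites that do not start with ECDHE/DHE use a static key exchange.
    kx = parts[0] if parts[0] in ("ECDHE", "DHE") else "static"
    # In OpenSSL naming, AES suites without GCM/CCM are CBC with an HMAC.
    aead = any(p in ("GCM", "CCM", "CHACHA20") for p in parts)
    return {"name": name, "key_exchange": kx,
            "forward_secrecy": kx != "static",
            "mode": "AEAD" if aead else "non-AEAD"}


def audit(config_text):
    """Return enabled protocols and weaker cipher entries from the config."""
    tls = json.loads(config_text)["Kaseya"]["Library"]["Edge"]["TlsService"]
    # Assumption: a protocol is enabled unless its Disable* flag is true.
    enabled = [p for k, p in PROTOCOL_KEYS.items() if not tls.get(k, False)]
    ciphers = [classify_cipher(c)
               for c in tls.get("CipherList", "").split(":") if c]
    return {
        "enabled_protocols": enabled,
        "legacy_enabled": [p for p in enabled if p in LEGACY],
        "non_aead": [c["name"] for c in ciphers if c["mode"] != "AEAD"],
        "no_forward_secrecy": [c["name"] for c in ciphers
                               if not c["forward_secrecy"]],
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_CONFIG), indent=2))
```

Running it against a copy of the config before and after an edit shows exactly what changed, which helps when a VSA update resets the file.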

  • Thanks Chris,

    It still only rates a B from SSL Labs but our external scanner doesn't report any available exploits any more.  I appreciate the help.

    Ken

  • We used the KB article helpdesk.kaseya.com/.../115001229112

    And it broke the on-prem VSA. Had to open a ticket with Kaseya and they had to redo the SSL cert and a few other things. Appears three Kaseya services no longer were able to start once we put the new config file in production and had to revert back. Even reverting back, the services did not start and the VSA was inoperable.

    Had to open a second case with Kaseya for them to review the first case and update the KB doc to include this possible issue.

    Am in waiting mode now for them to review.

  • Yes, I found with ours that TLSv1.0 is needed to communicate with the database so it cannot be disabled. In the config provided in that script you would need to change it to "DisableTLSv1_0": false,