Configure TLS 1.2 on Windows clients accessing Azure Stack Edge Pro device

APPLIES TO: Yes for Pro GPU SKUAzure Stack Edge Pro - GPUYes for Pro 2 SKUAzure Stack Edge Pro 2Yes for Pro R SKUAzure Stack Edge Pro RYes for Mini R SKUAzure Stack Edge Mini R                  

If you are using a Windows client to access your Azure Stack Edge Pro device, you are required to configure TLS 1.2 on your client. This article provides resources and guidelines to configure TLS 1.2 on your Windows client.

The guidelines provided here are based on testing performed on a client running Windows Server 2016.

Prerequisites

Before you begin, make sure that you have access to a Windows Server client that can connect to your Azure Stack Edge device. The client should be running Windows Server 2016 or later.

Configure TLS 1.2 for current PowerShell session

Use the following steps to configure TLS 1.2 on your client.

  1. Run PowerShell as administrator.

  2. To set TLS 1.2 for the current PowerShell session, type:

    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    

Configure TLS 1.2 on client

To set system-wide TLS 1.2 for your environment, follow these steps:

  1. To enable TLS 1.2 on the clients, use the guidelines in these documents:

  2. Configure Cipher Suites.

    • Specifically Configuring TLS Cipher Suite Order

    • Make sure that you list your current cipher suites and prepend any missing from the following list:

      • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
      • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

    You can also add these cipher suites by directly editing the registry settings. The variable $HklmSoftwarePath should be defined $HklmSoftwarePath = 'HKLM:\SOFTWARE'

    New-ItemProperty -Path "$HklmSoftwarePath\Policies\Microsoft\Cryptography\Configuration\SSL\00010002" -Name "Functions"  -PropertyType String -Value ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384")
    
  3. Set elliptical curves. Make sure that you list your current elliptical curves and prepend any missing from the following list:

    • P-256
    • P-384

    You can also add these elliptical curves by directly editing the registry settings.

    New-ItemProperty -Path "$HklmSoftwarePath\Policies\Microsoft\Cryptography\Configuration\SSL\00010002" -Name "EccCurves" -PropertyType MultiString -Value @("NistP256", "NistP384")
    
  4. Set min RSA key exchange size to 2048.

Next step