How to configure TLS Protocol Levels in TSX Gateway

Mona Lippert-Winkel
2022-12-07

TSX Gateway supports end-to-end encryption of remote sessions.
When a connection is established, the client and the TSX Gateway server negotiate which TLS protocol version and cipher suite will be used.

The PCI DSS standard no longer permits TLS 1.0 (TLSv1) for secure communication: the protocol has known weaknesses that expose it to man-in-the-middle attacks, putting the integrity and authentication of data exchanged between the server and the client at risk.
TLSv1 is therefore disabled by default in TSX Gateway since version 1.0.170.
All other TLS versions (1.1, 1.2 and 1.3) are enabled by default.

If you are running an older operating system or an outdated RDP client, the connection to the TSX Gateway server may be refused; the missing TLSv1.0 support on the server side is a likely reason.
Possible error message:

If you want to enable TLSv1 so that older RDP clients can still connect to the TSX Gateway server, you have to override the corresponding setting in the config file.
Note that this reintroduces the weakness described above and makes the server non-compliant with PCI DSS; where possible, update the client instead and keep TLSv1 disabled.

How to adapt the settings in the config file

1) Shut down the TSX Gateway services.

2) In the installation folder of TSX Gateway (by default C:\Program Files\Thinstuff\TSX Gateway)
you will find the config file TsxTsGateWay.cfg.
Open that file with a text editor of your choice (e.g. notepad.exe).

3) You will find the following lines:
..
<cipher>ALL:+HIGH:!EXPORT:!LOW:!MEDIUM</cipher>
<config>
...

To enable TLSv1, add the following line directly after the <cipher> line:
<cipher>ALL:+HIGH:!EXPORT:!LOW:!MEDIUM</cipher>
<enableTLSv1>true</enableTLSv1>
...

4) Restart the TSX Gateway server. The new setting only takes effect after the restart.

Additional information

The same config file can also be used to disable further TLS versions. Add the corresponding lines
directly under the <cipher> line to override the default behaviour of TSX Gateway:

<cipher>ALL:+HIGH:!EXPORT:!LOW:!MEDIUM</cipher>
<enableTLSv1>false</enableTLSv1>
<enableTLSv1_1>false</enableTLSv1_1>
<enableTLSv1_2>true</enableTLSv1_2>
<enableTLSv1_3>true</enableTLSv1_3>

This means TLSv1 and TLSv1.1 are disabled; only TLSv1.2 and TLSv1.3 are available. Restart the server afterwards, as in step 4 above.
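As an added example (it is not part of this article and not code shipped with TSX Gateway), the following Python script automates both procedures above and adds the check a practitioner wants afterwards: it inserts or replaces the <enableTLSv1*> lines directly after the <cipher> line in the config text, reports which protocol versions will be in effect given the defaults stated above, and, once the server has been restarted, probes the gateway port with a handshake pinned to each TLS version to confirm that TLSv1 and TLSv1.1 are really refused. The sample config fragment is constructed from the lines quoted in the article; the element names and defaults come from the article, while the config file layout beyond those lines, the gateway port and the probe routine are assumptions of this example, not product API.

```python
"""Edit and verify TSX Gateway TLS protocol settings.

Added example, not part of the Thinstuff article or product. It assumes only
what the article states: a line-oriented config file containing a
<cipher>...</cipher> line, with <enableTLSv1>, <enableTLSv1_1>, <enableTLSv1_2>
and <enableTLSv1_3> elements placed directly after it.
"""
import re
import socket
import ssl
import sys

# Element names as used in the article, in the order they should appear.
TLS_ELEMENTS = {
    "TLSv1": "enableTLSv1",
    "TLSv1.1": "enableTLSv1_1",
    "TLSv1.2": "enableTLSv1_2",
    "TLSv1.3": "enableTLSv1_3",
}

# Defaults stated in the article for TSX Gateway >= 1.0.170.
DEFAULTS = {"TLSv1": False, "TLSv1.1": True, "TLSv1.2": True, "TLSv1.3": True}

# Matches one <enableTLSv1*>true|false</enableTLSv1*> line (case-sensitive, like the article).
_ENABLE_RE = re.compile(r"^\s*<(enableTLSv1(?:_[123])?)>\s*(true|false)\s*</\1>\s*$")

# Constructed sample built from the lines quoted in the article; the real
# TsxTsGateWay.cfg contains more content around them.
SAMPLE_CONFIG = """<cipher>ALL:+HIGH:!EXPORT:!LOW:!MEDIUM</cipher>
<config>
"""

_PY_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def enabled_versions(config_text):
    """Return {version: bool} as the gateway will apply it: an explicit
    <enableTLSv1*> element overrides the documented default for that version."""
    effective = dict(DEFAULTS)
    by_element = {element: version for version, element in TLS_ELEMENTS.items()}
    for line in config_text.splitlines():
        match = _ENABLE_RE.match(line)
        if match:
            effective[by_element[match.group(1)]] = match.group(2) == "true"
    return effective


def set_tls_versions(config_text, wanted):
    """Return config_text with one <enableTLSv1*> line per version in `wanted`
    (a {version: bool} dict), placed directly after the <cipher> line. Existing
    enableTLSv1* lines are dropped first, so re-running the edit never leaves
    duplicate or contradictory settings behind."""
    unknown = set(wanted) - set(TLS_ELEMENTS)
    if unknown:
        raise ValueError(f"unknown TLS version(s): {sorted(unknown)}")
    lines = [ln for ln in config_text.splitlines() if not _ENABLE_RE.match(ln)]
    cipher_idx = next(
        (i for i, ln in enumerate(lines) if ln.lstrip().startswith("<cipher>")), None
    )
    if cipher_idx is None:
        raise ValueError("no <cipher> line found; refusing to guess where the settings belong")
    cipher_line = lines[cipher_idx]
    indent = cipher_line[: len(cipher_line) - len(cipher_line.lstrip())]
    new_lines = [
        f"{indent}<{element}>{'true' if wanted[version] else 'false'}</{element}>"
        for version, element in TLS_ELEMENTS.items()
        if version in wanted
    ]
    lines[cipher_idx + 1 : cipher_idx + 1] = new_lines
    return "\n".join(lines) + "\n"


def probe_tls(host, port, version, timeout=5.0):
    """Attempt a handshake pinned to exactly one protocol version and return
    True only if the server completed it with that version. Certificate trust
    is deliberately not checked: the question is which protocol the gateway
    negotiates, not whether its (often self-signed) certificate is trusted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ctx.maximum_version = _PY_VERSIONS[version]
    try:
        # OpenSSL 3 refuses TLS 1.0/1.1 on the client side at the default
        # security level; lower it so that a refusal can only come from the server.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # library without security levels (e.g. LibreSSL): nothing to lower
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() == version
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    hardened = set_tls_versions(
        SAMPLE_CONFIG, {"TLSv1": False, "TLSv1.1": False, "TLSv1.2": True, "TLSv1.3": True}
    )
    print(hardened)
    print(enabled_versions(hardened))
    if len(sys.argv) == 3:  # usage: script.py <gateway-host> <port>, after the restart
        for name in TLS_ELEMENTS:
            state = "accepted" if probe_tls(sys.argv[1], int(sys.argv[2]), name) else "refused"
            print(f"{name}: {state}")
```

Run the probe from a different machine than the one whose client you are trying to support, and read its result with one caveat: a Python build whose OpenSSL has TLS 1.0 or 1.1 compiled out raises ValueError when the version is pinned, and in that case the tool cannot tell you what the server would do. The config-editing functions work on text only, so apply them to a copy of TsxTsGateWay.cfg while the services are stopped and diff the result before putting it in place.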


Tags: security package error, transport layer