Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

In IIS redirect browser clients that do not support TLS 1.2 to another site

Posted on 2016-11-07
3
Medium Priority
?
347 Views
Last Modified: 2016-11-08
I looking into disabling TLS 1.0 and 1.1 on our public IIS web servers but want a way to warn users that are running browser clients that don't support TLS 1.2. I was hoping IIS would have a way to redirect these users to another site hosted on a server that did support lower TLS versions that the site they were trying to go to has a few minimal requirements. I am not sure if this is possible though since the server should refuse the connection before it has a chance to redirect the client.  

If that is the case and there is no way to do this directly on the IIS server hosting the site then are there any revers proxy solutions or WAF like solutions that could provide this kind of service?
0
Comment
Question by:KPERS
3 Comments
 
LVL 29

Expert Comment

by:Dan McFadden
ID: 41878602
Unfortunately IIS cannot detect if a client browser supports a specific version of SSL/TLS.  Typically in this situation, the client browser tells the server the maximum version of the protocol(s) it supports and if the client cannot connect, the client generates and error.

You could do some check in code, but you would have to have a server where the older protocols are enabled, check the incoming protocol level and redirect to the appropriate destination server.

But I have a few questions...

1. What older OS/Browser combination are you attempting to support
2. Have you analyzed your http logs to see what browsers and OSes are hitting your site?

Dan
0
 
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 41878625
I would not advice this approach to detect and it is also not natively in the IIS as shared. The cipher list is based on preference and if you really want to have best of both worlds to support legacy clients the renegotiation can be done already as it is. Try the IISCrypto tool to set the baseline on the using the best practice. https://www.nartac.com/Products/IISCrypto

I rather you have the ideal case of supporting TLS1.2 and disabling all weak cipher instead and not try to balance to support the weaker cipher. The issue is that, if you negotiate an insecure connection, then the attackers can hijack it and take over the session. This is counter effective and would be a TLS failure.

I suggest instead to have a application aware proxy for IIS - check this out using F5 device which may have an iRule in play which redirects and also prompts with information-instruction on how to enable TLS1.2 within their browser. As of the forum they are displaying a friendly informative error page telling them why they couldn't access the site.
https://devcentral.f5.com/questions/how-do-i-restrict-tls-negotiation-to-minimum-tls-v12
0
 

Author Comment

by:KPERS
ID: 41878976
Dan to answer your question I was not intending to support these older clients and operating systems but wanted a way better way to handle non-compatible clients by either sending them to a separate page informing them of the situation and way to get in compliance so they then would be able to then access the intended page if that was possible. Worse case I would like to be able to put up a warning banner on the actual site letting them know they are out of compliance and warn them they will not be able to connect after a specific date and provide them a link to the same page I spoke of before but still give them access to the main site for a few months.

The banner of course will have to be a developer solution but was hoping I could create a rule in IIS or using a proxy solution like btan recommended to just send the client to a helper page util they are in compliance.

I did check and there are a decent amount of users sill coming in on IE8 so flat out disabling this with no alternate option will be our last option.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are many Password Managers (PM) out there to choose from. PM's can help with your password habits and routines, but they should not be a crutch you rely on too heavily. I also have an article for company/enterprise PM's.
Worried about if Apple can protect your documents, photos, and everything else that gets stored in iCloud? Read on to find out what Apple really uses to make things secure.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Suggested Courses
Course of the Month11 days, 2 hours left to enroll

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question