How to get an A+ from Qualys SSLLabs on your Horizon UAG deployment.


After a recent deployment of VMware’s Universal Access Gateway appliance (v3.3.0), it seems that, out of the box, this appliance gets a B grade from SSLLABS.COM. Obviously you want to make sure you get an A rating from a security perspective, so here are the steps we took to achieve an A+ rating on the Qualys SSL server test.


If you log into the UAG and go to Advanced System Settings, the first option you can change is Honor Cipher Order. The default selection will get you a B grade, with the following warning message in the report.

Changing the Honor Cipher Order to YES will get rid of this Forward Secrecy grade cap.


The next issue is the weak cipher suites as noted in the grade cap below.

You can also change those in the UI, in the field right above Honor Cipher Order, by pasting the following as a single line with no line breaks:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

If you follow these two steps on each of your UAGs in the environment, you will have successfully bumped your Qualys grade from a B to an A+.
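An offline sanity check of the cipher string before it goes into the UAG field, added here as an example and not part of the original post: it strips stray line breaks, flags suites without forward secrecy, and checks the order the server will enforce once Honor Cipher Order is YES. The weak-token list, the AEAD-before-CBC ordering rule, the `LEGACY` sample and the `openssl_name` helper are assumptions of this example, not SSL Labs' grading logic.

```python
import re

# Cipher list from the post, pasted with the line break left in.
PASTED = """TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"""

# Constructed sample of a list that still carries legacy suites (not from the post).
LEGACY = "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,SSL_RSA_WITH_3DES_EDE_CBC_SHA"

WEAK_TOKENS = ("3DES", "RC4", "NULL", "EXPORT")  # assumption: short illustrative list


def normalize(text):
    """Strip all whitespace (including the line break) and return suites in order."""
    return [s for s in re.sub(r"\s+", "", text).split(",") if s]


def audit(text):
    """Return (suite, finding) pairs; an empty list means nothing was flagged."""
    findings, cbc_seen = [], False
    for name in normalize(text):
        head, sep, cipher = name.partition("_WITH_")
        if not sep or not head.startswith(("TLS_", "SSL_")):
            findings.append((name, "unrecognized"))  # includes TLS 1.3 names (no _WITH_)
            continue
        key_exchange = head.split("_", 1)[1]
        if not key_exchange.startswith(("ECDHE_", "DHE_")):
            findings.append((name, "no-forward-secrecy"))
        if any(tok in cipher for tok in WEAK_TOKENS):
            findings.append((name, "weak-cipher"))
        if "_GCM_" in cipher or "CHACHA20" in cipher:
            if cbc_seen:  # with server order honored, AEAD should come before CBC
                findings.append((name, "aead-after-cbc"))
        elif "_CBC_" in cipher:
            cbc_seen = True
    return findings


def openssl_name(name):
    """IANA -> OpenSSL name; this rule only covers ECDHE/AES suites like the post's."""
    n = name.split("_", 1)[1].replace("_WITH_", "_").replace("_CBC", "")
    return re.sub(r"AES_(\d+)", r"AES\1", n).replace("_", "-")


if __name__ == "__main__":
    print("single line for the UAG field:", ",".join(normalize(PASTED)))
    for label, text in (("post", PASTED), ("legacy", LEGACY)):
        print(label, audit(text) or "clean")
    print([openssl_name(s) for s in normalize(PASTED)])
```

The OpenSSL-style names it prints can be passed to `openssl s_client -tls1_2 -cipher <name>` against your own UAG to confirm which suites it still accepts after the change.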

Thanks to my client (you know who you are) who helped me to figure this out.

CARLO
