Security improvements: Deprecation and end of life (EOL) notices
Discontinued support for older VPN security protocols
On April 6, 2018, the modp768 encryption method for both Phase 1 Diffie-Hellman (DH) group and Phase 2 PFS group will be removed from the Skytap VPN Settings. After April 6, no new VPNs can be configured to use the modp768 DH group.
On May 4, 2018, VPNs that still use the modp768 DH group will be disabled.
If you have existing VPNs that use the modp768 DH group, you must reconfigure them. We strongly recommend that you use the modp1536 DH group.
Additional VPN changes
Also on May 4, 2018, the modp1024 DH group, the md5 Phase 1 hash algorithm, and the hmac_md5 authentication algorithm will be deprecated. Though it will still be possible to create new VPNs with these protocols, we strongly recommend that you use modp1536 DH group, sha1 hash algorithm, and hmac_sha1 authentication algorithm.
- For information about adding new VPNs, see Creating a VPN connection
- For information about editing existing VPNs, see Editing an existing VPN connection
Discontinued support for TLS v1.0
Skytap support for TLS v1.0 ends on June 6, 2017. To continue connecting to Skytap, you must ensure that your browser security, automation, scripts, and custom applications can support TLS v1.1 or v1.2. Skytap has created a temporary test domain, cloudtest.skytap.com, that you can use to test connection security.
Skytap uses Transport Layer Security (TLS) to secure the connection between your local browser and https://cloud.skytap.com. If you use a recent version of Chrome, Firefox, Safari, Microsoft Edge, or Internet Explorer 11 to access cloud.skytap.com, this change is unlikely to affect you (TLS v1.1 and v1.2 are supported by these browsers by default).
If you or your customers use Microsoft Internet Explorer 9 or 10, you won’t be able to access https://cloud.skytap.com or shared environments after June 6, 2017, unless you do one of the following:
Change the Internet Explorer browser settings to enable support for TLS v1.1 and v1.2:
- In Internet Explorer 9 or Internet Explorer 10, navigate to Tools > Internet Options > Advanced.
- Check the boxes for Use TLS 1.1 and Use TLS 1.2.
For more detailed information, see the Microsoft Developer blog post about TLS support for Internet Explorer.
Skytap-supported browsers (Chrome, Firefox, Safari, Microsoft Edge, or Internet Explorer 11) are not affected by this upgrade. TLS v1.1 and v1.2 are supported on these browsers by default.
Automation, scripting, and custom application security
If you use automation, scripting, or custom applications to interact with https://cloud.skytap.com, make sure your tooling supports TLS v1.1 or v1.2, and that it can negotiate a TLS handshake without 3DES ciphers. For example, Python v2.7.8 and older are not compatible with TLS v1.1 encryption.
In PowerShell scripts, add
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 to enable TLS v1.2 for your session.
Testing the secure connection to Skytap
Skytap has created a new temporary domain, cloudtest.skytap.com, that is already configured with the new TLS profile. We strongly recommend that you test your browser, scripts, and automation at cloudtest.skytap.com, which uses the same live production resources as https://cloud.skytap.com. Note that any changes you make on cloudtest.skytap.com will also appear on https://cloud.skytap.com.
The temporary domain, cloudtest.skytap.com, will be retired on June 6, 2017, when https://cloud.skytap.com is fully updated to use the new TLS profile.
Legacy TLS connections to Skytap
Skytap will add a second temporary domain, legacy.skytap.com, to provide temporary support for legacy TLS v1.0. This domain will become available on June 1, 2017 and will be retired on July 5, 2017, 30 days after cloud.skytap.com is fully updated to use the new TLS profile.
Discontinued support for the SmartClient Java applet
- Support for the legacy, SmartClient Java applet is discontinued. SmartClient provided access to VM desktops from older, unsupported browsers. SmartClient has been replaced by the HTML5-based Secure Remote Access (SRA) browser client, which provides access to VM desktops from all Skytap-supported browsers.
The following changes occurred due to phased out support for TLS v1.0.
Discontinued support for select macOS (Mac OS X) Remote Desktop clients
- Support for Microsoft Remote Desktop Connection Client for Mac is discontinued.
- Additionally, macOS users can no longer access VMs over SmartRDP using Microsoft Remote Desktop, version 8.0.0 or older.
Use Microsoft Remote Desktop, version 8.0.0 or newer.
Discontinued support for TLS v1.0 in older Microsoft Remote Desktop Connection Clients (Windows 7 and Windows Server 2008 R2)
- Microsoft Remote Desktop Clients on Windows 7 and Windows Server 2008 R2 can no longer access VMs over SmartRDP unless a Windows Update is installed. To download the update, see Update to add RDS support for TLS 1.1 and TLS 1.2 in Windows 7 or Windows Server 2008 R2.
Discontinued support for Internet Explorer 9 and Internet Explorer 10
- Microsoft has ended support for Internet Explorer 9 and Internet Explorer 10. Skytap will no longer test these browsers or fix bugs related to them.