I tried this workaround from Microsoft on ensuring certain ciphers couldn't be used:
https://technet.microsoft.com/en-us/library/security/3046015?f=255&MSPPError=-2147217396#ID0EMH
After I rebooted, and then tried to log into our MAG, Network Connect wouldn't connect. I disabled the policy, rebooted, and was able to get back in OK.
I know we're running a fairly recent build (I think 8.0R7) on our MAG VPN/SSL device. Has anyone else tested this and can confirm?
Hi,
Behind SSL there are a lot of cipher suites that can be used. You should probably review your SSL configuration and check whether the cipher suites you configured are compatible with your client.
One way to see which cipher suites the SA offers and which NC accepts is to tcpdump the traffic on the external interface and view it with SSLDump.
Or you can put your URL into https://www.ssllabs.com/ssltest/ and check which cipher suites your SA offers, but you will not see what NC tries to use.
Regards,
I tried to test this in our lab and I did not have any issues connecting with NC 8.0.
I checked the cipher suites supported and it showed the following from the SA's perspective.
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
Is it possible you have a load balancer in front of the SA device which is terminating the SSL connection?
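The tcpdump/SSLDump suggestion earlier in the thread and the SA list in this post can be combined into a quick offline check. As an added example (not code from the thread, from Juniper or from Microsoft), this Python script pulls the cipher suites out of a captured TLS ClientHello record and reports which of them the SA in this thread also advertises; the ClientHello bytes are constructed by the script itself, the code-point table is a small subset of the IANA registry, and the SA list is copied from the post above.

```python
import struct

# Cipher suites the SA advertised in the post above (copied from the thread).
SA_OFFERED = set("""
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
""".split())

# IANA code points for the suites used below (a small subset of the registry).
SUITE_NAMES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", 0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

def client_hello_suites(record):
    """Return the cipher suite names offered in one captured TLS ClientHello record."""
    ctype, _ver, rlen = struct.unpack("!BHH", record[:5])   # TLS record header
    hs = record[5:5 + rlen]
    if ctype != 22 or hs[0] != 1:                             # handshake / client_hello
        raise ValueError("not a handshake record carrying a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 2 + 32                                              # skip client_version + random
    off += 1 + body[off]                                      # skip session_id
    cs_len = struct.unpack("!H", body[off:off + 2])[0]
    codes = struct.unpack("!%dH" % (cs_len // 2), body[off + 2:off + 2 + cs_len])
    return [SUITE_NAMES.get(c, "0x%04X" % c) for c in codes]

def build_client_hello(codes):
    """Constructed ClientHello (fixed random, no session id, no extensions) standing in for a capture."""
    suites = struct.pack("!%dH" % len(codes), *codes)
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00" + struct.pack("!H", len(suites)) + suites + b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def negotiable(client_suites, server_suites=SA_OFFERED):
    # Suites both sides support, in client preference order; an empty list means the handshake fails.
    return [s for s in client_suites if s in server_suites]

if __name__ == "__main__":
    print(negotiable(client_hello_suites(build_client_hello([0x0005, 0xC02F, 0x002F]))))  # overlap exists
    print(negotiable(client_hello_suites(build_client_hello([0x0004, 0x0005]))))          # nothing in common
```

To use it on a real capture, pass the bytes of the first record the client sends after the TCP handshake (as extracted from the tcpdump output); a client whose restricted cipher order shares nothing with the SA list will never get past the ClientHello, which matches the "keeps retrying" symptom.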
No, no load balancer. We do have the MAGs clustered, but I don't see how that would matter. The NC encryption settings are set to ESP AES128/MD5, with fallback to SSL. I'm guessing it was having issues with ESP. Is our setting too low? Did you try the list from Microsoft? I cut and pasted that list to notepad, took out the line breaks, etc.
I'm going to try and test again on a different machine to see where the issue is exactly.
If ESP fails, it will fall back to SSL mode. This means it would follow the cipher suites the browser supports. I made the changes to my machine's GP and pushed the update. I am not seeing any issues connecting via NC. Are you able to connect to the SA via web browser?
Yes, no issues there, it was just with Network Connect. I'm about to retest this, we'll see what happens.
Definitely not working. We're running 8.0R6 (build 32195) of the MAG 4610. Network Connect will not connect, just keeps retrying. This is on a totally different Windows 7 box from when I posted before. Same results. (My mistake on the version, I wasn't in the office at the time so I was guessing)
I've tried changing our profile on the MAG to use higher encryption for ESP, and even disabled ESP and used SSL only. Nothing worked. I also uninstalled Network Connect and then reinstalled after every change. No go. It just won't work when applying Microsoft's settings, at least not for us on the version we are on.
Do you have an open case yet? I would like to look at the debug logs from the client machine. If you can connect via the browser, then there may be another reason why NC is not connecting.
The NC client leverages the IE browser to make the initial connection to the SA. I would assume this connection is fine if you can connect via the browser. Even if ESP failed, you should still be able to connect via SSL.
Well, it has to be this reason as when I remove the policy it works again. That's no coincidence. And it did it on two different Windows 7 computers. I can easily duplicate this. I didn't open a ticket as this was just a test for us - I just wanted to see if anyone else ran into this in testing. My worry is that a Microsoft patch will end up breaking NC in the future. Were you testing on the same firmware as us?