UCCX 10.6 Pages Does not Load in IE11 After the Installation of Microsoft KB3161608/KB3161606

Introduction

This document describes the scenarios that can result in Cisco Unified Contact Center Express (UCCX) and/or Finesse webpages not loading, depending upon which version of UCCX 10.6 is installed.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

• Windows administration
• UCCX administration and configuration

Components Used

The information in this document is based on these software versions:

•  Cisco Unified Contact Center Express 10.6(1)
• Cisco Unified Contact Center Express 10.6(1) SU1
• Windows 7 or 8
• Internet Explorer 11

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Scenario 1

• UCCX 10.6(1) base version with either Secure Hash Algorithm (SHA)1 or SHA256 certificate
• Internet Explorer (IE) 11 for Windows 7 or 8
• Install KB3161608 on Windows 7 or KB3161606 on Windows 8

Result

When you navigate to either the UCCX Web Admin or Finesse login page in IE11 results in this message being displayed "This page can’t be displayed”.

Scenario 2

• UCCX 10.6(1) SU1 with either SHA1 or SHA256 certificate
• IE11 for Windows 7 or 8
• Install KB3161608 on Windows 7 or KB3161606 on Windows 8

Result

This scenario results into this:

• UCCX Web Admin page gets loaded and allows you to log in successfully.
• Finesse login page gets loaded and allows the user to enter the credentials. However, Finesse prompts the user to accept the 7443 certificates but the page doesn't load with the same message - “This page can’t be displayed”.

Analysis

The KB's are actually a pack of updates that installs this one in particular KB3161639 Update to add new cipher suites to Internet Explorer and Microsoft Edge in Windows. As you look more closely at this KB, these two Transport Layer Security (TLS) cipher suites are added to the list of ones used by IE: TLS_DHE_RSA_WITH_AES_128_CBC_SHA and TLS_DHE_RSA_WITH_AES_256_CBC_SHA.

In Firefox these can be disabled through this procedure:

1. Navigate to about:config.
2. Search for security.ssl3.dhe in that.
3. Double click on security.ssl3.dhe_rsa_aes_256_sha and security.ssl3.dhe_rsa_aes_128_sha to set them to false.

However with IE11 there is no workaround that can be done through the browser. Instead, an administrator modifies the local or domain group policy to exclude the ciphers in the SSL configuration.

In order to modify the local policy through gpedit.msc Windows module, navigate to Computer Configuration >Administrative Tools >Network >SSL Configuration Settings >SSL Cipher Suite Order.

If the suite order is set to Disabled or Not Configured then the default order is used and block access to UCCX/Finesse. Instead, this should be set to Enabled and the cipher suite order should be modified to exclude the two ciphers mentioned above. Note the restriction that the list of ciphers are to be used, as they cannot exceed 1023 characters in length. The cipher list known to work with UCCX/Finesse 10.6 is as these:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_CK_DES_192_EDE3_CBC_WITH_MD5

The other option is to remove KB3161608 or KB3161606 from all machines that need to access Finesse or UCCX Web Admin.

This issue does not present in UCCX 10.6(1) SU2 or 11.0 as the logjam vulnerability was fixed in these versions. There is a defect associated with this issue, CSCuv89545 , which is resolved in UCCX 10.6 SU1 ES02 and SU2. A related defect, CSCuu82538 , is resolved in virtual machines running Red Hat Enterprise 6 as the guest OS.

Note: A similar update for Windows 10 (KB3163018) also causes this issue to occur in UCCX version 10.6 and 10.6 SU1 when using IE11. However, Windows 10 is not a supported operating system for these versions of UCCX and should not be used. When Windows 10 is used, the issue can be resolved if you use Firefox, upgrade UCCX to version 10.6 SU2 or remove the KB update