We are looking for confirmation on the cipher suites that can be configured on a UAG. We have TLS 1.0/1.1 disabled, so we are only using TLS 1.2. According to Using PowerShell to Deploy VMware Unified Access Gateway, and comparing to our UAG 3.0, these are the default cipher suites.
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
The connection server documentation (Default Global Policies for Security Protocols and Cipher Suites) states that the following ciphers are supported.
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
Our security team is requiring that we disable all AES 128 ciphers and only use elliptic curve (ECDHE) key exchange, which leaves us with the following.
UAG
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Connection Server
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
We've also been told that GCM is preferred as it performs better than CBC. So in a perfect world we would only use TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 but it's not one of the listed protocols for the UAG. We've found that it can be configured on the UAG but it can't be the only cipher. So I could do the following on the UAG and Connection servers but I'm unsure if this actually works.
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Our connection servers are restricted to only use TLS 1.2 and the following cipher suites.
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TL;DR
Will the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite work on a UAG?
Is it possible to only use TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 on the UAG and connection server or are a minimum of two needed?
Why do the UAG and Connection Servers support different ciphers?
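A way to check the questions above from the client side, as an added example that is not part of the original post and not VMware's own tooling: the script below takes the cipher-suite lists quoted in the post (IANA names), applies the security team's policy (ECDHE only, no AES 128), converts the survivors to OpenSSL names, and asks the local OpenSSL library (via Python's `ssl` module) whether it can express a TLS 1.2 client configuration restricted to a single suite. The `probe()` function then attempts a TLS 1.2 handshake offering only one suite at a time, so you can verify against your own UAG or Connection Server what the appliance actually negotiates instead of relying on the documentation tables. The IANA-to-OpenSSL name conversion is a small rule set written for the AES/RSA/ECDHE suites on this page (it is an assumption that it is sufficient for other families), and `uag.example.internal` is a placeholder host, not a real endpoint.

```python
import socket
import ssl

# Cipher-suite lists exactly as quoted in the post (constructed input for this example).
UAG_DEFAULTS = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
CONNECTION_SERVER = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]


def apply_policy(suites):
    """Keep only suites the security team allows: ECDHE key exchange and no AES 128."""
    return [s for s in suites if "ECDHE" in s and "AES_128" not in s]


def common_suites(a, b):
    """Suites both sides can be configured with, in the order of list a."""
    return [s for s in a if s in b]


def iana_to_openssl(name):
    """Convert an IANA suite name (TLS_..._WITH_...) to the OpenSSL cipher string name.

    Assumed rules, adequate for the AES suites on this page: drop the TLS_ prefix,
    a bare RSA key exchange has no prefix in OpenSSL, the CBC token is omitted,
    and AES is joined to its key size (AES_256 -> AES256).
    """
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError("not an IANA cipher-suite name: %s" % name)
    kx, cipher = name[4:].split("_WITH_", 1)
    kx = "" if kx == "RSA" else kx.replace("_", "-")
    out = []
    for token in cipher.split("_"):
        if token == "CBC":
            continue
        if out and out[-1] == "AES" and token.isdigit():
            out[-1] = "AES" + token
        else:
            out.append(token)
    return "-".join(([kx] if kx else []) + out)


def tls12_client_context(suites):
    """Build a TLS 1.2-only client context restricted to the given IANA suites.

    ssl.SSLError is raised by set_ciphers() if the local OpenSSL cannot satisfy the list,
    which is the offline answer to 'can this be the only cipher' from the client side.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(iana_to_openssl(s) for s in suites))
    return ctx


def openssl_accepts(suites):
    """OpenSSL names the local library enabled for the restricted context (TLS 1.3 suites excluded)."""
    ctx = tls12_client_context(suites)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def probe(host, port, suite, timeout=5.0):
    """Offer exactly one suite to host:port over TLS 1.2; return the negotiated name or None.

    Certificate verification is disabled because this is a cipher check against your own
    appliance, not a trust check; keep verification on for anything else.
    """
    ctx = tls12_client_context([suite])
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


if __name__ == "__main__":
    uag = apply_policy(UAG_DEFAULTS)
    cs = apply_policy(CONNECTION_SERVER)
    print("UAG after policy:", uag)
    print("Connection Server after policy:", cs)
    print("Common to both:", common_suites(cs, uag))
    print("Local OpenSSL, GCM only:",
          openssl_accepts(["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]))
    # Replace the placeholder host with your own UAG to see what it really negotiates.
    for s in ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"]:
        print(s, "->", probe("uag.example.internal", 443, s))
```

Running the policy over the two documented lists shows that, without adding the GCM suite to the UAG, the only suites left in common are the two CBC ones; the `probe()` loop is what tells you whether the UAG actually completes a handshake when GCM_SHA384 is the only suite offered.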