Michigan Endpoint Management User Group

 View Only
  • 1.  Challenges with 7.5 CEM Internet Gateway

    Posted Jun 16, 2014 04:04 PM

    I've made the move from ITMS 7.1 to 7.5 SP1 (on our DEV system).   For the most part the upgrade went smooth.   My site servers and agents have all upgraded.  I've got agent communication now running over HTTPS and site server codebases migrated to HTTPS.   I also have Cloud Enabled Management (CEM) agent connectivity working with a few exceptions.

    When an Internernet agent (Windows 7 x64) is connected to SMP over CEM, the agent is

    1) unable to register with a task server

    2) Unable to download packages from the PS I assigned to the Default Internet Site.

    In the agent logs, it appears the agent is attempting to register with the TS and PS using the internal FQDN which of course it cannot do.  My understanding is that all communication would be tunneled via the Internet Gateway.   Even if the agent could resolve the name of the internal server to an IP, it wouldn't do any good since those servers are on the inside network.  Its possible the agent logs show the internal name even though the communication itself is being tunneled via the gateway.  however, since its not working, I don't think that is the case.

    I found one KB on an earlier version of 7.5 which seems to explain this issue but it was suposedly "fixed" although I'm not sure what that fix entaled.

    For those that have made the jump to 7.5 with CEM, did you run into this issue?

    Joe



  • 2.  RE: Challenges with 7.5 CEM Internet Gateway

    Posted Jun 16, 2014 05:04 PM

    Update:  I took a network packet trace and don't see any evidence of DNS requests from the agent for the internal FQDN.  So it appears everything is tunneling through the gateway as expected but failing for some reason.  Since its all SSL, the packet trace doesn't tell me much more.  The (modified) logs from the agent look like this (names changed to protect the innocent):

    <event date='06/16/2014 15:55:49.4120000 -04:00' severity='4' hostName='*--MY_COMPUTERNAME--*' source='HttpConnection' module='AeXNetComms.dll' process='AeXNSAgent.exe' pid='3040' thread='5916' tickCount='24858525' >
      <![CDATA[Tunnel connection using IP: *--MY_EXTERNAL_IP--*, Port: 443]]>
    </event>
    <event date='06/16/2014 15:55:49.9270000 -04:00' severity='4' hostName='*--MY_COMPUTERNAME--*' source='Client Task Agent' module='client task agent.dll' process='AeXNSAgent.exe' pid='3040' thread='5916' tickCount='24859040' >
      <![CDATA[Registering with Task Server list:]]>
    </event>
    <event date='06/16/2014 15:55:49.9270000 -04:00' severity='4' hostName='*--MY_COMPUTERNAME--*' source='Client Task Agent' module='client task agent.dll' process='AeXNSAgent.exe' pid='3040' thread='5916' tickCount='24859040' >
      <![CDATA[ Task Server: [AMTROWALTWF02.*--MY_INTERNAL_DOMAIN--*.com], Active: [false], Http: [80], Https: [443], Value: [0], Shares: [5000]]]>
    </event>
    <event date='06/16/2014 15:55:49.9430000 -04:00' severity='4' hostName='*--MY_COMPUTERNAME--*' source='Client Task Agent' module='client task agent.dll' process='AeXNSAgent.exe' pid='3040' thread='5916' tickCount='24859055' >
      <![CDATA[Attempting to register on Task Server [AMTROWALTWF02.*--MY_INTERNAL_DOMAIN--*.com] over [https].]]>
    </event>
    <event date='06/16/2014 15:55:52.4540000 -04:00' severity='1' hostName='*--MY_COMPUTERNAME--*' source='NetworkOperation' module='AeXNetComms.dll' process='AeXNSAgent.exe' pid='3040' thread='5916' tickCount='24861567' >
      <![CDATA[Operation 'Connect' failed.
    Protocol: http
    Host: *--MY_EXTERNAL_CEM_HOSTNAME--*
    Port: 443
    Path: /
    Http status: 0
    Secure: Yes
    Id: {63630F08-F04A-4A98-95D7-29B328525771}
    Error type: Connection error
    Error result: 0x80072751
    Error code: 0
    Error note: Unable to connect via secure gateway
    Error message: A socket operation was attempted to an unreachable host]]>
    </event>
    <event date='06/16/2014 15:55:52.4700000 -04:00' severity='2' hostName='*--MY_COMPUTERNAME--*' source='Client Task Agent' module='client task agent.dll' process='AeXNSAgent.exe' pid='3040' thread='5916' tickCount='24861582' >
      <![CDATA[Failed to call web interface by url [https://AMTROWALTWF02.*--MY_INTERNAL_DOMAIN--*.com:443/Altiris/ClientTaskServer/Register.aspx?resourceGuid=0051fc4c-87e0-4f9f-a030-0d9ba4d3feb4&crc=0007000500000C51&lastResort=true], error [0x80072751, A socket operation was attempted to an unreachable host.].]]>
    </event>
    <event date='06/16/2014 15:55:52.4850000 -04:00' severity='2' hostName='*--MY_COMPUTERNAME--*' source='Client Task Agent' module='client task agent.dll' process='AeXNSAgent.exe' pid='3040' thread='5916' tickCount='24861598' >
      <![CDATA[Could not register using "https://AMTROWALTWF02.*--MY_INTERNAL_DOMAIN--*.com:443/Altiris/ClientTaskServer/Register.aspx?resourceGuid=0051fc4c-87e0-4f9f-a030-0d9ba4d3feb4&crc=0007000500000C51&lastResort=true"]]>
    </event>
    <event date='06/16/2014 15:55:52.5010000 -04:00' severity='4' hostName='*--MY_COMPUTERNAME--*' source='Client Task Agent' module='client task agent.dll' process='AeXNSAgent.exe' pid='3040' thread='5916' tickCount='24861614' >
      <![CDATA[An attempt to register on Task Server [AMTROWALTWF02.*--MY_INTERNAL_DOMAIN--*.com] over [https] completed with status [FAILED (may retry)].]]>



  • 3.  RE: Challenges with 7.5 CEM Internet Gateway
    Best Answer

    Posted Jun 16, 2014 05:17 PM

    Are you able to resolve the FQDN of the site server(s) from the CEM gateway?  Are you able to successfully connect over SSL to the site server(s) from the CEM gateway (you could also use telnet to verify)?  I know in my circumstance we have an internal only DNS server and our DMZ systems are not able to reach it.  I've had to add the FQDN and internal IP's for my site servers to the hosts file in order for the gateway to talk to them.

    Also another stupid question, you added the site servers to the list server list within the CEM gateway application itself and to the default internet site, correct?



  • 4.  RE: Challenges with 7.5 CEM Internet Gateway

    Posted Jun 16, 2014 10:59 PM

    Hello there,

     

    We are in exactly the same boat but I have a little different situation.  According to our logs, it looks like we are timing out while awaiting a response from a site server.   We are currently working to enable 443 between the site box and the gateway.  According to our talks with Sym, we come in on 443, wrap the traffic at the gateway, forward traffic to the NS over 4726 and Site Servers over 443. 

     

    I'll try to write back once we've done the firewall change.

    Thanks



  • 5.  RE: Challenges with 7.5 CEM Internet Gateway

    Broadcom Employee
    Posted Jun 17, 2014 04:46 AM

    Justin asked very basic and important question: "did you add the site servers to the list server list within the CEM gateway application itself and to the default internet site". At first sight issue description looks as if that step was missed.



  • 6.  RE: Challenges with 7.5 CEM Internet Gateway

    Posted Jun 17, 2014 01:42 PM

    Justin caught me, I missed the step of defining the site servers within the gateway.  I knew you had to add the SMP there but didn't realize each site server had to be added as well.  Reviewing the steps in the admin guide again, I see a comment that this is required even though it isn't included within the detailed steps.

    I still don't have it working but some new errors in the log are pointing to a CA trust issue which I should be able to work through.  Thanks all for the quick feedback!

    PowerShell_Guru, your understanding on the port requirements is correct.  Also, make sure your site servers are showing HTTPS in the lower right of the package server tab as one of the included codebases.  If not, review the implementation steps.  There are a number of steps needed to get to that point.



  • 7.  RE: Challenges with 7.5 CEM Internet Gateway

    Posted Jun 17, 2014 05:24 PM

    All appears to be working now.  A few notes to others troubleshooting this type of issue: I'm using an internal CA to issue certs to the SMP and site servers instead of public or self-signed certs.  In this case I've learned I should add the cert manually on the site server ahead of time, otherwise SMP with act as a CA and issue / activate a cert on any Internet facing site servers.  If your client does not have the SMP CA listed as a trusted authority (I skipped those steps since my intent was to use an internal CA), agent to site server communication will fail.