FS Policy Manager 13 Proxy - Software updates

tomczaki
tomczaki Posts: 15 Security Scout

Hello

My F-SecurePM infrastructure after the upgrade to PM13 is: a central FSPM13.00 server and a few FSPMProxy13 servers (CentOS) at Branch Offices (as shown in the admin guide https://help.f-secure.com/product.html#business/policy-manager/latest/en/concept_4EF977315A09441EAC0838F4A1C3A8F8-latest-en)

 

Question about Centralized management of Policy Manager Proxy and Software Updates

The Branch Office (BO) has its own FSPMProxy13, which is visible as a new icon in the Central FSPM13 tree. Hosts in the Branch Office have FSCSPrem13.00. In FSPM13 I've set AutomaticUpdates for hosts in this BO to the local FSPMProxy13, and Software Updates to 'From AUA configuration' (= local FSPMProxy13).

 

So if for these hosts the setting 'Download software updates from Policy Manager' is set to 'Always' or 'If possible', will clients download these updates using FSPMProxy13 or directly from FSPM13 (Central PM)?

 

Here is the help text explaining the setting 'Download software updates from Policy Manager':

This setting defines if managed hosts should download software update packages for third-party software from Policy Manager.
 The default setting is to try to download the update package from Policy Manager first, and if the package is not available there, the host downloads it from the Internet. If you select “Always”, managed hosts do not connect to the Internet even if the update package is not available from Policy Manager. If you select “Never”, managed hosts always download the update packages from the Internet. This setting only applies to hosts connected to Policy Manager.

Object identifier: 1.3.6.1.4.1.2213.59.1.70.100

Comments

  • A_Grinkevitch
    A_Grinkevitch Posts: 169 Threat Terminator

    Hello tomczaki,

    Clients download Software updates from the Policy Manager Proxy (in your case local FSPMProxy13), but Software updates DB is downloaded directly from the Master Policy Manager.

     

    Alexander

  • tomczaki
    tomczaki Posts: 15 Security Scout

    Software updates DB - is it just a list of updates that FSPMS/FSPMProxy can download and clients can install?

     

    I've run a Report at the local FSPMProxy13, and there are no Downloaded updates, no Distributed updates, no Used Space

    Maybe I set something wrong?

    Clients, PMS and PMProxy are at version 13.00. Software Updates are enabled and set to If possible, install Critical updates, Daily, at 12:00, Force restart. In advanced view - Communication - Use HTTP - From AUA config. In AUA there is one Policy Manager Proxy http://IP_Addres_local_FSPMProxy13, Enabled, 443

    Is it OK?

     

  • A_Grinkevitch
    A_Grinkevitch Posts: 169 Threat Terminator

    Software updates DB - yes, exactly what Clients can install.

     

    Your configuration seems to be ok. Empty counters also may be explained: for instance software on your hosts did not have critical updates since proxy installation. To make sure configuration is ok, you can check c:\ProgramData\F-Secure\Logs\fsoftupd\fssua.log and search for "Preparing to download patches from Policy Manager".

    If you see that there were deployments and updates were downloaded from the internet, please collect fsdiags from PM, PMProxy and Client computers - I will check for the reason.

     

  • tomczaki
    tomczaki Posts: 15 Security Scout

    In FSPMServer -> Automatic Updates (Settings), should "Use HTTP Proxy" be checked? User defined or From browser?

    In Remote Offices I don't have/don't use any proxies for the internet connection

  • A_Grinkevitch
    A_Grinkevitch Posts: 169 Threat Terminator

    You can use any you wish. AFAIK, AUA falls back to a direct connection if the connection via HTTP proxy fails. In the case of remote offices, I'd prefer From browser - it will avoid unnecessary attempts to use HTTP proxies.

     

  • tomczaki
    tomczaki Posts: 15 Security Scout

    I've got a problem with getting AV updates on hosts from PMProxy. I'm testing different configurations with the local PMProxy13; hosts have these settings:

    1st - Use HTTP Proxy: NO, unchecked

    2nd - Use HTTP Proxy: From Browser

    Both have the two fields "Allow falling back to PMS/FSecure Update" unchecked

     

    and these hosts have virus definition version 2017-11-13_3 (just after the upgrade to FSCSPremium13)

    - How can I check where these hosts try to download AV updates from?

    - How can I check the date of the downloaded signatures at the local PMProxy13? The Report shows Installation packages 82MB, Software Updater 2017-11-15, Downloaded 7GB, Distributed 29GB

  • tomczaki
    tomczaki Posts: 15 Security Scout

    More questions:

    - on clients (Windows), where are the logs of connections to PMProxy, FSecure update, PMServer?

    - on PMProxy (Linux), where are the client connection logs?

  • A_Grinkevitch
    A_Grinkevitch Posts: 169 Threat Terminator

    Each end-point logs AUA activity to the file c:\ProgramData\F-Secure\Logs\FSAUA\fsaua.log. It has entries like:

    Connecting to http://PMProxy13/guts2/ (no http proxy)
    Update check completed successfully. No updates are available.

     

     

    Policy Manager Proxy reports own status to the Policy Manager, select your PMProxy13 host in the domain tree, switch Status page to the Advanced view and find F-Secure Policy Manager Proxy -> Statistics -> Virus definitions. It contains DB version on PMP host, release date of last update and used disk space (separately for old BackWeb protocol and new GUTS2).

    You can also check downloaded content at PMP host c:\Program Files (x86)\F-Secure\Management Server 5\data\guts2\updates at Windows or /var/opt/f-secure/fspms/data/guts2/updates at Linux.

    If you notice old DB versions or empty folders, check for the reason in fspms-download-updates.log (c:\Program Files (x86)\F-Secure\Management Server 5\logs or /var/opt/f-secure/fspms/logs).

     

    Notice: GUTS2 updates are downloaded on-demand, so if clients did not request updates, PM does not download them.

     

     

    Policy-status related activities on end-points are logged to c:\ProgramData\F-Secure\Logs\fspmsupport\nrb.log

     

    Client requests at PM/PMP side are logged to request.log (c:\Program Files (x86)\F-Secure\Management Server 5\logs or /var/opt/f-secure/fspms/logs).

  • tomczaki
    tomczaki Posts: 15 Security Scout

    I can't find the file FSAUA\fsaua.log - win10

     

    I've got these logs:

    [ 1612]Fri Nov 17 09:23:02 2017(2):  Connection to PMS denied without PMProxy by policy (1)
    [ 1612]Fri Nov 17 09:23:02 2017(3):  Update check failed. There was an error connecting http://IP_PMS/guts2/ (Unspecified error) - because I deny that traffic
    [10144]Fri Nov 17 09:23:02 2017(3):  Connecting to http://IP_PMSPROXY13_local/guts2/ (no http proxy)
    [ 1612]Fri Nov 17 09:23:03 2017(3):  Update check failed. There was an error connecting http://IP_PMSPROXY13_local/guts2/ (Connection refused)

     

    Then in PMS I changed the PMProxy IP address format to http://IP_PMSPROXY13_local:443

    Logs:

    [11160]Fri Nov 17 09:33:28 2017(3):  Connecting to http://IP_PMSPROXY13_local:443/guts2/ (no http proxy)
    [ 1612]Fri Nov 17 09:33:28 2017(3):  Update check failed. There was an error connecting http://IP_PMSPROXY13_local:443/guts2/ (Connection lost)

     

    Updates don't work

  • tomczaki
    tomczaki Posts: 15 Security Scout

    We have found the problem

    http://IP_PMSPROXY13_local:443 - works

    http://IP_PMSPROXY13_local - doesn't work, no FS Page

     

    Run this script at PMSPROXY13_local:

    /opt/f-secure/fspms/bin/fspms-config

    and in: Configure the ports for the Policy Manager Proxy

                   Host module HTTP [2]: 'empty was'

     

    So I changed it to 80 and saved all the other settings without any changes.

    Success. Hosts are connecting to PMProxy.

    (Attached screenshots: "http port: 2" and "log".)

  • A_Grinkevitch
    A_Grinkevitch Posts: 169 Threat Terminator

    If the file c:\ProgramData\F-Secure\Logs\FSAUA\fsaua.log does not exist on your Win10, it seems that F-Secure Automatic Update Agent was never started on that host.

    Connection refused means that the port you are trying to connect to is not actually open. So, either you are connecting to the wrong IP address, or to the wrong port. Please check the value of HttpPortNum in the registry key HKLM\SOFTWARE\Wow6432Node\Data Fellows\F-Secure\Management Server 5 (Windows) or hostModulePort in /etc/opt/f-secure/fspms/fspms.conf (Linux) at your PMSPROXY13. If it is not 80, you must specify it in the PM Proxy address, for example: http://IP_PMSPROXY13_local:88
    Also, please make sure that the PMP services have started. For that, please check fspms-stderrout.log in the logs folder and see if the last event is "cff.PolicyManagerProxyStarter:main: Started @... ms"; otherwise check the same log for errors.

    443 is the HTTPS port and that is the reason why an HTTP connection to this port fails.

  • A_Grinkevitch
    A_Grinkevitch Posts: 169 Threat Terminator

    Indeed, problem was in HTTP port, it was listening on 2, but connection attempts were to port 80. Great that you fixed your environment!
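
The troubleshooting in this thread can be run over a whole fsaua.log at once. The following is an added example, not part of the original posts and not F-Secure code: it parses lines in the format quoted above and attaches the cause named in the replies to each failed update check. The hostname `pmproxy.example` and the function names are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the line format quoted in the thread (hostname is a placeholder).
SAMPLE_LOG = """\
[ 1612]Fri Nov 17 09:23:02 2017(3):  Update check failed. There was an error connecting http://pmproxy.example/guts2/ (Connection refused)
[11160]Fri Nov 17 09:33:28 2017(3):  Connecting to http://pmproxy.example:443/guts2/ (no http proxy)
[ 1612]Fri Nov 17 09:33:28 2017(3):  Update check failed. There was an error connecting http://pmproxy.example:443/guts2/ (Connection lost)
[ 1612]Fri Nov 17 10:02:11 2017(3):  Connecting to http://pmproxy.example/guts2/ (no http proxy)
[ 1612]Fri Nov 17 10:02:12 2017(3):  Update check completed successfully. No updates are available.
"""

# "[ pid]timestamp(level):  message"
LINE = re.compile(r"^\[\s*\d+\](?P<ts>.+?)\(\d+\):\s+(?P<msg>.*)$")
FAILED = re.compile(
    r"Update check failed\. There was an error connecting (?P<url>\S+) \((?P<err>[^)]*)\)"
)


def hint_for(url, err):
    """Map a failed update URL and error text to the causes named in the thread."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if parts.scheme == "http" and port == 443:
        return "443 is the HTTPS port; plain HTTP to it fails"
    if err == "Connection refused":
        return f"nothing listening on port {port}; compare with hostModulePort / HttpPortNum"
    return "check fspms-stderrout.log on the proxy"


def diagnose(log_text):
    """Return (timestamp, url, error, hint) for every failed update check."""
    findings = []
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        failed = line and FAILED.search(line["msg"])
        if failed:
            url, err = failed["url"], failed["err"]
            findings.append((line["ts"], url, err, hint_for(url, err)))
    return findings


if __name__ == "__main__":
    for ts, url, err, hint in diagnose(SAMPLE_LOG):
        print(f"{ts}  {url}  ({err}) -> {hint}")
```
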

This discussion has been closed.
