F-Secure Policy Manager 13.11 and Proxy 13.11

Hi Guys,

I'm facing a small problem with my Policy Manager and my Proxies.

Currently I have a Policy Manager at Site A and I have then installed two Proxies at site B and C.

Regarding the proxies I went through this guide: https://help.f-secure.com/product.html?business/policy-manager/13.10/en/task_6653FE3CB6EA48B6B73DF0497F1190CB-13.10-en located the admin.pub file which I exported from my Policy Manager server.

So far so good.

When I now open the Policy Manager and checks the "Pending" tab, then I can see the new Proxy servers from Site B and C are pending. It also shows a new icon I haven't seen before (see photo - the two circles).

Nothing happens and they stay in there. So something tells me that the Policy Manager does have contact to the Proxy (I know they have because the normal installation for the F-Secure Server Premium went fine), but it just doesn't want to import it?

On my Policy Manager I did also set up Procies asking my clients on Site B and C to connect to the Proxy server, but it looks like it states the proxy is not pressent - see log beneath:

F-Secure Web Console

[ 8084]Wed May 23 12:17:10 2018(2):  Connecting to http://PolicyManager:80 (http://ProxyA, no HTTP proxy)...
[ 7668]Wed May 23 12:17:14 2018(3):  Database 'hydrawin' version '1527067574' db_size '14541368', free '7814410240'
[ 7668]Wed May 23 12:17:14 2018(3):  Downloaded 'F-Secure Hydra Update 2018-05-23_01' - 'hydrawin' version '1527067574' from PolicyManager, 14541368 bytes (1490 bytes downloaded)
[ 8084]Wed May 23 12:17:14 2018(2):  Update check completed successfully.
[ 7920]Wed May 23 12:18:24 2018(3):  Installation of 'F-Secure Hydra Update 2018-05-23_01' : Success
[ 8084]Wed May 23 12:47:10 2018(2):  Connecting to http://PolicyManager:80 (http://ProxyA, no HTTP proxy)...
[ 8084]Wed May 23 12:47:10 2018(2):  Update check completed successfully. No updates are available.

I did also from both the Policy Manager Server and from the Proxies verify that I can access the webinterface and check the "Health" so I know for sure the connection is okay.

What am I missing here?

Find more posts tagged with

Comments

A_Grinkevitch

> So please clearify - it is still working even though it doesn't get imported?

Yes, PMP is fully functioning, but you can not change settings, see its status and receive alerts at the PMC.

> So, why is it failing at my Proxy server - as you can see in the logs it goes straight for my Main Policy Manager?

Everything is fine with your configuration. AUA tries to fetch updates from all combinations of specified PM, PMP, HTTP Proxy addresses and on success, it is not that obvious from the log where did client successfully connect to. But on failure, description is more informative. For instance, if I switch network interface at the host with two specified PMPs, the order of AUA attempts will be the following:

Connecting to http://PM:80 (http://PMProxyA:80, http://HTTPProxy:3128/)...
Update check failed. There was an error connecting http://PM:80 via update proxy http://PMProxyA:80 via http proxy http://HTTPProxy:3128/ (DNS lookup failure)
Connecting to http://PM:80 (http://PMProxyA:80, no HTTP proxy)...
Update check failed. There was an error connecting http://PM:80 via update proxy http://PMProxyA:80 (Connection failed)
Connecting to http://PM:80 (http://PMProxyB:80, http://HTTPProxy:3128/)...
Update check failed. There was an error connecting http://PM:80 via update proxy http://PMProxyB:80 via http proxy http://HTTPProxy:3128/ (DNS lookup failure)
Connecting to http://PM:80 (http://PMProxyB:80, no HTTP proxy)...
Update check failed. There was an error connecting http://PM:80 via update proxy http://PMProxyB:80 (Connection failed)
Connecting to http://PM:80 (no BW proxy, http://HTTPProxy:3128/)...
Update check failed. There was an error connecting http://PM:80 via http proxy http://HTTPProxy:3128/ (DNS lookup failure)
Connecting to http://PM:80 (no BW proxy, no HTTP proxy)...
Update check failed. There was an error connecting http://PM:80 (Connection failed)
Connecting to fsbwserver.f-secure.com (http://PMProxyA:80, http://HTTPProxy:3128/)...
Update check failed. There was an error connecting fsbwserver.f-secure.com via update proxy http://PMProxyA:80 via http proxy http://HTTPProxy:3128/ (DNS lookup failure)
Connecting to fsbwserver.f-secure.com (http://PMProxyA:80, no HTTP proxy)...
Update check failed. There was an error connecting fsbwserver.f-secure.com via update proxy http://PMProxyA:80 (Connection failed)
Connecting to fsbwserver.f-secure.com (http://PMProxyB:80, http://HTTPProxy:3128/)...
Update check failed. There was an error connecting fsbwserver.f-secure.com via update proxy http://PMProxyB:80 via http proxy http://HTTPProxy:3128/ (DNS lookup failure)
Connecting to fsbwserver.f-secure.com (http://PMProxyB:80, no HTTP proxy)...
Update check failed. There was an error connecting fsbwserver.f-secure.com via update proxy http://PMProxyB:80 (Connection failed)
Connecting to fsbwserver.f-secure.com (no BW proxy, http://HTTPProxy:3128/)...
Update check failed. There was an error connecting fsbwserver.f-secure.com via http proxy http://HTTPProxy:3128/ (DNS lookup failure)
Connecting to fsbwserver.f-secure.com (no BW proxy, no HTTP proxy)...
Update check failed. There was an error connecting fsbwserver.f-secure.com (DNS lookup failure)

YoinkZ

Hi A-Grinkevitch,

So please clearify - it is still working even though it doesn't get imported? I need the Proxies to be on the same domain. My "Endpoint" protection on the same server got imported without any issues, so that is OK.

As you can see here:

On the Policy for Site A, I've asked the klients to look at Proxy A and if it fails then it can connect to "Main Policy Manager". So, why is it failing at my Proxy server - as you can see in the logs it goes straight for my Main Policy Manager?

A_Grinkevitch

Hi YoinkZ,

New icon in circles is the PMP icon. As you see them in the PMC, it means PMPs are up and running. Note that PMP and Server Security running at the same host are reported to the Policy Manager twice – that allows admin to separate infrastructure (PMP) and service (SS) hosts in the domain tree.
As for import problem: it might happen if you are using AD sync rules and wish to import PMP hosts to the synced domain. They will be excluded from that domain by design and will appear back in the Pending list… You must use separate non-synced domain for PMP hosts.
Log entry “Connecting to http://PolicyManager:80 (http://ProxyA, no HTTP proxy)” says that host is connecting to http://ProxyA to fetch updates. In case you specify several PMPs, host will try all of those one by one and will continue working with the first successful one. If you wish to use Proxy B at Site B, you must set it to the top of the list or even keep only one PMP record. If you wish to have the same PMP table for all sites, it is possible to specify one entry with the common name (i.e. Proxy) and at local DNS forward requests to the local PMP instances: Proxy -> ProxyA at Site A, Proxy -> Proxy B at Site B, etc.
As a positive side effect - roaming clients will also use nearest PMP: for example, notebook from Site A will connect to the Proxy B once plugged to the network at Site B.

Best regards,
Alexander