To stay updated on your favorite discussions, please create an account or log in. Then, click the Bookmark icon to subscribe and receive notifications.

How to manually set the WithSecure Client Security Update server

rdpk07
rdpk07 W/ Member Posts: 8 Security Scout

Hello all,

How to manually set the WithSecure Client Security Update server to to lets say 'guts2.fsapi.com' for example?

Kind regards,

rdpk07

Tagged:

Answers

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 508 Moderator

    Hi @rdpk07 ,

    Thank you for contacting WithSecure Community.

    Did you mean to change to a different Policy Manager Server address ?

    Or do you want the hosts to retrieve updates from a different proxy ?

  • LiselotteP
    LiselotteP W/ Staff, W/ Community Manager Posts: 266 Community Manager

    Hi @rdpk07, were you able to solve this query? Do let us know if you need any help!

  • rdpk07
    rdpk07 W/ Member Posts: 8 Security Scout
    edited November 2023

    Hello @JamesC,

    I would like to manually set the update server of an installed WithSecure Client Security to 'guts2.fsapi.com' WithSecure update server!

  • Sethu Laks
    Sethu Laks W/ Partner, W/ Staff, W/ Moderator Posts: 216 Moderator
    edited November 2023

    Hi @rdpk07

    According to our R&D team, the Client Security is designed to retrieve definitions from the Policy Manager (PM) or Policy Manager Proxy (PMP). In most cases, overriding the guts2 address should not be necessary. However, if you have valid reasons to do so, here's how you can handle it depending on the version you are using:

    For version 15.x, you can utilize the guts2ServerUrl. To add the additional java arg in the PM machine, navigate to HKEY_LOCAL_MACHINE\SOFTWARE(Wow6432Node)\Data Fellows\F-Secure\Management Server 5\additional_java_args and include the following: -Dguts2ServerUrl=https://guts2.fsapi.com/

    For PM version 16.x, the recommended property to use is wsGuts2RootServerUrl. Create the following string registry key: \HKEY_LOCAL_MACHINE\SOFTWARE\WithSecure\Policy Manager\Policy Manager Server\additional_java_args specify the Java system properties in the following format with the value:

    -DwsGuts2RootServerUrl=https://guts2.fsapi.com/

    • It's important to note that in the latest version (16.x), wsGuts2ServerUrl serves a slightly different purpose. It allows you to specify an alternative WithSecure GUTS2 server for fetching updates. If you switch your Policy Manager/Policy Manager Proxy to Beta/CI, you should use this property in combination with wsGuts2RootServerUrl. Clients will continue to use the default value for internet fallback unless specified otherwise.

    If you need to specify an upstream PM/PMP for this property, make sure to format it as 'https://<PM or PMP address>/ws-guts2'.

    I hope this information helps clarify the usage of these properties. If you have any further questions or concerns, please let us know.

    Best regards,
    Sethu
    Community Moderator | Technical Support Engineer
    WithSecure™ https://www.withsecure.com/en/home

  • rdpk07
    rdpk07 W/ Member Posts: 8 Security Scout

    Hello Sethu,

    This is the current situation with the WithSecure Client Security 16.00 client:

    I can't find in registry any registry value set to https://guts2.fsapi.com

    Where does the WithSecure Client Security stores the value of the Update server?

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 508 Moderator

    Hi @rdpk07

    Thank you for the reply.

    May I know the reason you want to change this ? Is this host in an offline environment or isolated host ?

  • rdpk07
    rdpk07 W/ Member Posts: 8 Security Scout

    Hi @JamesC,

    Thank you for your reply.

    The host is an online environment.

    There is installed Policy Manager 15.20, but for some reason the WithSecure Client Security Update server was set automatically to https://guts2.fsapi.com after the installation of WithSecure Client Security 16.00.

    So I was wondering where does WithSecure Client Security 16.00 keeps the string value of the Update server.

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 508 Moderator

    Hi @rdpk07 ,

    Are you trying to understand why it has different server than your Policy Manager Server , and disable the fallback to GUTS2 ?

    So to answer your previous question, the settings settings are not stored locally on Client Security registry.

    They are stored in our settings service, which is stored on the Policy Manager and duplicated on the local machine in the service files.

    Even if you change the setting locally on the machine, it will return back once machine is connected to Policy Manager, so there is no point to try to find the setting value on the machine.

    But give me some time as I am checking with our product developer.

  • AleksandrG
    AleksandrG W/ Staff, W/ Product Leadership Posts: 75 W/ Product Leadership

    Hi @rdpk07,

    Client Security requires Policy Manager of the same version or newer to function properly. By design Policy Manager will not allow you to import Client Security installation package of the unsupported version, but if you somehow succeed to upgrade the client before the server (i.e. by exporting CS MSI from another Policy Manager instance), that might explain why Client Security 16.00 is not connecting to Policy Manager 15.20 and thus falls back to the https://guts2.fsapi.com

    If the Policy Manager is already upgraded to the 16th version, but client still refuses to connect it, worth checking another possible misconfiguration reason: it is now required to have Policy Manager server address defined at the Root domain level.

  • rdpk07
    rdpk07 W/ Member Posts: 8 Security Scout

    Hello @AleksandrG,

    That's the case - I've exported CS MSI from another Policy Manager 16 instance.

    I want to know where does the CS 16 takes the falls back value of https://guts2.fsapi.com and where it is stored - in a registry key or in .ini file or whatever else?

  • AleksandrG
    AleksandrG W/ Staff, W/ Product Leadership Posts: 75 W/ Product Leadership

    @rdpk07, by upgrading CS before the PM you actually lost the client manageability and you must upgrade the Policy Manager to restore it back.

    Default value is hardcoded and can be overridden from the Policy Manager only using the wsGuts2RootServerUrl Java system property (explained by @Sethu Laks earlier). But again, to pass it to the managed client you must upgrade Policy Manager upgrade to the latest version for at least 2 reasons:

    • 15.x versions do not support wsGuts2RootServerUrl override
    • Managed clients are checking PM/PMP version for the compatibility before making any other calls, thus won't receive the override

  • rdpk07
    rdpk07 W/ Member Posts: 8 Security Scout
    edited November 2023

    Hello @AleksandrG,

    Sometimes I have the following problem:

    Let's say I have installed PM 16. After that I export CS 16 MSI from PM 16. After that I install the CS 16 MSI on the same machine.

    When I start CS 16 and go to Settings > Update, the Update server points to: wait.pmp-selector.local/ws-guts2

    So I was wondering if I want to change the Update server to https://guts2.fsapi.com , how to do that or how to change the Update server to https://localhost/ws-guts2!

  • Sethu Laks
    Sethu Laks W/ Partner, W/ Staff, W/ Moderator Posts: 216 Moderator

    Hi @rdpk07

    »after that install the CS16 MSI to the same machine on which is installed the PM16,«

    Did you install both the Client Security 16 and Policy Manager Server 16.01 on the same machine? It is crucial to note that the Policy Manager Server is officially supported only on server editions. You can refer to the system requirement information for further details here.

    »I was wondering how to change the Policy manager server to point to http://localhost/ws-guts2/or to https://guts2.fsapi.com/ ?«

    Firstly, please ensure that the WithSecure Policy Manager Server address is correct/accurate and updated in the policy manager server prior to exporting the Client Security MSI.

    If you have already updated the correct PMS (Policy Manager Server) address, you should be able to view the PMS address during the export MSI process from Policy Manager.

    Moreover, please ensure that the host communication ports (usually TCP 80 and 443 by default) are actively listening.

    If none of the previously mentioned solutions resolved your issue, we kindly request that you provide us with the wsdiag logs for further investigation. To facilitate this process, please contact our WithSecure support team and provide them with the wsdiag logs for a more in-depth analysis of the situation.

    Best regards,
    Sethu
    Community Moderator | Technical Support Engineer
    WithSecure™ https://www.withsecure.com/en/home