
policy manager can not be accessed in fsecure 12.4 (administration module - a connection with the se

noknowhow
noknowhow Posts: 7 Security Scout

I have problems accessing the policy manager. I tried to reconfigure the port as shown and restarted the services, but the problem persists. Any ideas?

fsecure.png

 

Comments

  • Ben
    Ben Posts: 664 Cybercrime Crusader

    Hi, 


    can you confirm that port 8087 is not used by any other service?
    Did you try changing the port already?

  • noknowhow
    noknowhow Posts: 7 Security Scout

    same problem here on different portdx.png

  • noknowhow
    noknowhow Posts: 7 Security Scout

    Sorry for the long reply time .. been busy on other customers,

    Yes, as stated above and again below, I can confirm that the ports are not in use, and I also tried changing them from the former 8085 to 8087. A quick try on 80 and 81 for the administration module also achieved nothing.

  • MJ-perComp
    MJ-perComp Posts: 669 Firewall Master

    Having another look at your screenshots, all look nice, except that I do not see
    1) if the firewall is open for 8085 (8087)
    2) Your status is trying to connect to DC01 instead of 127.0.0.1.. the port is not bound to the external IP.
    So rerun the setup and choose "change settings" to allow administration from other PC.

    Remember these:
    12.40 is introducing https so by default you need 80, 443, 8080 and 8081

    80 and 443 are for Host -> Server communication. Ports must be open at the firewall of the server

    8080 is by default limited to local access and is used for PMC -> PMS communication
    8081 is WebReporting


    So please try to connect to these ports using a standard browser with proxy settings = none.
    e.g. https://<ip of server>:443. What is the output?

     

    Changing port 443 is a bit tricky, as Clients need to learn about that change through the policy, which they might expect to receive on Port 443. Try to stick with that port.

  • Vad
    Vad Posts: 1,069 Cybercrime Crusader

    Hello Matthias, noknowhow,

     

    Small correction. Default HTTPS port is 443.

     

    Best regards,

    Vad

  • MJ-perComp
    MJ-perComp Posts: 669 Firewall Master
    changed that to 443. thanks for the correction.
  • A_Grinkevitch
    A_Grinkevitch Posts: 169 Threat Terminator

    Hello noknowhow,

    Could you please check jetty.request.log in c:\Program Files (x86)\F-Secure\Management Server 5\logs\

    Requests from the Status monitor should be logged like:

    127.0.0.1 - - [date:time +offset] "GET https://localhost:8087/fspms/version HTTP/1.1" 200 11 "-" "FSMS_STATUS_QUERY"

    127.0.0.1 - - [date:time +offset] "GET https://localhost:8083/web-reporting/version HTTP/1.1" 302 0 "-" "FSMS_STATUS_QUERY"

    127.0.0.1 - - [date:time +offset] "GET /fsms/fsmsh.dll/?FSMSCommand=GetVersion HTTP/1.1" 200 - "-" "FSMS_STATUS_QUERY"

    127.0.0.1 - - [date:time +offset] "GET /fsms/fsmsh.dll/?FSMSCommand=GetVersion HTTP/1.1" 200 - "-" "FSMS_STATUS_QUERY"

     

    Please copy-paste it here.

    Also you can check what the status code is for the https://localhost:8087/fspms/version request (200 in my example) and check other logs for exceptions that happened at the same time. If this entry does not exist in the log, that might be a firewall issue.

    Also, one idea is to set RestrictLocalhost to 0 in the registry (with PMS service restart) and try again. Status monitor might reach Policy Manager via external interface while according to your registry only connections from localhost are allowed.
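
The log check described in the post above, as an added example that is not part of the original thread: it filters a Jetty request log for `FSMS_STATUS_QUERY` entries and reports what the admin-module query (`/fspms/version`) returned. The sample lines are constructed in the format the post quotes, and the function names and the loopback address set are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in the format quoted in the post (timestamps and host name are made up).
SAMPLE_LOG = '''\
127.0.0.1 - - [05/Nov/2017:23:07:01 +0100] "GET https://localhost:8087/fspms/version HTTP/1.1" 200 11 "-" "FSMS_STATUS_QUERY"
127.0.0.1 - - [05/Nov/2017:23:07:01 +0100] "GET https://localhost:8083/web-reporting/version HTTP/1.1" 302 0 "-" "FSMS_STATUS_QUERY"
127.0.0.1 - -[05/Nov/2017:23:07:02 +0100] "GET /fsms/fsmsh.dll/?FSMSCommand=GetVersion HTTP/1.1" 200 - "-" "FSMS_STATUS_QUERY"
192.168.100.88 - - [05/Nov/2017:23:07:58 +0100] "GET https://dc01.example:8082/host-module/fsms/fsmsh.dll?FSMSCommand=GetPackage HTTP/1.1" 304 0 "-" "F-Secure Network Request Broker"
'''

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ ?\[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$')

ADMIN_PATH = "/fspms/version"                 # admin-module check named in the post
LOOPBACK = {"127.0.0.1", "::1", "0:0:0:0:0:0:0:1"}  # assumed loopback spellings

def status_queries(log_text):
    """Return {path: {"ports", "clients", "statuses"}} for FSMS_STATUS_QUERY requests."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["agent"] != "FSMS_STATUS_QUERY":
            continue  # host traffic and unparsable lines are ignored
        url = urlsplit(m["target"])
        entry = seen.setdefault(
            url.path, {"ports": set(), "clients": set(), "statuses": Counter()})
        if url.port:
            entry["ports"].add(url.port)
        entry["clients"].add(m["client"])
        entry["statuses"][int(m["status"])] += 1
    return seen

def diagnose(log_text):
    """Summarise the admin-module status query the way the post asks the reader to."""
    admin = status_queries(log_text).get(ADMIN_PATH)
    if admin is None:
        return ["no admin-module status query logged; check the firewall"]
    findings = []
    bad = sorted(code for code in admin["statuses"] if code != 200)
    if bad:
        findings.append(f"admin module answered with {bad} on port(s) {sorted(admin['ports'])}")
    if admin["clients"] - LOOPBACK:
        findings.append("status query arrived from a non-loopback address")
    return findings or ["admin-module status query OK"]

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```
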

  • Rob-K
    Rob-K Posts: 33 Junior Protector

    Hi,

     

    try a telnet on the specified port when the PM services are not running.

    If you get a connection, the port is already used by a different application.

     

    format:

    telnet fqdn portnumber

     

     

     

  • noknowhow
    noknowhow Posts: 7 Security Scout

    as a result i get in the last jetty_2017_11_05.request.log.1 some lines like the following 2 lines

    192.168.100.88 - - [05/Nov/2017:23:07:58 +0100] "GET https://dc01.elora.intern:8082/host-module/fsms/fsmsh.dll?FSMSCommand=GetPackage&Type=4&Identity0=50a2937c-9e70-e211-a059-008cfa3d08ea&Counter=11 HTTP/1.1" 304 0 "-" "F-Secure Network Request Broker"
    192.168.100.88 - - [05/Nov/2017:23:07:58 +0100] "POST https://dc01.elora.intern:8082/host-module/fsms/fsmsh.dll?FSMSCommand=UploadPackage&Type=5&Identity0=50a2937c-9e70-e211-a059-008cfa3d08ea HTTP/1.1" 200 8 "-" "F-Secure Network Request Broker"

     

    I switched to 8085 meanwhile and even restarted the whole machine ...

    doing a https://localhost:8085/fspms/version comes up with a nearly white page showing only

    13.00.83038
    as I updated from version 12.4 to 13 ... but still the output of policy manager is
    the same as above

    Administration Module
    HTTP Port : 8085
    Status : a connection with the server cant be established


     

  • noknowhow
    noknowhow Posts: 7 Security Scout

    doing https://<ip of server>:443. the output directs me to the login of the Outlook Web access ... as required while using https://<ip of server>:8085 comes up with a login for f-secure. after login

    F-Secure Policy Manager Server

    Wenn diese Meldung angezeigt wird, ist F-Secure Policy Manager Server installiert und funktioniert ordnungsgemäß. Sie können nun über die F-Secure Policy Manager-Konsole eine Verbindung herstellen.

    Der Host-Schnittstellenstatus von F-Secure Policy Manager Server kann hier überprüft werden.

    Berichte können mithilfe der F-Secure Policy Manager Web-Berichterstellung angezeigt werden.

    Der öffentliche Schlüssel der F-Secure Policy Manager Server-Verwaltung, mit dem die Gültigkeit verteilter Richtlinien überprüft wird, kann hier heruntergeladen werden

     

    which means, roughly translated ... it works ... when clicking the report function it comes up with a report on the Web Reporting port I defined as 8083, showing the status of all PCs connected and the approximate details

     

    but still no policy manager; when trying to log in it keeps saying connection can not be established.

    I deactivated the Windows firewall but no changes. Interesting is that the corresponding message window states "Cant connect to dc01.elora.intern:8080". Where does it get the 8080 from?

     

    As port 8080 has always been in use by other applications, we defined the ports at installation as shown in the screenshot above, and it worked for some time.

     

  • noknowhow
    noknowhow Posts: 7 Security Scout

    Well it seems to be solved somehow... have to check if everything works.
    In the policy manager login I added a new host (modified an existing one) that reads https://localhost:8085

    at least i get the policy manager window and it seems as if i am able to distribute rules.

    But still 2017-11-06 17_09_58-192.168.1.100 - Remotedesktopverbindung.png

     

    and the really funny thing about it is that it worked for some time just with https://localhost

     

     

     

  • A_Grinkevitch
    A_Grinkevitch Posts: 169 Threat Terminator

    Hello noknowhow,

    Did you try my previous suggestion to set RestrictLocalhost to 0? You show screenshot where Status Monitor tries to connect PM via dc01…, while according to registry screenshot PM’s admin port listens on localhost interface only. Unfortunately I do not have your FSMS_STATUS_QUERY entries from request logs, so cannot say for sure if that is the exact reason.

    Another question: why does Status Monitor connect to PM via dc01… but not localhost, as it should by default? Did you change the Status Monitor’s configuration manually? As PMC now connects fine, if my assumption is right and you do not need to run PMC on remote hosts, it is enough to change the computer name in the Status Monitor’s configuration to localhost. Even without touching RestrictLocalhost it should connect to all ports successfully.

    As for port 8080: Policy Manager Console uses the default admin port to connect to PM even though the connection string does not have it. So, if you change the port to a non-default one at PMS, you have to change it in PMC’s connection URL as well. Everything works transparently with default ports, but agreed, it is not that obvious when using non-defaults. I’ll talk with the dev team and discuss if it is possible to improve the logic…

This discussion has been closed.
