F-Secure Proxy for Software Updater won't work

PCBS
PCBS W/ Alumni Posts: 6 Security Scout

Hi there,

While it was quite easy to make the F-Secure Proxy work for antivirus updates, I cannot make it work for Software Updates.

I cannot find a good "how-to" on the documentation.

I'm on an AD domain, with the F-Secure proxy installed on a server. I've tried to import the proxy certificate to my client machines (and it's been well imported) but even with this the clients won't download Software Updates from the proxy (both port 80 and 443 opened on the server). I've tried to set "Always" download from the F-Secure Proxy but the downloads fail.

If someone can give me the settings he is using to make it work, that would be awesome.

Thanks

Best Answer

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 498 Moderator
    edited April 2021 Answer ✓

    Hi,

    You need to do the following to set up F-Secure Endpoint Proxy to offer Software Update:

    1. Install F-Secure Policy Manager Proxy with reference to the steps documented in the following:


    https://community.f-secure.com/psb-en/kb/articles/5675-using-f-secure-endpoint-proxy-with-a-computer-protection-profile


    2. If a proxy server is required to reach the Internet, you need to add the following to the config file, C:\Program Files (x86)\F-Secure\Management Server 5\data\fspms.proxy.config:


    http_proxy=<the proxy server address, for example, http://myproxy:3128, etc.>


    3. Run the following command in a command prompt window to replace the default certificate with your trusted CA certificate:


    "C:\Program Files (x86)\F-Secure\Management Server 5\jre\bin\keytool" -importkeystore -destkeystore "C:\Program Files (x86)\F-Secure\Management Server 5\data\fspms.jks" -deststorepass superPASSWORD -destalias fspms -destkeypass superPASSWORD -srckeystore <the file path for the trusted CA certificate, *.p12 file> -srcstoretype PKCS12 -srcstorepass <the certificate password for the *.p12 file> -srcalias <alias for the certificate, *.p12 file>


    4. Open registry editor

    5. Navigate to the registry, HKLM\SOFTWARE\Wow6432Node\DataFellows\F-Secure\Management Server

    6. Add the following to the string value, additional_java_args


    -DpsbProxyMode=true


    7. Check that the DWORD value, HttpsPortNum is 443. If it is not, change it to 443.

    8. Restart F-Secure Policy Manager Proxy and F-Secure Policy Manager Update Server service
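
The steps in the answer above can be verified on the proxy server after the restart. This PowerShell check is an added example, not part of the original answer or of F-Secure's tooling; it uses only the paths, registry key and value names quoted in the answer, and `$StorePass` is a placeholder for the keystore password used in step 3.

```powershell
# Added verification sketch, not F-Secure code. Paths, key and value names are the
# ones quoted in the answer; $StorePass is a placeholder for the step 3 password.
param([string]$StorePass = 'superPASSWORD')

$base   = 'C:\Program Files (x86)\F-Secure\Management Server 5'
$regKey = 'HKLM:\SOFTWARE\Wow6432Node\DataFellows\F-Secure\Management Server'
$checks = [ordered]@{}

# Step 2 (only relevant when an upstream proxy is required): http_proxy line present?
$cfg = Join-Path $base 'data\fspms.proxy.config'
$checks['http_proxy set in fspms.proxy.config'] = (Test-Path $cfg) -and [bool](Select-String -Path $cfg -Pattern '^\s*http_proxy=\S+' -Quiet)

# Step 3: the fspms alias must exist in fspms.jks and hold a private key entry.
$keytool = Join-Path $base 'jre\bin\keytool.exe'
$jks     = Join-Path $base 'data\fspms.jks'
$listing = & $keytool -list -alias fspms -keystore $jks -storepass $StorePass 2>&1
$checks['fspms alias is a PrivateKeyEntry'] = ($LASTEXITCODE -eq 0) -and [bool]($listing -match 'PrivateKeyEntry')

# Steps 5-7: registry values under the Management Server key.
$reg = Get-ItemProperty -Path $regKey -ErrorAction SilentlyContinue
$checks['additional_java_args has -DpsbProxyMode=true'] = [bool]($reg.additional_java_args -match '(^|\s)-DpsbProxyMode=true(\s|$)')
$checks['HttpsPortNum is 443'] = ($reg.HttpsPortNum -eq 443)

# Print one line per check; anything marked CHECK needs a second look.
$checks.GetEnumerator() | ForEach-Object {
    '{0,-50} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}
```

The `http_proxy` line is expected to show CHECK when the server reaches the Internet directly, since step 2 does not apply in that case.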

Answers

  • PCBS
    PCBS W/ Alumni Posts: 6 Security Scout

    Well thanks for that but I'm stuck at the "replace the default certificate with your trusted CA certificate" step.

    I don't know where to get my "trusted CA certificate". Can you help me with that?

    Thanks

  • MonikaL
    MonikaL W/ Alumni Posts: 206 W/ Former Staff

    Hi,

    The PSB client uses the Windows certificate store. You may do the following to install the trusted certificate on the PSB client:

    1. Run mmc in the command prompt window.

    2. Press "File" on the top left

    3. Press on option "Add/Remove snap-in..."

    4. Select "certificates" on the left side menu

    5. Press add and select "Computer account"

    6. Click Next and then Finish

    7. Click OK

    8. Then navigate on left side tree/menu to Console Root → Certificates → Trusted Root Certification Authorities → Certificates

    9. Right-click on "Certificates" and press "All tasks" → "Import"

    10. Follow the on-screen instructions to import the trusted certificate.

  • PCBS
    PCBS W/ Alumni Posts: 6 Security Scout

    Hi MonikaL,

    I've already imported the certificate from my F-Secure proxy server to my client computers using a GPO. I can see the certificate in the cert repository on my client computers. Unfortunately it doesn't do anything.


  • A_Grinkevitch
    A_Grinkevitch W/ Partner, W/ Staff, W/ Product Leadership Posts: 169 W/ Product Leadership

    Hi,

    Please try to open PMP https welcome page in any browser using the name exactly as specified in Issued to or Subject Alternative Name certificate properties. If you see the security warning, please share it here. If not, the same client should be able to use this PMP.

  • PCBS
    PCBS W/ Alumni Posts: 6 Security Scout

    Hi,

    This is what I get when I connect to the proxy https welcome page:

    Below is the certlm.msc, as you can see the cert I've retrieved from the proxy is present in the store:


  • A_Grinkevitch
    A_Grinkevitch W/ Partner, W/ Staff, W/ Product Leadership Posts: 169 W/ Product Leadership

    Hi,

    Could you please check the reason in the certificate details? If the message says something about the inability to check the certificate issuer, you need to import PMP's CA certificate to the trust store instead of the server certificate and in this case, you get the whole trust chain.

    I could not find a corresponding KB article for the PMP running in PSB mode, thus I'll share the article for the Policy Manager explaining each step, where certificates are handled in the same way (note that the PMP in PM mode behaves a bit differently):

    So, follow these steps:

    • if needed use certAdditionalDns to specify the subject alternative name and force the certificate renewal after that
    • export a CA certificate at the PMP host
    • import this CA certificate via GPO to all managed hosts
    • retry the PMP welcome page after these steps


  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 498 Moderator

    Hi,

    Just following up on this - did the last steps manage to resolve your certificate issues?

  • PCBS
    PCBS W/ Alumni Posts: 6 Security Scout

    This is what I get when I try to open the https welcome page.

    Here is the screenshot from the certlm.msc on the same machine. As you can see, the cert from the server is present in the store.

  • PCBS
    PCBS W/ Alumni Posts: 6 Security Scout

    Hi there,

    I've ended up not using an https option because none of the provided solutions would work with PSB and the Software Updater Proxy.

    Thanks for all the hard work

  • A_Grinkevitch
    A_Grinkevitch W/ Partner, W/ Staff, W/ Product Leadership Posts: 169 W/ Product Leadership

    Hi,

    Chrome usually shows the NET::ERR_CERT_AUTHORITY_INVALID error if the CA Root certificate is not in the Trusted Root Certification Authorities store. I do not see F-Secure Policy Manager CA in your certlm.msc screenshot, so I assume that is the case.

    In order to set a trust relationship, you should get something like this:


    So you need to accomplish the following steps:

    • export a CA certificate at the PMP host
    • import this CA certificate via GPO to all managed hosts


    Regards,

    Alex
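
The distinction drawn in this thread, between having the server certificate in the store and having its issuing CA in Trusted Root Certification Authorities, can be checked from a managed client without a browser. This PowerShell is an added example, not part of the original posts or of F-Secure's tooling; `$PmpHost` is a hypothetical name to be replaced with the one shown in the certificate's Issued to or Subject Alternative Name field.

```powershell
# Added diagnostic sketch, not F-Secure code. Run on a managed client.
# $PmpHost is a placeholder: use the exact name from the certificate's
# "Issued to" or Subject Alternative Name field.
param(
    [string]$PmpHost = 'pmp.example.local',
    [int]$Port = 443
)

# Accept any certificate during the handshake so it can be inspected afterwards.
# This callback is for diagnosis only; never use it for real traffic.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }

$tcp = [System.Net.Sockets.TcpClient]::new($PmpHost, $Port)
try {
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($PmpHost)
    $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
} finally {
    $tcp.Dispose()
}

# Rebuild the chain against the machine stores, where a GPO import lands.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new($true)
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$trusted = $chain.Build($leaf)

$san          = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$issuerInRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $leaf.Issuer }
$leafInRoot   = Test-Path "Cert:\LocalMachine\Root\$($leaf.Thumbprint)"

[pscustomobject]@{
    Subject               = $leaf.Subject
    Issuer                = $leaf.Issuer
    SubjectAltName        = if ($san) { $san.Format($false) } else { '(none)' }
    ChainTrusted          = $trusted
    ChainStatus           = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    IssuerCaInTrustedRoot = [bool]$issuerInRoot
    LeafInTrustedRoot     = $leafInRoot
} | Format-List

# The situation described in the thread: leaf imported, issuing CA missing.
if (-not $issuerInRoot -and $leafInRoot -and $leaf.Subject -ne $leaf.Issuer) {
    Write-Warning 'The server certificate is in Trusted Root but its issuing CA is not: import the CA certificate instead.'
}
```

A `ChainStatus` of `PartialChain` or `UntrustedRoot` together with `IssuerCaInTrustedRoot : False` corresponds to the browser's NET::ERR_CERT_AUTHORITY_INVALID; a host name missing from `Subject` and `SubjectAltName` is a separate name-mismatch problem.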

This discussion has been closed.