Issue:
After upgrading or installing WithSecure Client Security/Server Security 14.x or newer, you encounter issues with communication. Symptoms include:
- the host is unable to connect to WithSecure Policy Manager Server
- the host is not visible on the "Import host" list in WithSecure Policy Manager Console.
However, the hosts might be able to download updates.
Resolution:
Note: Make sure that the WithSecure Policy Manager Server address is correct and that the host communication ports (default: TCP 80 and 443) are listening.
Test the connectivity between the clients and Policy Manager:
- Try to connect to the WithSecure Policy Manager Server's address via a web browser from one of the hosts (http://pms-server.local:80 and https://pm-server.local:443). If the connection is set up correctly, you will receive a web page from the WithSecure Policy Manager Server indicating so. If there is no page loaded, check that the host communication ports to the Policy Manager Server are allowed in your firewall.
- Make sure that you have configured the WithSecure Policy Manager Server IP address and/or hostname correctly and that the ports configured for host modules are correct.
On the host running WithSecure Client Security/Server Security, the following log contains details on the connection status with the WithSecure Policy Manager Server. You can use it to troubleshoot connection issues:
C:\ProgramData\F-Secure\Log\BusinessSuite\PmpSelectorPlugin.log
Below is an example of a failed connection:
I: Connecting to wait.pmp-selector.local
I: Update check failed, error=210 (unable to resolve host)
I: Connection failed
W: ServerFinder::Ping: Ping to {host: 10.10.10.10, http: 82, https: 443} aborted. There are no valid certificates
I: UpdatablePmCertVerifier::RenewCertificates: Renewing certificates from 10.10.10.10
E: UpdatablePmCertVerifier::RenewCertificates: Failed to download certificate bodies. AsyncSendRequest failed: 12002
W: CosmosUpdater::Run: No servers responded. Policy Manager unavailable.
Error 12002 is ERROR_WINHTTP_TIMEOUT: the request timed out, so Client Security/Server Security cannot connect to Policy Manager to fetch this list.
A complete list of Microsoft Windows HTTP Services (WinHTTP) errors is available in the Microsoft documentation.
Below is an example of a working connection:
I: UpdatablePmCertVerifier::RenewCertificates: Renewing certificates from 10.11.10.10
I: UpdatablePmCertVerifier::RenewCertificates: 2 certificate(s) renewed successfully; expire in 86170 seconds
If you have confirmed that communication works between the client computer and the Policy Manager Server, and you have made sure that the Policy Manager address and ports are configured correctly, make sure that the date and time are configured correctly on the client device.
If the date and time are set incorrectly, the certificate download from the Policy Manager Server will fail. The date and time can easily be set incorrectly in an offline environment, since the Network Time Protocol (NTP) can't be used to set them.
Check the PmpSelectorPlugin.log again for the following:
W: ServerFinder::Ping: Ping aborted: there are no valid certificates
I: UpdatablePmCertVerifier::RenewCertificates: Renewing certificates from 192.168.1.100:443 with HTTP proxy ''
W: UpdatablePmCertVerifier::StoreCertificates: Certificates renewal yielded no fresh certificates
In the above example the client tries to download the certificate from the Policy Manager Server, but since the client's date and time are in the future compared to the Policy Manager Server, the client thinks no fresh certificate is available.
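The log checks described above can be run in one pass on the host. The following PowerShell is an added example, not WithSecure tooling: the function name, rule table and output fields are hypothetical, the patterns are the log messages quoted in this article, and it assumes the log is written in chronological order.

```powershell
# Added example: classify PmpSelectorPlugin.log lines using the messages quoted in this article.
# Get-PmpLogFinding and its rule table are hypothetical names, not WithSecure tooling.
function Get-PmpLogFinding {
    param([string[]]$Line)
    # Ordered rules: first match wins. Patterns are the log texts shown in the article.
    $rules = @(
        @{ Pattern = 'renewed successfully; expire in \d+ seconds'; Finding = 'CertificatesRenewed'
           Check   = 'None: connection to Policy Manager Server works' }
        @{ Pattern = 'error=210 \(unable to resolve host\)'; Finding = 'NameResolutionFailed'
           Check   = 'Policy Manager Server address/hostname configured on the host' }
        @{ Pattern = 'AsyncSendRequest failed: 12002'; Finding = 'WinHttpTimeout'
           Check   = 'Firewall rules and host communication ports (default TCP 80/443)' }
        @{ Pattern = 'AsyncSendRequest failed: \d+'; Finding = 'WinHttpError'
           Check   = 'Look the code up in the WinHTTP error list' }
        @{ Pattern = 'yielded no fresh certificates'; Finding = 'NoFreshCertificates'
           Check   = 'Date and time on the client (clock ahead of the server)' }
        @{ Pattern = 'no valid certificates'; Finding = 'NoValidCertificates'
           Check   = 'See the RenewCertificates lines that follow' }
        @{ Pattern = 'No servers responded'; Finding = 'PolicyManagerUnavailable'
           Check   = 'Server address, ports and firewall' }
    )
    foreach ($l in $Line) {
        foreach ($r in $rules) {
            if ($l -match $r.Pattern) {   # -match is case-insensitive
                [pscustomobject]@{ Finding = $r.Finding; Check = $r.Check; Line = $l.Trim() }
                break
            }
        }
    }
}

# Fallback input: log lines quoted in the article, used when the log file is not present.
$sample = @'
I: Update check failed, error=210 (unable to resolve host)
E: UpdatablePmCertVerifier::RenewCertificates: Failed to download certificate bodies. AsyncSendRequest failed: 12002
W: CosmosUpdater::Run: No servers responded. Policy Manager unavailable.
W: ServerFinder::Ping: Ping aborted: there are no valid certificates
W: UpdatablePmCertVerifier::StoreCertificates: Certificates renewal yielded no fresh certificates
'@ -split '\r?\n'

$logPath  = 'C:\ProgramData\F-Secure\Log\BusinessSuite\PmpSelectorPlugin.log'
$lines    = if (Test-Path -LiteralPath $logPath) { Get-Content -LiteralPath $logPath -Tail 500 } else { $sample }
$findings = @(Get-PmpLogFinding -Line $lines)

$findings | Group-Object Finding | Select-Object Count, Name | Format-Table -AutoSize
# Assumption: the log is chronological, so the last match reflects the most recent state.
if ($findings.Count) { $findings[-1] | Format-List Finding, Check, Line }
```

A final finding of NoFreshCertificates after connectivity has been confirmed points to the client clock rather than the network.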
Article no: 000010321