Issue:
After upgrading to Policy Manager 15.x, Client Security or Server Security hosts show disconnected status or are missing in the Policy Manager Console.
AsyncSendRequest SSL fail: 12175 is logged in the pmpselectorplugin.log or nrb.log:
I: UpdatablePmCertVerifier::RenewCertificates: Renewing certificates from 192.168.98.247:9443 with HTTP proxy ''
*E: UpdatablePmCertVerifier::RenewCertificates: Failed to download certificate bodies (FsHttpRequest::Error_Certificate, AsyncSendRequest SSL fail: 12175 [0x80000000])
.W: PmpSelectorPlugin::Run: Policy Manager unavailable
Visible symptoms:
- The host is not able to receive policy updates from the Policy Manager Server
- The Centralized management status page in the Policy Manager Console shows that the policy counters on the host and on the server do not match (the policy in use is not the latest)
- The host is shown in disconnected status in the Policy Manager Console domain tree
- AUA.log on the host shows it is able to connect to the Policy Manager Server using HTTP to download updates
Resolution:
Policy Manager 15.x dropped support for the weak TLS protocol versions TLSv1 and TLSv1.1. This may cause connectivity issues with outdated Windows hosts, for example hosts that lack the KB3042058 update from May 2015. Hosts running Windows 7, 8, 8.1, Server 2008 R2, Server 2012 or Server 2012 R2 are affected by this issue.
The download links and more information, including the prerequisites for KB3042058, are available in the Microsoft security advisory for KB3042058 (see the link below). The update adds cipher suites to the default list on affected systems and improves the cipher suite priority order.
The easiest way to verify whether the host is able to use the Policy Manager Server SSL connector is to load the Policy Manager Server page via HTTPS (port 443 in the default configuration) with Microsoft Internet Explorer from the managed host.
- Open Microsoft Internet Explorer
- Go to address https://<YourPolicyManagerServerAddress>:443
If the connection works, you should see a message telling you that the Policy Manager Server is installed and working.
Microsoft Internet Explorer is used because it is the only browser that establishes the secure connection with the same Windows secure channel (Schannel) library the clients use. Other browsers may use their own built-in TLS library and therefore connect to the Policy Manager Server even without KB3042058.
If the issue is spotted on a newer Windows operating system, you will need to verify whether the cipher suites supported on the Policy Manager Server are also supported on the host. You can do the following to find out:
To fetch the list of cipher suites supported by the Policy Manager Server, install Nmap and run the following on a host from which the Policy Manager Server is reachable:
- nmap --script ssl-enum-ciphers -p <HTTPS port for Host Module> <Policy Manager Server hostname or IP address>
To fetch a list of cipher suites supported on the host, run the following in Windows PowerShell on Server 2016 and newer:
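The comparison of the two lists, as an added example that is not part of the original article: it parses a constructed sample of the nmap ssl-enum-ciphers output, reads the suites enabled on the local host with Get-TlsCipherSuite (assumed to be available, i.e. Windows Server 2016 / Windows 10 or newer), and reports per TLS version which of the server's suites the host can actually use.

```powershell
# Added example (not from the article): compare the cipher suites the Policy Manager
# Server offers (nmap ssl-enum-ciphers output) with the suites enabled on this host.
# Assumes Get-TlsCipherSuite is available (Windows Server 2016 / Windows 10 or newer).

# Constructed sample of nmap output; replace it with the real output of
# nmap --script ssl-enum-ciphers -p <HTTPS port for Host Module> <Policy Manager Server>
$nmapOutput = @'
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|     compressors:
|       NULL
|_  least strength: A
'@

# Map the TLS version headings nmap prints to the protocol codes Get-TlsCipherSuite reports
# in its Protocols property (0x0301 = 769 ... 0x0304 = 772).
$protocolCodes = @{ 'TLSv1.0' = 769; 'TLSv1.1' = 770; 'TLSv1.2' = 771; 'TLSv1.3' = 772 }

# Parse the suites the server offers, grouped by protocol version.
$serverSuites = @{}
$current = $null
foreach ($line in $nmapOutput -split "`r?`n") {
    if ($line -match '^\|\s+(TLSv1\.\d):') { $current = $Matches[1]; $serverSuites[$current] = @(); continue }
    if ($current -and $line -match '\b(TLS_[A-Z0-9_]+)\b') { $serverSuites[$current] += $Matches[1] }
}

# Suites enabled on this host, each with the protocol versions it may be used with.
$hostSuites = Get-TlsCipherSuite

foreach ($version in $serverSuites.Keys) {
    $code = $protocolCodes[$version]
    $common = @($hostSuites | Where-Object {
        $_.Protocols -contains $code -and $serverSuites[$version] -contains $_.Name })
    "{0}: server offers {1} suite(s), host can use {2}" -f $version, $serverSuites[$version].Count, $common.Count
    $common | ForEach-Object { "    " + $_.Name }
}
# A version with zero common suites cannot complete the handshake; when that is true for
# every version the server offers, the host logs AsyncSendRequest SSL fail: 12175.
```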
Sometimes the Schannel library attempts to use TLS 1.0 even with the KB3042058 update installed. It was discovered that this can happen if the Windows Server is running in an Active Directory role. Making any change to the SSL Cipher Suite Order Group Policy setting as described under More Information at https://support.microsoft.com/en-us/help/3042058/microsoft-security-advisory-update-to-default-cipher-suite-priority-or#section-2 and rebooting the server fixes this, even if the SSL Cipher Suite Order Group Policy setting is later reset to its default value.
If you are unable to install the cipher suite Windows update on the host or to fix the SSL Cipher Suite Order Group Policy setting, a workaround is to allow TLSv1 and TLSv1.1 on the Policy Manager Server using these steps:
- Stop the Policy Manager Server service from the command prompt:
  - For Policy Manager 15: net stop fsms
  - For Policy Manager 16: net stop wspms
- Open Regedit and navigate to:
  - Policy Manager 15: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Data Fellows\F-Secure\Management Server 5\
  - Policy Manager 16: HKLM\SOFTWARE\WithSecure\Policy Manager\Policy Manager Server\
- Open the additional_java_args string value and add: -DenableVistaInteroperability=true
- Start the Policy Manager Server service from the command prompt:
  - For Policy Manager 15: net start fsms
  - For Policy Manager 16: net start wspms
Hosts using TLSv1 and TLSv1.1 will now again be able to connect to the Policy Manager Server and download policies.
Article no: 000025934