Issue:
The symptoms include:
- Clients are unable to download updates from the Policy Manager Server
- Clients are unable to upload status information to the Policy Manager Server and will eventually show up in Policy Manager Console as disconnected hosts
However, clients might still be able to download updates because, in the default configuration, fallback to WithSecure update servers is allowed.
A couple of log files on the endpoint help to establish whether the client has a connection problem because the firewall on the server is blocking access.
The examples are for Client Security 14 but also apply to Server Security 14 and later. The Policy Manager Server here is pms.acme.com, listening on the default ports 80 and 443.
C:\ProgramData\F-Secure\Log\AUA\Aua.log
2019-10-02 12:07:25.311 [15d4.1d50] I: Connecting to pms.acme.com:80/guts2
2019-10-02 12:07:46.349 [15d4.1d50] I: Update check failed, error=110 (connection timed out)
The same is also visible in this log file:
2019-10-02 12:17:37.502 [15d4.1d68] I: UpdatablePmCertVerifier::RenewCertificates: Renewing certificates from pms.acme.com:443 with HTTP proxy ''
2019-10-02 12:17:58.535 [15d4.1d68] *E: UpdatablePmCertVerifier::RenewCertificates: Failed to download certificate bodies (FsHttpRequest::Error_Timeout, AsyncSendRequest failed: 12002)
2019-10-02 12:18:07.536 [15d4.1d68] I: UpdatablePmCertVerifier::RenewCertificates: Renewing certificates from pms.acme.com:443 with HTTP proxy ''
Error 12002 translates to:
12002 ERROR_INTERNET_TIMEOUT: The request has timed out.
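To confirm from an affected client that the timeouts in the log match an unreachable port, the following added example (not part of the original article and not a WithSecure tool) extracts the server endpoints from Aua.log and attempts a TCP connection to each. The `$Tail` parameter and the regular expressions are assumptions based on the log excerpts above.

```powershell
# Added example: run in PowerShell on an affected client.
param(
    # Log path as given in the article; pass a different file if needed.
    [string]$LogPath = 'C:\ProgramData\F-Secure\Log\AUA\Aua.log',
    # Assumption: the most recent 2000 lines are enough to cover the failure.
    [int]$Tail = 2000
)

# Patterns derived from the log lines quoted in this article.
$endpointRx = '(?:Connecting to|Renewing certificates from)\s+(?<server>[A-Za-z0-9.-]+):(?<port>\d+)'
$timeoutRx  = 'error=110 \(connection timed out\)|Error_Timeout|failed: 12002'

$lines = Get-Content -LiteralPath $LogPath -Tail $Tail

# Every server:port the client tried to reach, de-duplicated.
$endpoints = $lines | ForEach-Object {
    if ($_ -match $endpointRx) { '{0}:{1}' -f $Matches['server'], $Matches['port'] }
} | Sort-Object -Unique

# Number of log lines that report a timeout.
$timeouts = @($lines | Where-Object { $_ -match $timeoutRx }).Count
"Timeout entries in the last $Tail lines: $timeouts"

# Attempt a plain TCP connection to each endpoint found in the log.
foreach ($ep in $endpoints) {
    $server, $port = $ep -split ':'
    $r = Test-NetConnection -ComputerName $server -Port ([int]$port) -WarningAction SilentlyContinue
    [pscustomobject]@{
        Endpoint      = $ep
        RemoteAddress = $r.RemoteAddress
        TcpReached    = $r.TcpTestSucceeded
    }
}
```

Timeout entries combined with `TcpReached` showing `False` for the Policy Manager Server ports are consistent with the blocked-port cause described in the resolution that follows.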
Resolution:
WithSecure Server Security uses the Windows Firewall. It is likely that the ports used by the HTTP and HTTPS services are blocked in the firewall on the server where Policy Manager Server is installed. This would prevent the clients from contacting the Policy Manager Server.
To resolve the issue, create a firewall rule allowing inbound HTTP and HTTPS traffic to the server where Policy Manager Server is installed.
You can find instructions on how to create firewall rules in Policy Manager 14 in this guide.
Things to consider:
- Make sure the firewall rule is enabled. This is the first checkbox in the Firewall rules table.
- Make sure the Server profile containing the rule is assigned as the "Server host profile". In the example below, the profile is called Server (cloned).
- The other rules in the profiles in this screenshot are also activated, but this is not needed to meet the communication requirements between clients and Policy Manager Server.
- As this particular rule is only required for the server host running Policy Manager Server, we have selected the server before making the change (here called DC1-PETERF).
Article no: 000016843