000038683 - RSA NetWitness Endpoint Agents are not reflected on UI

Document created by RSA Customer Support Employee on Apr 6, 2020
Version 1

Article Content

Article Number: 000038683

Applies To:
RSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Endpoint Log Hybrid
RSA Version/Condition: 11.3.x and 11.4.x
Platform: CentOS 7

Issue: Endpoint Agents are not reflected on the UI under Investigate > Hosts, although the NWEAgent service is running.

Cause: Most probably the connection on port TCP/443 is not established: either there is a blocking point in the path between the Agent and the server, or there is a mismatch in the TLS and cipher options.

Resolution: First, test the connectivity between the Endpoint Agents and the server on both ports TCP/443 and UDP/444 using the Testnet utility. For more details, follow the steps in Article 000038661.

An error similar to the one below means that the port is open but the connection is still not established.
 

C:\Windows\System32>NWEAgent.exe/testnet

C:\Windows\System32>
**************************************************
* NetWitness Endpoint Agent                      *
* © 2019 RSA Security LLC., All rights reserved. *
**************************************************
Compiled on Apr  1 2019 10:47:28.

- Found service certificate...
- Found service config...
- Service master server 192.168.2.132:443, UDP:444...
- Found service assigned server 192.168.2.133:443, UDP:444...
- Attempting connection with basic socket...
- Resolved address...
SUCCESS: Connected with basic socket.
- Attempting connection with WinHTTP...
ERROR: TestHttpsConnection: Could not connect, and no proxy was found. (Error =
0, Code = 500)

- Attempting UDP beacon test...
- Resolved address...
SUCCESS: Got expected UDP reply.


The next step is to verify that the Agent and the Server can agree on an SSL/TLS protocol version (TLSv1.2, TLSv1.3...) and a cipher suite.

Server Side

  • The Endpoint Server is configured to run in FIPS mode and accepts only TLSv1.2.
  • The ciphers are listed in /etc/nginx/conf.d/nginx.conf:


[root@EndpointLogHybrid ~]# cat /etc/nginx/conf.d/nginx.conf | grep -i ssl_ciphers
    ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;


Agent Side

Download any third-party tool that lists the enabled TLS versions and ciphers, such as https://www.nartac.com/Products/IISCrypto/Download

[Screenshot: TLS Options]

[Screenshot: Ciphers]

In the above example, we can see that the ECDHE family was disabled.
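
The overlap check described above can also be done offline. The following is an added example, not part of the original RSA article: it expands the server's ssl_ciphers string with the local OpenSSL and intersects it, by IANA code point, with the suites enabled on the agent. The two agent lists are constructed samples and the function names are hypothetical.

```python
import ssl

# Cipher string copied from the page's /etc/nginx/conf.d/nginx.conf output.
SERVER_CIPHERS = "AES256+EECDH:AES256+EDH:!aNULL"

# Constructed sample of agent-side Schannel suites (IANA code point -> name).
# Replace with the values exported from the affected Windows host.
AGENT_ECDHE_DISABLED = {
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}
AGENT_ECDHE_ENABLED = {
    **AGENT_ECDHE_DISABLED,
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}


def server_suites(cipher_string=SERVER_CIPHERS):
    """Expand an OpenSSL cipher string into {IANA code point: OpenSSL name}.

    TLS 1.3 suites are dropped because the page states the Endpoint Server
    accepts only TLSv1.2. The expansion uses the OpenSSL build linked into
    this Python, which may differ slightly from the server's build.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return {
        c["id"] & 0xFFFF: c["name"]
        for c in ctx.get_ciphers()
        if c["protocol"] != "TLSv1.3"
    }


def common_suites(agent, cipher_string=SERVER_CIPHERS):
    """Return sorted (code point, agent name, server name) tuples both sides offer."""
    server = server_suites(cipher_string)
    return [(cp, agent[cp], server[cp]) for cp in sorted(agent) if cp in server]


if __name__ == "__main__":
    for label, agent in (("ECDHE disabled", AGENT_ECDHE_DISABLED),
                         ("ECDHE enabled", AGENT_ECDHE_ENABLED)):
        shared = common_suites(agent)
        print(f"{label}: {len(shared)} shared suite(s)")
        for cp, agent_name, server_name in shared:
            print(f"  0x{cp:04X} {agent_name} / {server_name}")
```

An empty result for the agent's list means the TLS handshake cannot complete even though the TCP port is reachable, which matches the failing Testnet output shown earlier.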

After enabling them and running the Testnet utility again, the output shows that the connection is established successfully.
 

C:\Windows\System32>NWEAgent.exe/testnet

C:\Windows\System32>
**************************************************
* NetWitness Endpoint Agent                      *
* © 2019 RSA Security LLC., All rights reserved. *
**************************************************
Compiled on Dec 10 2019 03:54:23.

- Found service certificate...
- Found service config...
- Service master server 192.168.2.132:443, UDP port 444...
- Found service assigned server 192.168.2.133:443, UDP port 444...
- Attempting connection with basic socket...
- Resolved address...
SUCCESS: Connected with basic socket.
- Attempting connection with WinHTTP...
SUCCESS: Connected over HTTPS with WinHTTP. Server reply : {"serviceId":"9a9e82e
6-0104-4e42-a9fd-75537854a534","serviceName":"endpoint-server","marketingVersion
":"11.4.0.0"}
- Attempting UDP beacon test...
- Resolved address...
SUCCESS: Got expected UDP reply.
