|Applies To||RSA Product Set: NetWitness Endpoint, ECAT|
RSA Product/Service Type: Agents
RSA Version/Condition: 4.3, 4.4
|Issue||The agent shows UDP communication to the Console Server (CS) but may or may not be present in the UI. It may show as Online yet never seems to take any updates, has virtually nothing in the Agent Logs, and does not report any real data.|
One of the most obvious signs that this is a proxy issue is that the Console Server never actually receives TCP traffic on port 443 from the agent; without that TCP connection there is no data to be sent to the server.
There is an additional issue where the agent "loses" the proxy/exception settings that were specified in the agent packager if communication drops. This is fixed in the 220.127.116.11 version of the Endpoint agent.
|Cause||This is caused by the presence of proxy settings on the agent machine that redirect traffic to a proxy server, either real (in which case we may see TCP traffic to the proxy, but nothing leaving the proxy for the CS) or false (traffic to a proxy that does not exist, or a setting that is somehow misconfigured).|
Because UDP traffic is generally not routed through the proxy setting, UDP traffic may still reach the Console Server.
Identification of Proxy Settings
- Run the following command in order to confirm the presence of proxy settings:
- netsh winhttp show proxy
- If you see anything other than Direct access (no proxy server), or simply none, then a proxy setting is configured on the system.
- This setting is also stored in the following registry key, which MUST be checked regardless of what netsh reports:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
- Look inside the WinHTTPSettings value; if it is at the default, it should have a value that looks like this:
- Any value that differs even slightly from the default WinHTTPSettings output above, or that shows a proxy setting, will prevent connectivity with the endpoint.
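As an added check script (not part of this RSA article): the following PowerShell shows what netsh reports, reads the WinHttpSettings registry value the article says must always be checked, decodes whether a proxy is configured, and tests whether the Console Server is in the bypass list. It assumes the commonly documented layout of that binary value (a DWORD of flags at offset 8 where 1 means direct access, followed by a length-prefixed ASCII proxy string and a length-prefixed bypass list) and uses a placeholder for the CS hostname.

```powershell
# Added example, not from the RSA article. Assumptions: the CS name is a
# placeholder, and the WinHttpSettings blob follows the commonly documented
# layout (DWORD flags at offset 8, 1 = direct, otherwise a proxy is set; then a
# length-prefixed ASCII proxy string and a length-prefixed bypass list).
param([string]$ConsoleServer = 'CS-HOSTNAME-OR-IP')   # placeholder: set to the real CS

$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'

# 1. What netsh reports
Write-Host '--- netsh winhttp show proxy ---'
netsh winhttp show proxy

# 2. What the registry actually holds (check this regardless of what netsh says)
$blob = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).WinHttpSettings
if (-not $blob -or $blob.Length -lt 12) {
    Write-Host 'WinHttpSettings missing or too short: WinHTTP falls back to direct access.'
    return
}
Write-Host ('WinHttpSettings raw: ' + (($blob | ForEach-Object { $_.ToString('x2') }) -join ' '))

$flags = [BitConverter]::ToInt32($blob, 8)
if ($flags -eq 1) {
    Write-Host 'Flags = 1: direct access (default). The WinHTTP proxy is not what blocks the agent.'
    return
}

# Proxy string: DWORD length at offset 12, ASCII bytes follow
$proxyLen  = [BitConverter]::ToInt32($blob, 12)
$proxy     = [Text.Encoding]::ASCII.GetString($blob, 16, $proxyLen)
# Bypass list: DWORD length right after the proxy string, then ASCII bytes
$bypassOff = 16 + $proxyLen
$bypassLen = if ($blob.Length -ge $bypassOff + 4) { [BitConverter]::ToInt32($blob, $bypassOff) } else { 0 }
$bypass    = if ($bypassLen -gt 0) { [Text.Encoding]::ASCII.GetString($blob, $bypassOff + 4, $bypassLen) } else { '' }

Write-Host "Flags = $flags : proxy configured -> $proxy"
Write-Host "Bypass list: '$bypass'"

# 3. Unless the CS is bypassed, the agent's port-443 traffic goes to the proxy, not the CS
if (($bypass -split '[;, ]+') -contains $ConsoleServer) {
    Write-Host "Console Server '$ConsoleServer' is in the bypass list; agent TCP 443 traffic goes direct."
} else {
    Write-Warning "Console Server '$ConsoleServer' is NOT bypassed; HTTPS to the CS will be sent to $proxy."
    Write-Host 'If the proxy is not required: netsh winhttp reset proxy, re-check this value, then reboot.'
    Write-Host 'If it must remain: add the CS to the packager Exclusions list and redeploy the agent.'
}
```

Run it elevated on an affected endpoint; a non-default value with the CS absent from the bypass list matches the symptom described above (UDP reaches the CS, TCP 443 never does).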
There are two ways to handle the proxy issue; which one to choose depends on the environment:
First, if the proxy is not necessary, see the solution below for removing it properly. If the proxy must remain, see the solution in the workaround section.
- Delete the proxy setting in netsh by running:
- netsh winhttp reset proxy
- Confirm AFTER running the reset that the WinHTTPSettings value in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections is back at its default (see the image above for the default value). If it is not at the default, modify it to the default value.
- Reboot the endpoint machine to apply the reset proxy settings, then confirm that communication to the CS is working normally. This normally resolves the issue immediately.
|Workaround||Configuring the proxy settings:|
- Open the agent packager and switch to the Advanced tab
- In the proxy settings list, add an entry in the format outlined below for ALL proxy servers:
- Ex. https=10.10.10.10:8080
- IMPORTANT: Add the IP address or hostname of the Console server to the Exclusions list below the proxy settings:
- Install the new agent on all endpoints that use the relevant proxy settings and confirm that each machine gets added to the UI.