000036373 - Agent communication fails due to proxy server configuration on endpoints in RSA NetWitness Endpoint

Document created by RSA Customer Support Employee on May 22, 2018Last modified by RSA Customer Support Employee on May 28, 2018
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000036373
Applies ToRSA Product Set: NetWitness Endpoint, ECAT
RSA Product/Service Type: Agents
RSA Version/Condition: 4.3, 4.4
IssueThe agent shows UDP communication to the CS and may or may not be present in the UI, and may show Online but never seems to take any updates, has virtually nothing in the Agent Logs, and does not have any real data.

One of the most obvious tells that this is a proxy issue is that the Console Server does not actually receive TCP traffic on port 443 to the CS; without this traffic detected there is no data to be sent to the server.
CauseThis is caused by the presence of proxy settings on the agent machine that are redirecting traffic to a proxy server, either real(in which case we may see TCP traffic to the proxy but not leaving the proxy to the CS) or false(traffic to a proxy that does not exist, or the setting is somehow misconfigured).

Since UDP generally ignores proxy traffic, UDP traffic may still reach the Console Server.
Resolution
Identification of Proxy Settings


  1. Run the following command in order to confirm the presence of proxy settings:
    • netsh winhttp show proxy
    • If you see anything other than Direct access (no proxy server) or simply none, then you have a proxy setting set on the system
  2. This setting is also updated in the following registry key, which MUST be checked regardless of what netsh describes:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    • Look inside the WinHTTPSettings value; if its default, then it should have a value that looks like this:Default settings for WinHTTPSettings image
  3. Any setting that looks even slightly different than the above WinHTTPSetting output, or that shows a proxy setting, will prevent connectivity to the endpoint

Proxy Setting

There are two ways to handle the proxy issues, the one chosen should be determined based on the environment:
First, if the proxy is not necessary, see the solution below for removing it properly. If the proxy must remain, see the solution in the workaround section.
  1. Delete the proxy setting in netsh by running:
    • netsh winhttp reset proxy
  2. Confirm AFTER making the previous setting change that the WinHTTPSettings in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections is default values, see the image above for the default value. If this value is not default, modify to default value.
  3. Reboot the endpoint machine to reset the proxy settings and confirm the communication is working normally to the CS. This should normally resolve immediately.
WorkaroundConfiguring the proxy settings:

  1. Open the agent packager and switch to the Advanced tab
  2. In the proxy settings list add the proxy settings in the format outlined below for ALL proxy servers:
    • <protocol>:<hostname_or_ip>:<port>
    • Ex. https:10.10.10.10:8080
  3. IMPORTANT: Add the IP address or hostname of the Console server to the Exclusions list below the proxy settings:
    • Ex. 10.10.10.80
  4. Install the new agent on all endpoints with relevant proxy settings and confirm the machine gets added to the UI

Attachments

    Outcomes