After upgrade to Policy Manager 15.00 or 15.01, Client Security or Email and Server Security hosts show disconnected status or are missing in console (error 12175) - F-Secure Community
<main> <article class="userContent"> <h3 data-version="22" data-article="000025934" data-id="issue">Issue:</h3> <p>After upgrading to Policy Manager 15.x, Client Security or Server Security hosts show disconnected status or are missing in the Policy Manager Console.<br><br>AsyncSendRequest SSL fail: 12175 is logged in the pmpselectorplugin.log or nrb.log:<br><br><i>I: UpdatablePmCertVerifier::RenewCertificates: Renewing certificates from 192.168.98.247:9443 with HTTP proxy ''<br>*E: UpdatablePmCertVerifier::RenewCertificates: Failed to download certificate bodies (FsHttpRequest::Error_Certificate, AsyncSendRequest SSL fail: 12175 [0x80000000])<br>.W: PmpSelectorPlugin::Run: Policy Manager unavailable</i><br><br>Visible symptoms:</p> <ul><li>The host is not able to receive policy updates from the Policy Manager Server</li><li>The Policy Manager Console <b>Centralized management</b> status page shows that the policy counters on the host and on the server do not match (the policy in use is not the latest)</li><li>The host is shown in disconnected status in the Policy Manager Console domain tree</li><li>AUA.log on the host shows it is able to connect to the Policy Manager Server using HTTP to download updates</li></ul><h3 data-id="resolution">Resolution:</h3> <p>F-Secure Policy Manager 15.x dropped support for the weak cipher suites (TLSv1 and TLSv1.1) of the TLS protocol. This may result in connectivity issues with outdated Windows hosts that are missing updates such as KB3042058 from May 2015. Hosts with Windows 7, 8, 8.1, Server 2008 R2, Server 2012 or Server 2012 R2 are affected by this issue.<br><br>The download links and more information, including the prerequisites for KB3042058, are available <a rel="nofollow" href="https://support.microsoft.com/en-us/help/3042058/microsoft-security-advisory-update-to-default-cipher-suite-priority-or#section-2">here</a>. 
The update adds additional cipher suites to the default list on affected systems and improves the cipher suite priority order.<br><br>The easiest way to verify whether the host is able to use the Policy Manager Server SSL connector is to load the Policy Manager Server page via HTTPS (port 443 in the default configuration) with Microsoft <b>Internet Explorer</b> from the managed host. <br></p><ol><li>Open Microsoft Internet Explorer</li><li>Go to the address <a href="https://&lt;YourPolicyManagerServerAddress&gt;:443" rel="nofollow">https://&lt;YourPolicyManagerServerAddress&gt;:443</a> </li></ol> If the connection works, you should see a message that tells you the Policy Manager Server is installed and is working fine. <br><br>Microsoft Internet Explorer is used because it is the only browser that uses the same secure channel library as the F-Secure clients under Windows to establish a secure connection with the Policy Manager Server. Other browsers might establish a secure connection to the Policy Manager with their own integrated library, even without KB3042058.<br><br>If the issue is spotted on a newer Windows operating system, you will need to verify whether the cipher suites supported on the Policy Manager Server are supported on the host. You can do the following to find out:<br><br>To fetch the list of cipher suites supported by the Policy Manager Server, install Nmap and run the following on a host from which the Policy Manager Server is reachable: <ul><li>nmap --script ssl-enum-ciphers -p &lt;HTTPS port for Host Module&gt; &lt;Policy Manager Server hostname or IP address&gt;</li></ul> To fetch the list of cipher suites supported on the host, run the following in Windows PowerShell on Server 2016 and newer: <ul><li>Get-TlsCipherSuite</li></ul> Sometimes the 'schannel' library attempts to use TLS 1.0 even with the KB3042058 update installed. It was discovered that this can happen if the Windows Server is running in an Active Directory role. 
Making any change to the SSL Cipher Suite Order Group Policy setting, as described under More Information at <a rel="nofollow" href="https://support.microsoft.com/en-us/help/3042058/microsoft-security-advisory-update-to-default-cipher-suite-priority-or#section-2">https://support.microsoft.com/en-us/help/3042058/microsoft-security-advisory-update-to-default-cipher-suite-priority-or#section-2</a>, and rebooting the server fixes this, even if the SSL Cipher Suite Order Group Policy setting value is later reset to default.<br><br>If you are unable to install the cipher suites Windows update on the host or fix the SSL Cipher Suite Order Group Policy setting, a workaround is to allow TLSv1 and TLSv1.1 for the Policy Manager Server by using these steps: <ol><li>Stop the F-Secure Policy Manager Server service with the command prompt command: <b>net stop fsms</b></li><li>Open Regedit and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Data Fellows\F-Secure\Management Server 5\</li><li>Open the <b>additional_java_args</b> string and add: <b>-DenableVistaInteroperability=true</b></li><li>Start the F-Secure Policy Manager Server service with the command prompt command: <b>net start fsms</b></li></ol> Now hosts using TLSv1 and TLSv1.1 will again be able to connect to the Policy Manager Server and download policies. <p>Article no: 000025934</p> </article> </main>
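<p>The cipher suite comparison described in the Resolution above, as an added PowerShell example that is not part of the F-Secure article or product: it parses saved Nmap ssl-enum-ciphers text output and intersects it, per protocol version, with the names returned by Get-TlsCipherSuite. The function names Get-NmapCipherSuite and Compare-PmsCipherSuite and the sample data are assumptions made for illustration; the TLS_AKE_WITH_ renaming reflects how Nmap labels TLS 1.3 suites.</p>

```powershell
# Added example (not F-Secure code); function names and sample data are constructed.
function Get-NmapCipherSuite {
    # Parses text output of: nmap --script ssl-enum-ciphers -p <port> <server>
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$NmapLine)
    $protocol = $null
    foreach ($line in $NmapLine) {
        if ($line -match '^\|\s+(SSLv\d|TLSv\d\.\d):\s*$') {
            $protocol = $Matches[1]            # start of a per-protocol section
        }
        elseif ($protocol -and $line -cmatch '^\|\s+(TLS_[A-Z0-9_]+)') {
            [pscustomobject]@{ Protocol = $protocol; Name = $Matches[1] }
        }
    }
}

function Compare-PmsCipherSuite {
    param(
        # Server side: lines of the saved Nmap output
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$NmapLine,
        # Host side: (Get-TlsCipherSuite).Name
        [Parameter(Mandatory)][string[]]$HostSuite
    )
    Get-NmapCipherSuite -NmapLine $NmapLine | Group-Object Protocol | ForEach-Object {
        $group = $_
        # Nmap prints TLS 1.3 suites as TLS_AKE_WITH_*, Windows as TLS_*.
        $shared = @($group.Group |
            ForEach-Object { $_.Name -replace '^TLS_AKE_WITH_', 'TLS_' } |
            Where-Object { $HostSuite -contains $_ })
        [pscustomobject]@{
            Protocol     = $group.Name
            ServerOffers = $group.Count
            Shared       = $shared
            HasCommon    = $shared.Count -gt 0
        }
    }
}

# Constructed sample: a server that only offers TLS 1.2 with ECDHE/GCM suites.
$sampleNmap = @(
    '| ssl-enum-ciphers: '
    '|   TLSv1.2: '
    '|     ciphers: '
    '|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A'
    '|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A'
    '|_  least strength: A'
)
# Constructed host list; on a real host use: $hostSuites = (Get-TlsCipherSuite).Name
$hostSuites = 'TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'

Compare-PmsCipherSuite -NmapLine $sampleNmap -HostSuite $hostSuites | Format-List
```

<p>An empty Shared list for every protocol the server offers means no handshake can succeed, which is the condition this article describes. A non-empty list does not by itself prove that the protocol version is enabled on the host.</p>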