policy manager can not be accessed in fsecure 12.4 (administration module - a connection with the se

I have problems accessing the Policy Manager. I tried to reconfigure the port as shown and restarted the services, but the problem persists. Any ideas?

fsecure.png

 

Best Answer

  • noknowhow Posts: 7
    Accepted Answer

    As I tried it from the server only .. localhost and dc01... were the same machine, but I forgot that they do not use the same IP. 127.0.0.1 is definitely not 192.168..... shame on me

    Of course you are right ... as I am on the server via RDP I do not need to administer anything on another machine.

    So one thing remains ... some previous version has worked with https://localhost while it has to read https://localhost:8085. I'm pretty sure about it as I initially made the setup with the modified ports. Maybe the hosts file or a meanwhile changed switch had some information that translated the IP.

    Anyhow, I guess I'll never find out about that part.

    Thank you for your help and consider this case as solved.

Comments

  • Ben Posts: 2,640 F-Secure Product Expert

    Hi, 


    can you confirm that port 8087 is not used by any other service?
    Did you try changing the port already?

  • same problem here on different port

    dx.png

  • Sorry for the long reply time .. been busy with other customers,

    Yes, as stated above and again below, I can confirm that the ports are not in use, and I tried changing them as well, from the former 8085 to 8087. A quick try on 80 and 81 for the administration module also achieved nothing.

  • MJ-perComp Posts: 1,098 Superuser

    Having another look at your screenshots, all looks nice, except that I do not see
    1) if the firewall is open for 8085 (8087)
    2) Your status is trying to connect to DC01 instead of 127.0.0.1.. the port is not bound to the external IP.
    So rerun the setup and choose "change settings" to allow administration from other PCs.

    Remember these:
    12.40 is introducing https, so by default you need 80, 443, 8080 and 8081

    80 and 443 are for Host -> Server communication. Ports must be open at the firewall of the server

    8080 is by default limited to local access and is used for PMC -> PMS communication
    8081 is WebReporting


    So please try to connect to these ports using a standard browser with proxy settings = none.
    e.g. https://<ip of server>:443. What is the output?

     

    Changing port 443 is a bit tricky, as Clients need to learn about that change through the policy, which they might expect to receive on Port 443. Try to stick with that port.

  • Vad Posts: 1,055 F-Secure Employee

    Hello Matthias, noknowhow,

     

    Small correction. Default HTTPS port is 443.

     

    Best regards,

    Vad

  • MJ-perComp Posts: 1,098 Superuser
    changed that to 443. thanks for the correction.
  • A-Grinkevitch Posts: 162 F-Secure Employee

    Hello noknowhow,

    Could you please check jetty.request.log in c:\Program Files (x86)\F-Secure\Management Server 5\logs\

    Requests from the Status monitor should be logged like:

    127.0.0.1 - - [date:time +offset] "GET https://localhost:8087/fspms/version HTTP/1.1" 200 11 "-" "FSMS_STATUS_QUERY"

    127.0.0.1 - - [date:time +offset] "GET https://localhost:8083/web-reporting/version HTTP/1.1" 302 0 "-" "FSMS_STATUS_QUERY"

    127.0.0.1 - - [date:time +offset] "GET /fsms/fsmsh.dll/?FSMSCommand=GetVersion HTTP/1.1" 200 - "-" "FSMS_STATUS_QUERY"

    127.0.0.1 - -[date:time +offset] "GET /fsms/fsmsh.dll/?FSMSCommand=GetVersion HTTP/1.1" 200 - "-" "FSMS_STATUS_QUERY"

     

    Please copy-paste it here.

    Also you can check what the status code is for the https://localhost:8087/fspms/version request (200 in my example) and check other logs for exceptions that happened at the same time. If this entry does not exist in the log, that might be a firewall issue.

    Also, one idea is to set RestrictLocalhost to 0 in the registry (with PMS service restart) and try again. Status monitor might reach Policy Manager via external interface while according to your registry only connections from localhost are allowed.
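
Added example (not part of the original thread and not F-Secure code): a Python version of the log check suggested above, which filters jetty.request.log lines for the FSMS_STATUS_QUERY user agent and reports whether the /fspms/version request arrived and with which status. The sample lines and the host name dc01.example.internal are constructed, and the function names are assumptions of this example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

STATUS_AGENT = "FSMS_STATUS_QUERY"  # user agent of Status Monitor requests, per the thread
ADMIN_PATH = "/fspms/version"       # administration-module request named in the thread

# client ident user [timestamp] "METHOD target PROTO" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$')

def parse_line(line):
    """Return the fields of one request-log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    url = urlsplit(m["target"])  # target is an absolute URL or a bare path
    return {"client": m["client"], "host": url.hostname, "port": url.port,
            "path": url.path, "status": int(m["status"]), "agent": m["agent"]}

def status_monitor_summary(lines):
    """Count (path, port, status) for Status Monitor requests and judge the admin probe."""
    records = [r for r in map(parse_line, lines) if r and r["agent"] == STATUS_AGENT]
    counts = Counter((r["path"], r["port"], r["status"]) for r in records)
    admin = [r for r in records if r["path"] == ADMIN_PATH]
    if not admin:
        verdict = "missing"   # the request never reached the server
    elif admin[-1]["status"] == 200:
        verdict = "ok"
    else:
        verdict = "error"     # it reached the server; check other logs for that time
    return verdict, counts

# Constructed sample lines in the format quoted in the thread (not real log data).
TS = "[05/Nov/2017:23:07:58 +0100]"
HEALTHY = [
    f'127.0.0.1 - - {TS} "GET https://localhost:8087/fspms/version HTTP/1.1" 200 11 "-" "FSMS_STATUS_QUERY"',
    f'127.0.0.1 - - {TS} "GET https://localhost:8083/web-reporting/version HTTP/1.1" 302 0 "-" "FSMS_STATUS_QUERY"',
]
HOST_TRAFFIC_ONLY = [
    f'192.168.100.88 - - {TS} "POST https://dc01.example.internal:8082/host-module/fsms/fsmsh.dll?FSMSCommand=UploadPackage&Type=5 HTTP/1.1" 200 8 "-" "F-Secure Network Request Broker"',
]

if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY), ("host traffic only", HOST_TRAFFIC_ONLY)):
        verdict, counts = status_monitor_summary(sample)
        print(name, "->", verdict, dict(counts))
```
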

  • Rob-K Posts: 33

    Hi,

     

    try a telnet on the specified port when the PM services are not running.

    If you get a connection, the port is already used by a different application

     

    format:

    telnet fqdn portnumber
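
Added example (not part of the original thread): the telnet test above as a Python script, extended to compare 127.0.0.1 with the server's other addresses so that a listener bound to loopback only, the situation discussed in this thread, shows up as such. The function names are assumptions of this example, and 127.0.0.2 stands in for the server's LAN address in the offline demo.

```python
import socket

def can_connect(address, port, timeout=2.0):
    """Scripted equivalent of `telnet address port`: True if the TCP handshake completes."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False

def classify_listener(port, other_addresses, timeout=2.0):
    """Compare reachability via loopback with reachability via the host's other addresses."""
    via_loopback = can_connect("127.0.0.1", port, timeout)
    via_other = [a for a in other_addresses if can_connect(a, port, timeout)]
    if via_loopback and not via_other:
        return "loopback-only"   # connect via localhost, or allow remote administration
    if via_other:
        return "reachable-on: " + ", ".join(via_other)
    return "closed"              # nothing listening, or filtered everywhere

def demo_listener(bind_address="127.0.0.1"):
    """Constructed stand-in for a service: listen on an ephemeral port of bind_address."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bind_address, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    srv, port = demo_listener()
    # 127.0.0.2 stands in for the server's LAN address in this offline demo.
    print(port, classify_listener(port, ["127.0.0.2"]))
    srv.close()
```

Run with the Policy Manager services stopped, any result other than closed means another application already holds the port.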

     

     

     

  • As a result I get in the last jetty_2017_11_05.request.log.1 some lines like the following 2 lines

    192.168.100.88 - - [05/Nov/2017:23:07:58 +0100] "GET https://dc01.elora.intern:8082/host-module/fsms/fsmsh.dll?FSMSCommand=GetPackage&Type=4&Identity0=50a2937c-9e70-e211-a059-008cfa3d08ea&Counter=11 HTTP/1.1" 304 0 "-" "F-Secure Network Request Broker"
    192.168.100.88 - - [05/Nov/2017:23:07:58 +0100] "POST https://dc01.elora.intern:8082/host-module/fsms/fsmsh.dll?FSMSCommand=UploadPackage&Type=5&Identity0=50a2937c-9e70-e211-a059-008cfa3d08ea HTTP/1.1" 200 8 "-" "F-Secure Network Request Broker"

     

    I switched to 8085 meanwhile and even restarted the whole machine ...

    Doing a https://localhost:8085/fspms/version comes up with a nearly white page showing only

    13.00.83038
    as I updated from version 12.4 to 13 ... but still the output of the policy manager is
    the same as above

    Administration Module
    HTTP Port : 8085
    Status : a connection with the server can't be established


     

  • Doing https://<ip of server>:443, the output directs me to the login of Outlook Web Access ... as required, while using https://<ip of server>:8085 comes up with a login for F-Secure. After login:

    F-Secure Policy Manager Server

    If this message is displayed, F-Secure Policy Manager Server is installed and working properly. You can now connect using the F-Secure Policy Manager Console.

    The host interface status of F-Secure Policy Manager Server can be checked here.

    Reports can be viewed using F-Secure Policy Manager Web Reporting.

    The public key of the F-Secure Policy Manager Server administration, which is used to verify the validity of distributed policies, can be downloaded here

     

    which means, roughly translated ... it works ... when clicking the report function it comes up with a report on the Web Reporting port I defined with 8083, showing the status of all PCs connected and the approximate details

    But still no policy manager: when trying to log in it keeps saying the connection can not be established.

    I deactivated the Windows firewall but no changes. Interesting is that the corresponding message window states "Cant connect to dc01.elora.intern:8080". Where does it get the 8080 from?

    As port 8080 always has been in use by other applications, we defined the ports at installation as shown in the screenshot above and it worked for some time.

     

  • Well, it seems to be solved somehow... have to check if everything works.
    In the policy manager login I added a new host (modified an existing one) that reads https://localhost:8085

    At least I get the policy manager window and it seems as if I am able to distribute rules.

    But still 2017-11-06 17_09_58-192.168.1.100 - Remotedesktopverbindung.png

     

    and the really funny thing about it is that it worked for some time just with https://localhost

     

     

     

  • A-Grinkevitch Posts: 162 F-Secure Employee

    Hello noknowhow,

    Did you try my previous suggestion to set RestrictLocalhost to 0? You show a screenshot where Status Monitor tries to connect to PM via dc01…, while according to the registry screenshot PM’s admin port listens on the localhost interface only. Unfortunately I do not have your FSMS_STATUS_QUERY entries from the request logs, so I cannot say for sure if that is the exact reason.

    Another question: why does Status Monitor connect to PM via dc01… but not localhost, as it should by default? Did you change the Status Monitor’s configuration manually? As PMC now connects fine, if my assumption is right and you do not need to run PMC on remote hosts, it is enough to change the computer name in the Status Monitor’s configuration to localhost. Even without touching RestrictLocalhost it should connect to all ports successfully.

    As for port 8080: Policy Manager Console uses the default admin port to connect to PM even though the connection string does not have it. So, if you change the port to a non-default one at PMS, you have to change it in PMC’s connection URL as well. Everything works transparently with default ports, but I agree, it is not that obvious when using non-defaults. I’ll talk with the dev team and discuss if it is possible to improve the logic…

This discussion has been closed.