Troubleshooting Agent-Server Communication Failure

Domain Reachability

Server domains/IP addresses should be whitelisted in firewalls, proxies, antivirus software, web filters, etc. Find the list of domains here. To verify domain reachability: Open your browser, type https://<domain name>, and check whether the HTTPS requests are successful without requiring any user intervention.

Proxy Configuration

To make the agent communicate via proxy, the proxy should be configured for remote offices. This can be done by navigating to Agent -> Remote Offices -> Edit Remote Office.

NOTE:

  • Existing agents need to be reinstalled with new agent binaries to apply proxy details in the agent.
  • The agent will not use system proxy.
  • If the agent is unable to reach the proxy server, it will try to contact the Endpoint Central server without a proxy.

Ensure TLS 1.2 is the Default Mode of Communication

Transport Layer Security (TLS) is the security protocol used for encrypting communication between web servers and endpoints. Support for older versions 1.0 and 1.1 has been withdrawn due to security concerns. TLS 1.2 is made mandatory for communicating with the cloud server (Link). In some legacy Windows devices such as Windows 7, Windows Server 2008 R2, and Windows Server 2012, TLS 1.2 is not enabled by default. Navigate to the following link to enable TLS 1.2: Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows.

Proxy Certificates missing in Trusted Certificate Store

Some proxies might intercept agent-server communication by providing their own self-signed certificate. In such cases, a proxy root certificate has to be installed in the machine's trust store. Manual certificate installation steps and certificate installation via GPO steps are attached below.

THIRD-PARTY ROOT CERTIFICATE IS MISSING FROM THE WINDOWS TRUSTED ROOT CERTIFICATE STORE

Root certificates are used to authenticate a website's identity and enable encrypted communication with the server. The Windows Root Certificate Program enables trusted root certificates to be distributed automatically in Windows. Some reasons for missing root certificates include:

  • The administrator removed the root certificate from the system.
  • The system might not be patched with the Windows Root Certificate Program Update.
  • The system doesn't have internet connectivity, which is needed to perform an automatic root certificate update.
  • The system administrator might have deployed a GPO Policy that disables certificate auto-download.
Registy Path  HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\AuthRoot 
Registry Name   DisableRootAutoUpdate 
Registry Value 1 [REG_DWORD] 

The following root certificates are used to authenticate the server domains: link. If the root certificate is missing on some machines, the certificate can be installed manually.

STEPS TO IMPORT ROOT CERTIFICATE MANUALLY

  1. Run mmc.exe.
  2. Select File -> Add/Remove Snap-in, select Certificates (certmgr) in the list of snap-ins, and then click Add.
  3. Select that you want to manage certificates of the local Computer account.
  4. Click Next -> OK -> OK.
  5. Expand the Certificates node -> Trusted Root Certification Authorities Store. This section contains a list of trusted root certificates on your computer.
  6. If the above-mentioned root certificates are not available in the trusted store, right-click Trusted Root Certification Authorities Store, select All Tasks -> Import to import the root certificates into the trusted store.

If the root certificate is missing on many machines, certificates can be installed via GPO. Refer to the following steps for Certificate Installation Via GPO: link