Error: "...could not verify the configuration server" and ProxyClient or Unified Agent unable to connect to Client Manager

Article ID: 168470

Products

ProxySG Software - SGOS Unified Agent Local Enforcement

Issue/Introduction

Please note that ProxyClient is End of Life and is not currently supported.

ProxyClient versions 3.4.4.10 and 3.3.3.3 and Unified Agent version 4.1.3.151952 include a feature that requires certificate validation when connecting to the Client Manager. This feature was introduced to address SA89/CVE-2015-1454 (SA89: ProxyClient and Unified Agent Certificate Validation Flaw).

With the introduction of this new security feature, if the Client Manager certificate is not trusted by the workstation where the ProxyClient is installed, the system displays a warning that the certificate is untrusted.

Blue Coat Proxy Client attempted to download new configuration but could not verify the configuration server.

If the user clicks "Yes" to ignore the validation failure, they should not be prompted again. However, to deploy a silent installation, import the Client Manager's certificate into the computer's certificate store before deploying ProxyClient software to workstations. 
 

Resolution

1) Download the certificate from the Client Manager.

First, make note of the certificate used for Client Manager. If you created a keyring specifically for the Client Manager, you need to export the certificate from that keyring for use in the ProxyClient deployment. 

To view or set this keyring in the Client Manager, navigate (in the Management Console) to Configuration > ProxyClient > General > Client Manager.

Note: The Common Name of the certificate in the selected keyring must match the "Use host" field or the hostname from the initial client request. Otherwise, users may still get a pop-up warning regarding a hostname mismatch. 

After you've set or verified the keyring selected in the Client Manager, you can download the certificate by going to the following URL of the ProxySG acting as Client Manager:

https://x.x.x.x:8082/SSL/Download_ca

In the preceding example, x.x.x.x is the IP address of the ProxySG which acts as the Client Manager.

Note: If a specific keyring was not created for the Client Manager function and the setting is default, you only need to download the "default" certificate (shown in the screenshot), provided the common name of the certificate matches the hostname or IP address of the Client Manager. 


2) Import the Client Manager certificate into the Windows workstation certificate store.

The following procedure describes the steps that are required to install the Client Manager's certificate into the computer's certificate store using the Microsoft Management Console snap-in. The configuration below is mainly intended for pre-deployment testing. For silent installations, importing the Client Manager certificate to multiple systems can be automated using the Group Policy Object (GPO) method.

To view the Certificates store on the local computer, perform the following steps:

  1. Click Start, and then click Run.
  2. Type "MMC.EXE" (without the quotation marks) and click OK or press enter.
  3. Click Console in the new MMC you created, and then click Add/Remove Snap-in.
  4. In the new window, click Add.
  5. Highlight the Certificates snap-in, and then click Add.
  6. Choose the Computer option and click Next.
  7. Select Local Computer on the next screen, and then click OK.
  8. Click Close, and then click OK.
  9. Navigate to Trusted Root Certification Authorities/Certificates, select the Certificates folder, and then click Action, select All Tasks, and then click Import.
  10. Proceed through the prompts to navigate and import the certificate downloaded from the Client Manager.


Note: Installing the certificate through Internet Explorer does not accomplish the same goal. Doing so would place the certificate in the user certificate store, whereas the above steps import the certificate into the computer certificate store, where it is needed for ProxyClient access.
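For pre-deployment testing, the same import can be run from an elevated PowerShell prompt. The script below is an added example, not vendor-supplied tooling: it checks the downloaded certificate before trusting it (thumbprint, Common Name, expiry) and then places it in the Local Computer store rather than the user store. The file path, host name and thumbprint are assumed placeholder values; confirm the thumbprint with the ProxySG administrator before using it.

```powershell
# Added example. All three parameter defaults are assumed placeholders.
param(
    [string]$CertPath      = 'C:\Temp\client-manager.cer',   # certificate downloaded from the Client Manager
    [string]$ExpectedHost  = 'clientmanager.example.com',    # "Use host" value or hostname clients connect to
    [string]$ExpectedThumb = '<THUMBPRINT-CONFIRMED-WITH-PROXYSG-ADMIN>'
)
$ErrorActionPreference = 'Stop'

# Writing to the Local Computer store requires an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]::new($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell prompt.'
}

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)

# Adding a trusted root is a trust decision: refuse any certificate other
# than the one whose thumbprint was confirmed out of band.
$want = ($ExpectedThumb -replace '\s', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $want) {
    throw "Thumbprint mismatch: file contains $($cert.Thumbprint)"
}

# The Common Name must match the host the client connects to, otherwise
# users can still see a hostname-mismatch warning. SimpleName is normally
# the subject CN; -ne compares case-insensitively.
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$cn = $cert.GetNameInfo($nameType, $false)
if ($cn -ne $ExpectedHost) {
    throw "Common Name '$cn' does not match '$ExpectedHost'"
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter)"
}

# Import into the computer store (Trusted Root Certification Authorities),
# not Cert:\CurrentUser, which is where a browser-based install would put it.
Import-Certificate -FilePath $CertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Confirm the certificate is now present in the Local Computer store.
$found = Get-ChildItem 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $found) { throw 'Import did not place the certificate in LocalMachine\Root.' }
Write-Output "Imported '$cn' ($($cert.Thumbprint)) into LocalMachine\Root."
```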

Please refer to Microsoft documentation for any additional deployment instructions.
 
