Unified Agent does not go into passive mode

Article ID: 168621

Products

Web Security Service - WSS

Issue/Introduction

The organization has an on-premises Symantec ProxySG that protects the corporate network. To enforce the local policies while users are connected to the corporate network, Unified Agent (UA) must go into a passive mode. Passive mode ensures that the local policies take effect on all user devices.

The following UA log entry indicates that the connection was forcibly closed by the remote host:

<16>[05-24-2016 10:35:05 (UTC+5:30)]: Tunnel error on tunnel(non-interactive-user): (10054) An existing connection was forcibly closed by the remote host

Here, "remote host" does not mean only the WSS data center; it includes any intermediate device on the path, such as a firewall or proxy. If the on-premises proxy does not allow the connection to the data center, the UA cannot confirm its location with the portal and therefore cannot enter passive mode.

From outside the corporate network (for example, from a home network), the UA is able to connect. This shows that there is nothing wrong with the UA configuration and settings themselves; the problem lies on the corporate network path.

Cause

Unified Agent attempts to establish a connection to client.threatpulse.net, ctc.threatpulse.com, and portal.threatpulse.com, which it must do to determine whether it is on a protected network. When Unified Agent detects that it is on a protected network, it goes into passive mode automatically.

Resolution

Enforce passive mode on Unified Agent

Log in to the Web Security Service portal.

Create an Explicit Proxy location that specifies the public egress IP address for the corporate network, following the steps below.

  1. Go to Service.
  2. Select Network.
  3. Select Locations.
  4. Select Add Location.
  5. Select the Explicit Proxy access method.
  6. Specify the public egress IP address for the corporate network.
  7. Fill in the required fields (marked *) and Save.

Ensure that:

  • Authentication on the on-premises ProxySG is disabled for: client.threatpulse.net, ctc.threatpulse.com, and portal.threatpulse.com
  • SSL interception is disabled for: client.threatpulse.net, ctc.threatpulse.com, and portal.threatpulse.com
  • Traffic is allowed on: client.threatpulse.net, ctc.threatpulse.com, and portal.threatpulse.com
  • Intermediate devices are checked. If a proxy or firewall on the path does not allow the connection to the data center, the UA cannot confirm its location with the portal and will not enter passive mode.
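The following diagnostic is an added example, not code from the Symantec article or the WSS product. It checks the three ProxySG conditions listed above for each of the detection hosts named in the Cause section: it opens a CONNECT tunnel through the on-premises proxy (a 407 reply means authentication is still enabled, a 403 means traffic is blocked, a reset maps to the 10054 error in the log), then completes a TLS handshake and reports if the certificate was issued by the corporate interception CA. It also parses the UA tunnel-error log line from the article so the Winsock code can be read off directly. The proxy address and port, the corporate CA common name, and the sample log line are placeholders or constructed values; the Winsock code meanings are the standard Windows definitions.

```python
"""Added diagnostic for Unified Agent passive-mode detection (not the article's code)."""
import re
import socket
import ssl

# Hosts the Unified Agent contacts to decide whether it is on a protected
# network (taken from the article).
WSS_DETECTION_HOSTS = (
    "client.threatpulse.net",
    "ctc.threatpulse.com",
    "portal.threatpulse.com",
)

# Standard Winsock error codes that appear in UA tunnel errors.
WINSOCK_HINTS = {
    10054: "connection reset: a proxy, firewall or other intermediate device closed the tunnel",
    10060: "timeout: traffic to the data center is probably being dropped",
    10061: "connection refused: nothing is listening, or the port is blocked",
}

# Matches the UA log format shown in the article:
# <16>[05-24-2016 10:35:05 (UTC+5:30)]: Tunnel error on tunnel(...): (10054) ...
UA_LOG_RE = re.compile(
    r"^<(?P<pri>\d+)>\[(?P<ts>[^\]]+)\]:\s*(?P<msg>.*?)"
    r"(?:\s*\((?P<code>\d{5})\)\s*(?P<detail>.*))?$"
)


def parse_ua_log_line(line):
    """Split one UA log line into timestamp, message, Winsock code and a hint; None if no match."""
    m = UA_LOG_RE.match(line.strip())
    if not m:
        return None
    code = int(m["code"]) if m["code"] else None
    return {
        "timestamp": m["ts"],
        "message": m["msg"],
        "winsock_code": code,
        "detail": m["detail"] or "",
        "hint": WINSOCK_HINTS.get(code, "no specific hint for this code"),
    }


def classify_connect_status(status):
    """Map the proxy's reply to a CONNECT request onto the article's checklist."""
    if status == 200:
        return "ok"
    if status == 407:
        return "authentication enabled for this host (article: disable it)"
    if status == 403:
        return "traffic blocked by policy (article: allow it)"
    return f"unexpected proxy response {status}"


def classify_issuer(issuer_cn, corporate_ca_cn):
    """Flag SSL interception: the server certificate was issued by the corporate CA."""
    if corporate_ca_cn and issuer_cn == corporate_ca_cn:
        return "SSL interception active for this host (article: disable it)"
    return "ok"


def probe_host(host, proxy_host, proxy_port, corporate_ca_cn=None, timeout=10):
    """CONNECT through the proxy to host:443 and complete a TLS handshake (needs network)."""
    findings = {"host": host, "connect": None, "tls": None}
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as raw:
            raw.sendall(f"CONNECT {host}:443 HTTP/1.1\r\nHost: {host}:443\r\n\r\n".encode())
            reply = b""
            while b"\r\n\r\n" not in reply:
                chunk = raw.recv(4096)
                if not chunk:  # proxy closed the tunnel: same symptom as Winsock 10054
                    raise ConnectionResetError("proxy closed the connection")
                reply += chunk
            status = int(reply.split(b" ", 2)[1])
            findings["connect"] = classify_connect_status(status)
            if status != 200:
                return findings
            ctx = ssl.create_default_context()
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                findings["tls"] = classify_issuer(issuer.get("commonName"), corporate_ca_cn)
    except ssl.SSLCertVerificationError as exc:
        # An untrusted issuer on a public host is itself a strong sign of interception.
        findings["tls"] = f"certificate not trusted, likely intercepted: {exc}"
    except OSError as exc:
        findings["connect"] = f"socket error: {exc}"
    return findings


def run_checks(proxy_host, proxy_port, corporate_ca_cn=None):
    """Probe every WSS detection host through the given proxy."""
    return [probe_host(h, proxy_host, proxy_port, corporate_ca_cn) for h in WSS_DETECTION_HOSTS]


if __name__ == "__main__":
    # Constructed sample line in the article's format.
    sample = ("<16>[05-24-2016 10:35:05 (UTC+5:30)]: Tunnel error on "
              "tunnel(non-interactive-user): (10054) An existing connection "
              "was forcibly closed by the remote host")
    print(parse_ua_log_line(sample))
    # Placeholder proxy address, port and CA name; replace with your own values.
    for finding in run_checks("proxysg.example.internal", 8080, "Corporate Interception CA"):
        print(finding)
```

Run it from a device on the corporate network so the probes traverse the same ProxySG the UA uses; any result other than "ok" for a host corresponds to one of the checklist items above.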
