
Troubleshooting the issues with scanner enrollment if you have a proxy server


Article ID: 174251


Products

Protection Engine for Cloud Services, Protection Engine for NAS

Issue/Introduction

If you have a proxy server in your environment and you try to enroll the Symantec Protection Engine scanner with the centralized cloud console, you may encounter the following issues:

  • Scanner enrollment fails.
  • Scanner enrollment succeeds but the CAF service stops functioning.
  • Scanner enrollment succeeds but the centralized cloud console does not receive events.

Certificate pinning does not work correctly when communication between CAF (Common Agent Framework) and the centralized cloud console (CWP Server) passes through a proxy. The certificate chain sent by the server is not received intact across the proxy: the proxy either modifies the chain or sends its own certificate.

Resolution

To resolve this issue, you must disable the certificate pinning.

To disable certificate pinning manually

  1. If you enrolled the scanner with the centralized cloud console without first disabling certificate pinning, unenroll the scanner.
    See Unenrolling scanners from centralized console
  2. Take a backup of the CAFStorage.ini file and delete it.
    Windows: C:\Program Files\Symantec\Common Agent Framework\CAFStorage.ini
    Linux: /opt/Symantec/cafagent/bin/CAFStorage.ini
    Note: Skip steps 1 and 2 if the scanner is not enrolled yet.
  3. Open CAFConfig.ini in a text editor.
    Windows: C:\Program Files\Symantec\Common Agent Framework\CAFConfig.ini
    Linux: /etc/caf/CAFConfig.ini
  4. Remove the following two lines:
    [ssl-config]
    Https_CertFilePath=certs
  5. Enroll the scanner with the centralized cloud console.
    See Enrolling the scanners with the centralized console
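
Steps 2 through 4 on Linux can be scripted. The following is an added example, not vendor tooling and not part of the original article; the function names and the `--apply` argument are hypothetical, the paths are the Linux ones listed above, and it assumes the two lines sit next to each other in CAFConfig.ini as shown in step 4.

```shell
#!/bin/sh
# Added example (not vendor code): steps 2-4 of the procedure, Linux paths from the article.
# Function names and the --apply argument are hypothetical.
CAF_STORAGE="${CAF_STORAGE:-/opt/Symantec/cafagent/bin/CAFStorage.ini}"
CAF_CONFIG="${CAF_CONFIG:-/etc/caf/CAFConfig.ini}"

# Step 2: back up CAFStorage.ini, then delete it. No-op if the scanner was never enrolled.
backup_and_remove_storage() {
    storage="$1"
    [ -f "$storage" ] || return 0
    cp -p "$storage" "$storage.bak" && rm -f "$storage"
}

# Returns 0 while either pinning line is still present in the config file.
pinning_configured() {
    grep -Eq '^[[:space:]]*(\[ssl-config\]|Https_CertFilePath=certs)[[:space:]]*$' "$1"
}

# Steps 3-4: keep a .bak copy, then drop "[ssl-config]" together with the
# "Https_CertFilePath=certs" line that follows it. Every other line is kept as-is.
disable_pinning() {
    config="$1"
    [ -f "$config" ] || { echo "missing: $config" >&2; return 1; }
    cp -p "$config" "$config.bak" || return 1
    tmp="$config.tmp.$$"
    awk '
        { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line) }          # trimmed copy for matching
        line == "[ssl-config]" { if (held) print hdr; hdr = $0; held = 1; next }
        held && line == "Https_CertFilePath=certs" { held = 0; next }  # drop both lines
        held { print hdr; held = 0 }                               # header had other content: keep it
        { print }
        END { if (held) print hdr }
    ' "$config.bak" > "$tmp" && cat "$tmp" > "$config" && rm -f "$tmp"  # cat keeps owner and mode
}

# Nothing is touched unless the script is run with --apply.
if [ "${1:-}" = "--apply" ]; then
    backup_and_remove_storage "$CAF_STORAGE" &&
    disable_pinning "$CAF_CONFIG" &&
    if pinning_configured "$CAF_CONFIG"; then
        echo "pinning lines still present, edit $CAF_CONFIG by hand" >&2
        exit 1
    fi
fi
```

Steps 1 and 5 (unenrolling and enrolling) are not covered by the script. The `.bak` copies it leaves beside both files allow the change to be reverted.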