Cannot establish trust relationship with load balanced Endpoint Encryption Management Server

Article ID: 193516

Products

Endpoint Encryption

Issue/Introduction

If you use more than one Endpoint Encryption Management Server and a load balancer distributes client traffic across them, certain commands run from Symantec Endpoint Encryption Manager may fail with an SSL/TLS trust error. For example, you may see the following error message when you run the Change Web Access command:

In the Event Viewer System log on the server you may see a corresponding Schannel error with Event ID 36888 (a fatal TLS alert generated during the handshake):

Cause

Endpoint Encryption Manager connects to the host name configured as the Web server name, and Schannel rejects the connection because that name does not match any DNS name in the server's TLS certificate (the certificate's Subject Alternative Names, or its Common Name if it carries no DNS SANs). Behind a load balancer the certificate is typically issued for the load-balanced name, while each server is configured with its own host name, so the two do not match.

In SEEMS Configuration Manager, in the Web Server section, the Web server name must match one of the names in the certificate specified in the Server Certificate field.

Environment

Release : 11.0 and above.

Component : Symantec Endpoint Encryption Management Server.

Resolution

There are two ways to resolve this.

Option 1 - Modify local hosts file

In SEEMS Configuration Manager, set the Web server name value to the name on the Endpoint Encryption Management Server's TLS certificate.

For example, suppose that your clients connect to the DNS name see.example.com, which resolves to a load balancer in front of two Endpoint Encryption Management Servers named see1.example.com and see2.example.com. If the TLS certificate is issued for see.example.com, then you must use see.example.com as the Web server name in SEEMS Configuration Manager:

You then need to add an entry to the C:\Windows\System32\drivers\etc\hosts file on each Endpoint Encryption Management Server that points see.example.com to that server's own IP address. This makes each server resolve the load balancer's DNS name to itself, so the local handshake presents the certificate whose name matches. Note that the hosts entry applies to every process on that server, so any traffic the server sends to see.example.com bypasses the load balancer. For example, if the local Endpoint Encryption Management Server has the IP address 10.9.8.7, the entry looks like this:

10.9.8.7 see.example.com
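The following PowerShell script is an added example, not part of this article or of the Symantec product. Run from an elevated prompt on one Endpoint Encryption Management Server, it adds the hosts entry idempotently, confirms that the load-balanced name now resolves locally, and then performs a TLS handshake against that name to report Schannel's verdict and the DNS names actually present in the certificate. The names see.example.com, 10.9.8.7 and port 443 are assumptions; change them for your environment.

```powershell
# Added example, not part of the Broadcom article: pin the load-balanced name to
# this server's own address in the hosts file, then open a TLS connection to
# that name and report whether the certificate's DNS names match it.
# Run from an elevated PowerShell prompt (the hosts file is protected).
# Assumed values (change them for your environment):
$WebServerName = 'see.example.com'   # name clients use and name on the certificate
$LocalIp       = '10.9.8.7'          # this server's own IP address
$Port          = 443                 # HTTPS port of the management web service
$HostsPath     = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. Add "10.9.8.7  see.example.com" to the hosts file unless an entry already exists.
$pattern = '^\s*\S+\s+' + [regex]::Escape($WebServerName) + '(\s|$)'
$present = @(Get-Content -Path $HostsPath) -match $pattern
if (-not $present) {
    Add-Content -Path $HostsPath -Value ("{0}`t{1}" -f $LocalIp, $WebServerName)
}
Clear-DnsClientCache

# 2. The name must now resolve to this server, not to the load balancer.
$addresses = [System.Net.Dns]::GetHostAddresses($WebServerName) | ForEach-Object IPAddressToString
"{0} resolves to {1}" -f $WebServerName, ($addresses -join ', ')

# 3. Handshake with the server and capture Schannel's verdict on the certificate.
#    The callback records the policy errors (None, RemoteCertificateNameMismatch,
#    RemoteCertificateChainErrors) and accepts the certificate for inspection only;
#    never use such a callback in production code.
$script:policyErrors = $null
$callback = {
    param($sender, $certificate, $chain, $errors)
    $script:policyErrors = $errors
    return $true
}
$client = New-Object System.Net.Sockets.TcpClient($WebServerName, $Port)
$ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($WebServerName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose(); $client.Dispose()
}

# 4. Collect the certificate's DNS names: the subject name plus every SAN dNSName
#    (OID 2.5.29.17; Windows formats the extension as "DNS Name=a, DNS Name=b").
$names = @($cert.GetNameInfo('DnsName', $false))
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($sanExt) {
    $names += ($sanExt.Format($false) -split ',\s*') |
        Where-Object { $_ -like 'DNS Name=*' } |
        ForEach-Object { $_ -replace '^DNS Name=', '' }
}
$names = $names | Sort-Object -Unique

"Certificate subject : {0}" -f $cert.Subject
"Certificate names   : {0}" -f ($names -join ', ')
"Schannel result     : {0}" -f $script:policyErrors
if ($names -contains $WebServerName) {
    "OK: '{0}' is on the certificate; use it as the Web server name in SEEMS Configuration Manager." -f $WebServerName
} else {
    "MISMATCH: '{0}' is not on the certificate; expect the trust relationship error." -f $WebServerName
}
```

If the Schannel result reports RemoteCertificateChainErrors rather than a name mismatch, the name is fine but the issuing CA is not trusted on that machine, which is a different problem from the one described here. Repeat the script on each management server, each time with that server's own IP address in $LocalIp.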

Option 2 - Use a certificate with additional Subject Alternative Names

If you wish to avoid adding an entry to the local hosts file, you can use a TLS certificate that carries additional SANs (Subject Alternative Names) for each Endpoint Encryption Management Server. For example, the certificate is issued for see.example.com but also has SANs for see1.example.com and see2.example.com.

With a certificate that has the correct SANs installed and selected in the Server Certificate field, the Web server name in SEEMS Configuration Manager can be any name that appears among the SANs, so each server can keep its own host name (see1.example.com on the first server, see2.example.com on the second) with no hosts file change.
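The following PowerShell script is an added example, not part of this article or of the Symantec product. It generates a certificate request (CSR) with certreq.exe for the load-balanced name plus a SAN for each management server, and includes a small check to run against the issued certificate to confirm every expected SAN is present. The names see.example.com, see1.example.com and see2.example.com and the working directory are assumptions; the request must still be submitted to your own CA.

```powershell
# Added example, not part of the Broadcom article: build a CSR whose SANs cover
# the load-balanced name and each Endpoint Encryption Management Server, submit
# it to your CA, then verify the SANs on the issued certificate.
# Run elevated so the private key is created in the machine store.
# Assumed names (change them for your environment):
$PrimaryName = 'see.example.com'
$ExtraNames  = 'see1.example.com', 'see2.example.com'
$WorkDir     = Join-Path $env:TEMP 'seems-cert'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# certreq reads the SAN list from the INF as "{text}" with one dns= entry per
# _continue_ line; every line except the last must end with "&".
$allNames = @($PrimaryName) + $ExtraNames
$sanLines = for ($i = 0; $i -lt $allNames.Count; $i++) {
    $suffix = if ($i -lt $allNames.Count - 1) { '&' } else { '' }
    '_continue_ = "dns={0}{1}"' -f $allNames[$i], $suffix
}

# Exportable = TRUE so the same certificate and key can be installed on every
# server behind the load balancer; alternatively generate one request per server.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$PrimaryName"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
MachineKeySet = TRUE
Exportable = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
$($sanLines -join "`r`n")
"@

$infPath = Join-Path $WorkDir 'request.inf'
$reqPath = Join-Path $WorkDir 'request.req'
$cerPath = Join-Path $WorkDir 'issued.cer'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Create the private key and the request; submit request.req to your CA.
certreq.exe -new $infPath $reqPath
"Submit $reqPath to your CA, save the issued certificate as $cerPath, then run:"
"  certreq.exe -accept $cerPath"

# After the CA issues the certificate, confirm it carries every expected SAN.
function Test-CertificateSans {
    param([string]$CerPath, [string[]]$Expected)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $have = if ($san) { ($san.Format($false) -split ',\s*') -replace '^DNS Name=', '' } else { @() }
    foreach ($n in $Expected) {
        if ($have -contains $n) { "present: $n" } else { "MISSING: $n" }
    }
}
if (Test-Path $cerPath) { Test-CertificateSans -CerPath $cerPath -Expected $allNames }
```

Once certreq.exe -accept has bound the issued certificate to the key, select it in the Server Certificate field of SEEMS Configuration Manager on each server and set the Web server name to that server's own SAN. If any name reports MISSING, the CA template dropped or rewrote the SAN request and the original error will persist for that name.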
