Sensor not connecting via proxy/firewall
Article ID: 285059
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
- Endpoint Standard sensor fails to install
- Endpoint Standard sensor stops checking in to the console
- The following error can be observed in the confer logs
http: schannel: next InitializeSecurityContext failed: Unknown error (0x80092013) - The revocation function was unable to check revocation because the revocation server was offline
- This issue may also occur in environments without a proxy
- This issue may occur on select machines while others with the same network configuration are able to communicate
Environment
- Carbon Black Cloud Windows Sensor: Version 3.3.x.x and Higher
- Microsoft Windows: All Supported Versions
- Network Proxy and/or Firewall
Cause
- CRL (Certificate Revocation List) checks are performed on a per application basis
- The 3.3.x.x and higher sensor relies on Windows to execute a CRL check
- The CRL traffic generated by Windows needs to be allowed
- This traffic is attempting to access the ocsp.godaddy.com and crl.godaddy.com domains
Resolution
#%$Depending on the environment, there are multiple options to allow this traffic not limited to but including the following general steps. Specific steps will depend on environment configuration.#%$
Options:
- Configure the Winhttp service on the affected machines to utilize the proxy for Windows CRL checks
- Configure the proxy or firewall to allow CRL traffic
- Allow port 80 traffic to crl.godaddy.com and ocsp.godaddy.com through the proxy or firewall
- For sensors 3.4.0.925 and higher review How To Configure Sensor Not To Require CRL Checks On Install
- For sensors 3.8.0.722 and higher review How to Adjust CRL checking for Best Effort
Additional Information
- Additional information can be found about What are some concerns with disabling the CRL check within the Sensor?
- The minimum requirement to resolve this issue is to allow CRL check traffic to the crl.godaddy.com and ocsp.godaddy.com domains as noted in the last option listed under Resolution
- The crl.godaddy.com and ocsp.godaddy.com domains utilize OCSP (Online Certificate Status Protocol) and Certificate Revocation List (CRL) checks to validate the sensor's install certificate
- CAPI2 logging can be enabled on the affected device to provide further insight into CRL traffic
- If the issue is not resolved with the above configuration changes or only occurs on a subset of machines with the same network configuration, please open a support case
Feedback
Yes
No
Powered by
