We have a lot of Integrity Agent clients getting stuck on the Disconnected Policy. When first connecting to the network, the client says it has contacted the server (once), but the Disconnected policy stays active and it never hits the server again. So far the only fix has been to create a new Windows user profile. If anyone else logs onto the same machine, it works fine. You can ping the server and even connect to the server interface via 443. Running server 6.50.636.000 and client 6.5.063.199. Any words of wisdom would be appreciated. Thanks.

It is part of a policy package and we don't include a disconnected or personal policy in the client install package. It acts as if it just decides to stop checking in. I noticed there was a thread about the DP staying active after the 2nd time using VPN if conditions are right. We do use VPN, but the problem also exists when they are in the office on our LAN.

Then it appears to be a connectivity issue. What is confusing is that only some clients experience the issue.
1. Check to ensure the following ports are open to the Integrity server: 443 and 80 TCP and 6054 UDP. Sniff the traffic from the client to ensure that you are getting traffic (heartbeats) from the client and the server on port 6054, and that you are getting responses. Also, if the client is resolving by DNS name, you will have to make sure that it is resolving the name correctly. You can check the ZALOG.txt file and see if DNS queries (port 53) are being blocked.
2. Do you have proxy devices? Has the Integrity server been set as an override using both IP and name?
hth

Likely to be a proxy server issue. Does your Default User Profile have proxy server settings configured at all? If so, here are two methods to override these. If there are proxy settings in the default profile on the clients, then this can be fixed in a number of ways. Create an exception for the Integrity Server in the SYSTEM user's proxy settings by one of the following two methods:

In the SYSTEM user registry key S-1-5-18, HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings, change the ProxyOverride key to include the IP address or FQDN of the Integrity Server;

Or, in the SYSTEM user registry key HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings, set 'ProxyEnable' to 0 (off) to disable proxy settings for the SYSTEM user.

The other way is the following.

Solution: The config.xml can be configured to create connections to the Integrity server and to create initial installation settings for a new Integrity install. Starting from Integrity 6.5 HFA_03 onward, you can also configure a config.xml for the client package to enable an Integrity client to contact the Integrity server if the default User Profile contains proxy information. These settings are used to modify the personal policy that stores the configuration and connection information. To enable the Integrity client to bypass the proxy settings, add the following proxy override attributes to your existing config.xml settings (see example below):

proxyEnable = true/false
proxyServer = Proxy-Server-IP:port
proxyOverride = Integrity-Server-IP[;Integrity-Server-Name]

Example:

```xml
<configuration proxyEnable="true" proxyServer="1.1.1.1:8080" proxyOverride="192.168.1.1"/>
```

Notes: The Integrity server must be spelled out in full in the bypass list. For example, if the Integrity server's URL is integrity.zonelabs.com, the wildcard proxy entry *.zonelabs.com will not work. You must specify the entire name, integrity.zonelabs.com. This is also true for IP. The proxy override entry must match the connection string in the client package. If you use an IP address to connect to the Integrity server, you must configure the IP address in the override list. If you use a URL, it must be configured with the complete URL.

It does not look as though we have proxy settings set for our user profiles. ProxyEnable is set to "0". I used Microsoft Network Monitor to view any communication with our Integrity server IP. The clients that are working properly call and get replies from the server on 443 and 6054. The clients that are stuck on the disconnected policy aren't trying to call the server at all. Do you guys know if there is a reason why the client would stop trying to call home? Thanks.

With a deployment set to always trigger there is a default reset interval timer of 180 sec, which means that the client will attempt a sync request on port 443 every 120 secs by default.
1. Did you deploy the same client package to all the endpoints?
2. Did you set it for LDAP, NT domain or Manual?
3. Have you eliminated DNS as an issue, i.e. that port 53 is not blocked and that the endpoints can ping the server by DNS name? Place the Integrity server in the hosts file of a client that is not working if you are unsure, and verify by a successful ping.

We have two package installs out there: some are still 6.0 clients and some have been upgraded to 6.5 (199). I believe we've seen this problem in both. I've tried upgrading to .207 and .222, but no cigar. We've always left the authentication setting on NT Domain, and we set the server location by IP. Thanks.

After a new installation and reboot, I believe that the next user should have admin rights on the box. If not, I don't think the install finishes. On those boxes that are not connecting, log in with admin rights, then go to the command line and the Integrity client directory and run the following command:

iclient -config c:\path\to\policy.xml

where policy.xml is the following, and you edit your.integrity.server.ipaddress to the IP address of your server. By all means that will get you connected.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<ZoneLabsSettings version="1">
  <ruleset name="runningruleset" start="afterstartup" stop="onshutdown">
    <integrity>
      <connection name="Integrity Server"
                  host="https://your.integrity.server.ipaddress:443/cm/"
                  port="0" trigger="always" DelayTime="0"
                  connectionId="INTEGRITY_TRIGGER_ALWAYS"
                  reconnectInterval="60" orientation="Enterprise" />
    </integrity>
  </ruleset>
</ZoneLabsSettings>
```

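As an added consistency check (not code from this thread or from Check Point), the following Python parses the config.xml proxy attributes from the earlier post and the policy.xml connection stanza from the post above, and verifies that the proxyOverride list spells out exactly the host used in the connection string, flagging wildcard entries that the note above says the client will not honour. The sample XML is constructed from the thread's own examples with a placeholder server IP.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample of the config.xml proxy attributes shown in the thread.
CONFIG_XML = ('<configuration proxyEnable="true" proxyServer="1.1.1.1:8080" '
              'proxyOverride="192.168.1.1"/>')

# Constructed sample of the policy.xml connection stanza (placeholder server IP).
POLICY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<ZoneLabsSettings version="1">
  <ruleset name="runningruleset" start="afterstartup" stop="onshutdown">
    <integrity>
      <connection name="Integrity Server" host="https://192.168.1.1:443/cm/"
                  port="0" trigger="always" DelayTime="0"
                  connectionId="INTEGRITY_TRIGGER_ALWAYS"
                  reconnectInterval="60" orientation="Enterprise" />
    </integrity>
  </ruleset>
</ZoneLabsSettings>"""


def connection_host(policy_xml):
    """Hostname (IP or FQDN) taken from the policy's <connection host="..."> URL."""
    conn = ET.fromstring(policy_xml).find("./ruleset/integrity/connection")
    if conn is None:
        raise ValueError("policy has no <connection> element")
    return (urlparse(conn.get("host", "")).hostname or "").lower()


def proxy_override_entries(config_xml):
    """The ';'-separated proxyOverride list from the config.xml attributes."""
    raw = ET.fromstring(config_xml).get("proxyOverride", "")
    return [e.strip().lower() for e in raw.split(";") if e.strip()]


def check_override(config_xml, policy_xml):
    """Return a list of problems; an empty list means the bypass is consistent."""
    cfg = ET.fromstring(config_xml)
    if cfg.get("proxyEnable", "false").lower() != "true":
        return []  # no proxy configured for the client, so nothing to bypass
    problems = []
    entries = proxy_override_entries(config_xml)
    for entry in entries:
        if "*" in entry:  # wildcard entries are not honoured by the client
            problems.append(f"wildcard entry {entry!r}: spell out the full name or IP")
    host = connection_host(policy_xml)
    if host not in entries:  # override must match the connection string exactly
        problems.append(f"connection host {host!r} is not in proxyOverride")
    return problems
```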
Thanks! Looks like loading the connection info into the policy worked. Other problems similar to this seem to be fixed by rebooting the server (it probably needs a new server install). Thanks again!