Hello,
I have seen an issue where, while using a third-party gateway (Blue Coat) with ePO 5.1.3, there is no issue, but after migration to 5.9.1, Software Manager cannot reach McAfee sites anymore. From tcpdumps it seems like ePO does not send the same credentials anymore. Performed multiple tests against the account and certificate as per:
https://kc.mcafee.com/corporate/index?page=content&id=KB74029
The AddTrustExternalCARoot certificate was imported on both ePO and the gateway, but it still seems like the gateway receives the wrong authentication account name even after changing it.
Do you have any ideas about it?
Best regards,
Nino
Have you validated the proxy settings in the ePO server settings, proxy settings section?
The credentials are set properly, since the same account is set on another ePO 5.1.3 with another gateway. The thing is that after the upgrade to 5.9.1, the ePO server sends "epohostname$" to the gateway instead of "domain\account", and the gateway cuts its internet access, causing the Software Catalog update task to fail.
I have tested this with a MWG and the behavior seems similar: authentication sends "hostname$" instead of the actual account set for proxy authentication.
I will try to reproduce it with both the 5.9.1 and 5.10 upgrades, but so far I did not find any additional information about upgrading ePO with proxy settings in place.
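Added example, not part of the original thread or of any McAfee tooling: a small decoder for the NTLM AUTHENTICATE (type 3) token carried in a captured `Proxy-Authorization: NTLM ...` header, to confirm which account the server actually presents to the proxy. The domain and host names (`CORP`, `EPO01`) and the sample token are constructed for illustration.

```python
import base64
import struct

SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE

def _field(msg, pos, enc):
    # Each field descriptor is Len(2) MaxLen(2) BufferOffset(4), little-endian.
    length, _, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length].decode(enc)

def ntlm_identity(header_value):
    """Return (domain, user, workstation) from a Proxy-Authorization value,
    or None when the token is a type 1/2 message that carries no user name."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM credential")
    msg = base64.b64decode(token)
    if len(msg) < 12 or msg[:8] != SIG:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        return None
    if len(msg) < 64:
        raise ValueError("truncated AUTHENTICATE message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"  # OEM page assumed
    # Domain, user and workstation descriptors sit at offsets 28, 36 and 44.
    return tuple(_field(msg, pos, enc) for pos in (28, 36, 44))

def is_machine_account(user):
    # Computer accounts end in "$"; a service user configured for the proxy does not.
    return user.endswith("$")

def build_sample_type3(domain, user, workstation):
    """Constructed input for the demo: a type 3 message with empty responses."""
    parts = [b"", b""] + [s.encode("utf-16-le") for s in (domain, user, workstation)] + [b""]
    head, payload = SIG + struct.pack("<I", 3), b""
    for p in parts:
        head += struct.pack("<HHI", len(p), len(p), 64 + len(payload))
        payload += p
    head += struct.pack("<I", NEGOTIATE_UNICODE)
    return "NTLM " + base64.b64encode(head + payload).decode()

if __name__ == "__main__":
    sample = build_sample_type3("CORP", "EPO01$", "EPO01")  # constructed names
    domain, user, _ = ntlm_identity(sample)
    print(f"{domain}\\{user}", "machine account" if is_machine_account(user) else "user account")
```

Feed `ntlm_identity` the header value from the third request of the handshake in the capture; the first request carries a type 1 token, for which the function returns `None`.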
This is a known issue with Blue Coat. The impersonation has no effect in sending the correct proxy user name during the NTLM handshake because WinInet does not support impersonation (refer: https://docs.microsoft.com/en-us/windows/desktop/wininet/wininet-vs-winhttp). They are working on changing ePO to use WinHTTP, but we don't know yet what version that will be in. We have re-added some focus on it, so hopefully we can get that moving, but this is a major change to the way it is currently behaving. Bottom line, no ETA for when that will work as desired. Can they bypass proxy for ePO as a workaround until that is done?
As to why it previously worked, the code was changed to impersonate the proxy user before connecting to the proxy server where it did not before.
One last thing I am curious about: is that affecting all currently supported ePO environments - 5.3.x, 5.9.x and 5.10?
I am sure it is affecting 5.9 and 5.10, but not so sure about 5.3, you would have to test that. Since it is going end of life next month, I know they won't be fixing anything in that version.