Unable to make HTTP Proxy work

[karsayor 8]

Hello

 

I did setup the proxy as explained here, but I cannot get it to work. My policy is as attached in pictures but I cannot get it to work. Everytime I apply to policy to agent, then it fails to connect with event on the agent :

Quote

2020-04-15 13:42:01 Error: CReplicationModule [Thread ac70]: CAgentReplicationManager: Replication finished unsuccessfully with message: Request: Era.Common.Services.Replication.PublishLogRequest on connection: host: "ESMCVAIP" port: 2222 with proxy set as: Proxy: Connection: ESMCVAIP:3128, Credentials: Name: , Password: ******, Enabled:1, EnabledFallback:0, failed with error code: 14, error message:  Connect Failed, and error details: Replication details: [Task: CLogRegularTask, Scenario: Automatic replication (REGULAR), Connection: ESMCVAIP:2222, Connection established: true, Replication inconsistency detected: false, Server busy state detected: false, Realm change detected: false, Realm uuid: 34beb5ce-7f17-11ea-87fd-005056b9736f, Sent logs: 0, Cached static objects: 71, Cached static object groups: 10, Static objects to save: 1, Static objects to delete: 1, Modified static objects: 2]
2020-04-15 13:43:43 Error: CReplicationModule [Thread ac70]: InitializeConnection: Initiating replication connection to 'host: "ESMCVAIP" port: 2222' failed with: Request: Era.Common.Services.Replication.CheckReplicationConsistencyRequest on connection: host: "ESMCVAIP" port: 2222 with proxy set as: Proxy: Connection: ESMCVAIP:3128, Credentials: Name: , Password: ******, Enabled:1, EnabledFallback:0, failed with error code: 14, error message: Connect Failed, and error details: 
2020-04-15 13:43:43 Warning: CReplicationModule [Thread ac70]: InitializeConnection: Not possible to establish any connection (Attempts: 1)
2020-04-15 13:43:43 Error: CReplicationModule [Thread ac70]: InitializeFailOverScenario: Skipping fail-over scenario (stored replication link is the same as current)
2020-04-15 13:43:43 Error: CReplicationModule [Thread ac70]: CAgentReplicationManager: Replication finished unsuccessfully with message: InitializeConnection: Initiating replication connection to 'host: "ESMCVAIP" port: 2222' failed with: Request: Era.Common.Services.Replication.CheckReplicationConsistencyRequest on connection: host: "ESMCVAIP" port: 2222 with proxy set as: Proxy: Connection: ESMCVAIP:3128, Credentials: Name: , Password: ******, Enabled:1, EnabledFallback:0, failed with error code: 14, error message:  Connect Failed, and error details: Replication details: [Task: CReplicationConsistencyTask, Scenario: Automatic replication (REGULAR), Connection: ESMCVAIP:2222, Connection established: false, Replication inconsistency detected: false, Server busy state detected: false, Realm change detected: false, Realm uuid: 34beb5ce-7f17-11ea-87fd-005056b9736f, Sent logs: 0, Cached static objects: 71, Cached static object groups: 10, Static objects to save: 0, Static objects to delete: 0, Modified static objects: 0]

And on the server side I get :

Quote

[Wed Apr 15 08:47:10.064901 2020] [access_compat:error] [pid 1201] [client CLIENTIP:54581] AH01797: client denied by server configuration: proxy:ESMCVAIP:2222

What is very strange is that if I install the agent with the ESMCAgentInstaller.bat including the HTTP Proxy settings, then it works, but as soon as the policy with the same settings is applied. Connect cannot be made anymore..

I would really appreciate help since I don't know where to look for anymore...

 

 

diagnotic-agentsetupwithhttpproxy.txt diagnotic-agentwithpolicy.txt

[MartinK 378]

Error from proxy itself indicates that it is missing configuration enabling client to use it for AGENT->ESMC communication. It is by default configured only to enable communication of clients with ESET servers, i.e. with services available in the internet.

In order to configure it properly, you should follow this documentation article, where you will have to configure at least ProxyMatch parameters to match your environment.

Installer most probably works because when proxy is set during installation, it enabled "Use direct connection if HTTP proxy is not available", which means that AGENTs are connecting directly to ESMC in case connection through proxy fails.

Just from curiosity: you are attempting to use HTTP proxy not only for accessing internet, but also for ESMC->AGENT (= Global proxy configuration) communication: is it expected? Asking because it makes almost no sense in case both proxy and ESMC are on the same machine.

[karsayor 8]

Hi Martin,

Thank you for your time and analysis. Indeed, you were correct. It seems that adding a ProxyMatch rule solved the issue.

I still wonder because I followed this topic to enable HTTP Proxy which is linked to the second part of this one to configure a policy for the clients that clearly states that we should enable the Global Proxy, but I don't see any mention of the need to add a ProxyMatch rule in case you want to use a Global Proxy ?

It's not specially necessary for the to proxy communication from agents to ESMC, I was just following those two KB and was thinkin that those were the best practices :)

In earlier version of ESMC like 6, IIRC there was only one setting for the proxy correct ? And am I still correct thinking that setting up this proxy was like configuring the Proxy only for ESET Services below ? So the option to Proxy replication to ESMC servers appeared since when ? It's just for me to understand :)

[MartinK 378]

10 hours ago, karsayor said:

In earlier version of ESMC like 6, IIRC there was only one setting for the proxy correct ? And am I still correct thinking that setting up this proxy was like configuring the Proxy only for ESET Services below ? So the option to Proxy replication to ESMC servers appeared since when ? It's just for me to understand

Thanks for letting us know, I will ask our documentation team to verify.

And indeed there was only one setting in ERA6, but it was used only for HTTP downloads (i.e. eqivalent of ESET Services setting). With ESMC 7.0, new protocol was introduced, capable of communication through HTTP proxy -> settings were extended to handle cases, where HTTP proxy used in environments are used primarily to access internet and might not even be capable of handling AGENT-to-ESMC communication (as was yours until reconfiguration).

 

[karsayor 8]

Thank you !