How To Troubleshoot Brokerconfig and General Gateway Agent Issues

Version 13

    Verified Product Versions

    Endpoint Manager 9.6Endpoint Manager 2016.xEndpoint Manager 2017.x


    How to Troubleshoot BrokerConfig and General Gateway Agent Issues.




    You may see any of the following errors:

    1. Connection through management gateway failed 14 SSL name mismatch.
    2. The underlying connection was closed: Unable to connect to the remote server.
    3. 404: Not Found.
    4. 401: Unauthorized.
    5. BrokerConfig returns: HTTPS response finished status 404 description not found - connection link not successful. status 404 (Skip to AGENT step 1)





    1. Core.Secure, SSL and sub objects must be set to 'Integrated Windows Authentication' only. These objects can be found in IIS Manager under Default Web Site | LANDesk | Managementsuite | Core.
    2. Verify the IUSR_ specified in the Properties of Default Website.
    3. Browse /LANDesk/ManagementSuite/Core/ from the core and from a machine while logged in as the account being used to obtain the certificate.
      Unable to obtain a broker certificate with BrokerConfig.exe (IIS Troubleshooting)



    1. Verify HKLM\Software\Wow6432Node\Intel\LANDesk\LDWM\CoreServer, is a Hostname or Fully Qualified Domain Name (cannot use an IP Address or Alias).
    2. BrokerConfig.exe Test: Ensure that proper credentials (LDMS User credentials) are specified and choose proper connection method (Using Management Gateway or Direct Connection to Core) and test, unless both conditions are met results will be unreliable.
      Ensure that the LDMS user being used to retrieve the certificate is in the local LANDesk Management Suite group on the core server.
    3. Check the C:\Program Files\LANDesk\LDClient\brokerconfig.log.
    4. Check C:\Program Files\LANDesk\proxyhost.log, this will show attempts by proxyhost to make internal and external connections.
    5. On failure, make sure the \Program Files (x86)\LANDesk\Shared Files\cbaroot\brokerconfig.xml has the correct IP address of the CSA. If not, on the core, the agent client connectivity CSA settings will need to be adjusted with the correct CSA

    Issue: CSA Public IP address reverting back to old IP address


    1. Restart the LANDesk Management Gateway service.  (This will re-create brokerservice connections to the gateway, recreating any hung processes.)
    2. Check NTFS Permissions on the \...\LDMain\BrokerReq folder.
    3. Check IIS logs (in C:\%windir%\system32\logfiles\W3SVC1) for the IIS Status code returned on brokercertificaterequest.asmx.
    4. Check LDMain\brokerservice.log.  (This log corresponds to the LANDesk Management Gateway Service.)
    5. Check for .NET errors.
    6. Verify that the broker.crt and the protect.ini refer to the same .0 file.
    7. Obtain latest version of BrokerService.exe and postcgi.exe.
    8. Verify that the user credentials that you are using with Brokerconfig.exe are in the ManagementSuite group.



    1. Verify that the Certificate has been posted to the Gateway.
    2. Verify that all information in Configure | Management Gateway | Gateway Information Tab is correct.
    3. Verify that the Gateway has been activated. This is done by going to /{gateway name}/gsb.
    4. In the Gateway Services configuration area check that anything that the Gateway can be resolved to is set in the "Additional Hostnames" section. This includes all Domain/Hostnames (Fully Qualified and Simplified names), and all IP Address (Internal and External).
    5. In System Settings verify that the correct time zone is selected.
    6. Verify that under Users that all users have an * under organization.
    7. Verify the service account is not locked (if it is locked with multiple retries then a Core is configured with the wrong Management Gateway password).

    How to Configure a Gateway (Cloud Service Appliance) - Quick Guide


    When using BrokerConfig.exe –r:

    DNS: Use ping to verify that the Core is able to resolve clients, and clients are able to resolve core.