Troubleshooting Endpoint Distribution Services (Communication from Endpoint to EMSS server)

Version 7

     

    Purpose

     

    Give some initial steps to start diagnosing and fixing endpoint-server communication issues. If issues are still present after applying initial fixes, please contact support at https://support.ivanti.com/ with the information gathered from this initial troubleshooting.

     

    Symptoms

     

    EMSS endpoints are not connecting to the EMSS server.

     

    Cause

     

    There can be many causes, but generally it is a networking or firewall issue.

     

    Resolution

     

    Ensure the Agents are running

     

    1. From the agent machine having this issue, ensure that the LM Agent or Patch Agent is running.  
      • LM Agent will show as LMAgent.exe in the Task Manager process list
      • Patch Agent will show as Gravitixservice.exe in the Task Manager process list.
    2. If one or both of them is not running, open up the Services Microsoft Management Console (Start > run or Start > Search all programs and files, then type 'services.msc').
    3. After starting the services, check the EMSS WebUI again for the agent status. If they still do not show as Online, continue troubleshooting.
    4. Open up the Patch Agent Control Panel and go to the proxies tab (if Pre-Vista) or click the Tools button and then click the 'Proxy Settings' link (if post-Vista OS).
    5. Make a note of whether or not a proxy is being used here or what the proxy and port are.
    6. Open up Internet Explorer and go to Tools > Internet Options, click on the 'Communications' tab and then click the [LAN Settings] button towards the bottom.
    7. If the agent was not using a proxy, then make sure that the browser is also not using a proxy. If the agent was using a proxy, then you will need to enter that information here and click [OK].

    Initial Communication Testing

     

    1. Ping the endpoint to see what the TTL is on the ICMP packet. For the OS to be recognized as Windows, the TTL must be between 64 and 128.
    2. Ensure the client time is correct/in sync with the server
    3. Check whether a firewall running on the client is blocking TCP/33115, TCP/65129 (65229 if using TLS), UDP/137 and 138, TCP/139 and 445 or RPC port 135. These ports must be open, and the Windows Firewall/Internet Connection Sharing service must be turned on and started (though your Windows Firewall control panel can be set to OFF).
    4. The account running the client deployment tool must be a local administrator on the remote computer.
    5. The CDT uses services on the remote client which have to be up and running: ‘Server’, ‘Computer Browser’ and ‘Remote Registry’ must be started, otherwise it cannot contact the client. Please double check these (perhaps GPO settings are in effect?). Extra info on ensuring remote registry is set up correctly: http://support.microsoft.com/kb/314837
    6. We use NETBIOS so please ensure there are no duplicate machines on the network
    7. Ping the machine name. Please check that the resolved address is the same as the Endpoint machine name. Ensure you can manage the machine via MMC snap-in and connect via remote registry as a test.
    8. Can you connect to the IPC$ and ADMIN$ share from the server? "net use \\ClientName\ipc$" (no quotes)
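
    The server-side checks in steps 3, 5, 7 and 8 can be collected in one pass. The script below is an added example, not vendor tooling. It assumes it is run on the EMSS server in Windows PowerShell 5.1 (where Get-Service accepts -ComputerName) by an account that is a local administrator on the endpoint; CLIENTNAME and the New-Check helper are placeholders introduced for illustration.

```powershell
# Added example; run on the EMSS server in Windows PowerShell 5.1.
# 'CLIENTNAME' is a placeholder for the endpoint being tested.
param([string]$Endpoint = 'CLIENTNAME')

# Hypothetical helper: gives every check the same output shape.
function New-Check($Check, $Ok, $Detail) {
    [pscustomobject]@{ Check = $Check; Ok = [bool]$Ok; Detail = "$Detail" }
}

# Step 7: forward-resolve the name, then reverse-resolve the address.
try {
    $ip = [System.Net.Dns]::GetHostAddresses($Endpoint) |
        Where-Object AddressFamily -eq 'InterNetwork' | Select-Object -First 1
    if (-not $ip) { throw "No IPv4 address found for $Endpoint" }
    $back = [System.Net.Dns]::GetHostEntry($ip).HostName
    New-Check 'Name resolution' ($back -like "$Endpoint*") "$ip -> $back"
} catch {
    New-Check 'Name resolution' $false $_.Exception.Message
}

# Step 3: TCP ports from the article (65229 replaces 65129 when TLS is used).
# UDP/137 and UDP/138 cannot be probed this way; review the firewall rules instead.
foreach ($port in 33115, 65129, 65229, 135, 139, 445) {
    $t = Test-NetConnection -ComputerName $Endpoint -Port $port -WarningAction SilentlyContinue
    New-Check "TCP/$port" $t.TcpTestSucceeded $t.RemoteAddress
}

# Step 5: service names behind 'Server', 'Computer Browser' and 'Remote Registry'.
foreach ($name in 'LanmanServer', 'Browser', 'RemoteRegistry') {
    $svc = Get-Service -ComputerName $Endpoint -Name $name -ErrorAction SilentlyContinue
    New-Check "Service $name" ($svc.Status -eq 'Running') $svc.Status
}

# Step 8: ADMIN$ reachable with the current account's credentials.
New-Check 'ADMIN$ share' (Test-Path "\\$Endpoint\ADMIN`$") ''
```

    Only one of TCP/65129 and TCP/65229 is expected to answer, depending on whether TLS is in use. A service row with an empty Detail means the service could not be queried remotely, which is itself a hint that RPC or Remote Registry access is blocked.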

     

     

    Additional Communication Testing

     

    1.       To further test endpoint-server communication, log on to your endpoint, open a web browser and enter the following URLs into the address bar. If you encounter any errors, write them down to give to a support representative later.

    *Note that SERVERNAME is the IP Address or Fully Qualified Domain Name of the EMSS Server (Please use whichever one the agents are using for their connection).

     

    a.       http://SERVERNAME

        i.      This should be the EMSS WebUI, which should prompt you once for a login to the EMSS WebUI itself.

     

    b.       http://SERVERNAME/gravitix

        i.      This page should not prompt you for any login information if you entered it in for the previous URL.

        ii.     You should see a page that shows: RC="4097." If you are using SSL for patch agent communication (configured in your Agent Policy Sets) then it will communicate over port 443, so test https://SERVERNAME/gravitix

                                           

     

    c.       http://SERVERNAME/agentcenter/agentcenter.asmx

        i.      This page should not prompt you for any login information if you entered it in for the previous URL.

        ii.     You should see a page that begins with "AgentCenter" in a blue banner across the top, with a description that states "The following operations are supported. For a formal definition, please review the Service Description." and has a list of services. If you are using SSL for patch agent communication (configured in your Agent Policy Sets) then it will communicate over port 443, so test https://SERVERNAME/agentcenter/agentcenter.asmx

    d.       If you see “Error: This endpoint is not able to send or receive information from the server because the eds server it is connected to is offline”, go to Services on the EMSS server and check the EDS Server service. If the status does not show “Running”, right-click the service and choose “Start”. After a pause, refresh http://SERVERNAME/agentcenter/agentcenter.asmx on the endpoint and see if it shows as above.

     

     

    e.       https://SERVERNAME/servicerequestrest

        i.      Please note that this is using https and not http for connection. This communication will be over port 443 and not port 80 as with the previous 3 URLs.

        ii.     This page may give you a certificate error when loading; this is normal.

        iii.    This page should not prompt you for any login information.

        iv.     You should see a page that begins with "ServiceRequestRest Service" in a blue banner across the top of the page. Directly under that, it will show "You have created a service." and then provide you with some code that can be generated. You can ignore the rest of the page, as it is unimportant for troubleshooting.

     

    f.       Additional sites to try:

     

    2.       If any of these pages do not load, please check the same page using the same method of connection on the EMSS Server itself.

    a.       If the page does not load on the Server, then the issue may be with the EMSS Server and we'll follow up on that path.

    b.       If the page loads fine on the server, then the issue is most likely with communications between the agent machine and the server. Please verify that you have port 80 and port 443 opened in the firewalls between the endpoint having the issue and the EMSS Server.

    c.       If you receive an extra login prompt that does not appear to be from the EMSS Server, then you may need to check your proxy or firewall settings to ensure that authentication is not required, or that the authentication information is entered in the agent and that it is entered in properly.
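
    The URL tests in steps 1 and 2 can be scripted so the same check is run on the endpoint and on the EMSS server and the two results compared. This is an added example, not vendor tooling; SERVERNAME is the article's placeholder, and the marker strings are the page texts quoted above. Certificate validation is left on, so a certificate error on the https URL is reported in the Error column rather than bypassed.

```powershell
# Added example; run on the endpoint, then again on the EMSS server.
# 'SERVERNAME' is the article's placeholder for the IP address or FQDN the agents use.
param([string]$Server = 'SERVERNAME')

# URL and the text the article says the page should contain.
$checks = @(
    @{ Url = "http://$Server/gravitix";                     Marker = '4097' }
    @{ Url = "http://$Server/agentcenter/agentcenter.asmx"; Marker = 'AgentCenter' }
    @{ Url = "https://$Server/servicerequestrest";          Marker = 'ServiceRequestRest Service' }
)

foreach ($c in $checks) {
    $row = [ordered]@{ Url = $c.Url; Status = $null; MarkerFound = $false; Error = $null }
    try {
        $resp = Invoke-WebRequest -Uri $c.Url -UseBasicParsing -TimeoutSec 15
        $row.Status      = [int]$resp.StatusCode
        $row.MarkerFound = $resp.RawContent -like "*$($c.Marker)*"
    } catch {
        # Connection failures, HTTP error codes and certificate trust
        # errors all land here; keep the message for the support case.
        $row.Error = $_.Exception.Message
        if ($_.Exception.Response) {
            $row.Status = [int]$_.Exception.Response.StatusCode
        }
    }
    [pscustomobject]$row
}
```

    A row that fails on the endpoint but succeeds on the server points at the network path (step 2b); a status of 401 or 407 corresponds to the login prompts described in steps 1 and 2c.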

    3.      If unable to bind to 443… (Details of this process shown here: After Removing SSL Port Binding On IIS, EDS Stops Listening On Port 433)

        1. Assign the self-signed certificate to the EMSS website.
        2. In an administrator prompt, run:
          netsh http show sslcert
        3. Collect IP:port, Certificate Hash, and Application ID.
        4. Remove the HTTPS binding from EMSS website.
        5. In an administrator prompt, run the following using the
          IP:port, Certificate Hash, and Application ID from step 3:
          netsh http add sslcert ipport=x certhash=x appid=x
        6. The certificate should now be bound to port 443 for EDS.
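
    Steps 2, 3 and 5 depend on copying three values out of the netsh output without error. The parser below is an added example, not vendor tooling; it assumes English-language netsh output, Get-SslBinding is a name introduced here, and the sample text is constructed with placeholder hash and GUID values. It only builds the command text and does not change any binding.

```powershell
# Added example: parse 'netsh http show sslcert' output and build the re-add command.
# Constructed sample; the hash and GUID are placeholders, not real values.
$sample = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 0000000000000000000000000000000000000000
    Application ID               : {00000000-0000-0000-0000-000000000000}
    Certificate Store Name       : MY
'@

function Get-SslBinding {
    param([string[]]$Lines)
    $binding = $null
    foreach ($line in $Lines) {
        # Field separator is " : " with padding; "IP:port" and the value contain bare colons.
        if ($line -notmatch '^\s*(?<key>.+?)\s+:\s(?<value>.*)$') { continue }
        $key   = $Matches.key
        $value = $Matches.value.Trim()
        if ($key -eq 'IP:port') {
            # "IP:port" is the first field of each binding: emit the previous one.
            if ($binding) { [pscustomobject]$binding }
            $binding = [ordered]@{ IpPort = $value; CertHash = $null; AppId = $null }
        } elseif ($binding -and $key -eq 'Certificate Hash') {
            $binding.CertHash = $value
        } elseif ($binding -and $key -eq 'Application ID') {
            $binding.AppId = $value
        }
    }
    if ($binding) { [pscustomobject]$binding }
}

# On a live server use: Get-SslBinding -Lines (netsh http show sslcert)
$bindings = Get-SslBinding -Lines ($sample -split '\r?\n') |
    Where-Object IpPort -like '*:443'

foreach ($b in $bindings) {
    # Command as typed at cmd.exe. In PowerShell, wrap the appid value in single
    # quotes, otherwise the braces are parsed as a script block.
    "netsh http add sslcert ipport=$($b.IpPort) certhash=$($b.CertHash) appid=$($b.AppId)"
}
```

    Save the parsed values before performing step 4, since the binding no longer appears in the netsh output once it has been removed.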

    4.     If none of these solutions solve your issue, please contact support at https://support.ivanti.com with the information you gathered through this guide.

     

     

    Affected Product(s)

     

    EMSS