Endpoint Agents do not appear in the UI under Investigate >>> Hosts although the NWEAgent service is running.
Most probably the connection on port TCP/443 is not established: either something in the path between the agent and the server is blocking it, or there is a mismatch in the TLS and cipher options.
First, test the connectivity between the Endpoint Agents and the server on both ports, TCP/443 and UDP/444, using the Testnet utility. For more details, follow the steps in Article 000038661.
If the output contains an error similar to the one below, the port is open but the connection is still not established.
C:\Windows\System32>NWEAgent.exe/testnet
C:\Windows\System32>
**************************************************
* NetWitness Endpoint Agent *
* © 2019 RSA Security LLC., All rights reserved. *
**************************************************
Compiled on Apr 1 2019 10:47:28.
- Found service certificate...
- Found service config...
- Service master server 192.168.2.132:443, UDP:444...
- Found service assigned server 192.168.2.133:443, UDP:444...
- Attempting connection with basic socket...
- Resolved address...
SUCCESS: Connected with basic socket.
- Attempting connection with WinHTTP...
ERROR: TestHttpsConnection: Could not connect, and no proxy was found. (Error =
0, Code = 500)
- Attempting UDP beacon test...
- Resolved address...
SUCCESS: Got expected UDP reply.
The next step is to verify that both the agent and the server can agree on an SSL/TLS protocol version (TLSv1.2, TLSv1.3...) and a cipher suite.
Server Side
- The Endpoint Server is configured to run in FIPS mode and accept only TLSv1.2.
- The ciphers are listed in /etc/nginx/conf.d/nginx.conf.
[root@EndpointLogHybrid ~]# cat /etc/nginx/conf.d/nginx.conf | grep -i ssl_ciphers
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
Agent Side
Download any third-party tool that lists the enabled TLS versions and ciphers, such as
https://www.nartac.com/Products/IISCrypto/Download.
In the above example, we can see that the ECDHE family was disabled. After enabling it and running the Testnet utility again, the output shows that the connection is established successfully.
C:\Windows\System32>NWEAgent.exe/testnet
C:\Windows\System32>
**************************************************
* NetWitness Endpoint Agent *
* © 2019 RSA Security LLC., All rights reserved. *
**************************************************
Compiled on Dec 10 2019 03:54:23.
- Found service certificate...
- Found service config...
- Service master server 192.168.2.132:443, UDP port 444...
- Found service assigned server 192.168.2.133:443, UDP port 444...
- Attempting connection with basic socket...
- Resolved address...
SUCCESS: Connected with basic socket.
- Attempting connection with WinHTTP...
SUCCESS: Connected over HTTPS with WinHTTP. Server reply : {"serviceId":"9a9e82e
6-0104-4e42-a9fd-75537854a534","serviceName":"endpoint-server","marketingVersion
":"11.4.0.0"}
- Attempting UDP beacon test...
- Resolved address...
SUCCESS: Got expected UDP reply.
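The agent-side check can also be done with built-in Windows tooling. The PowerShell below is an added example, not part of the original article or of the NetWitness tooling; it assumes Windows 10 / Server 2016 or later (where Get-TlsCipherSuite exists) and uses the server policy shown above (TLSv1.2 only, ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL).

```powershell
# Added example (not from the original article): compare this agent's Schannel
# settings with the Endpoint Server policy shown above.
# Assumption: Windows 10 / Server 2016 or later, where Get-TlsCipherSuite exists.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Report an Enabled/DisabledByDefault override under a Schannel registry key.
function Get-SchannelState([string]$SubKey) {
    $p = Get-ItemProperty -Path (Join-Path $schannel $SubKey) -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'no override (OS default)' }
    if ($p.Enabled -eq 0 -or $p.DisabledByDefault -eq 1) { return 'DISABLED' }
    return 'enabled'
}

# 1. Protocol and key-exchange overrides that can block otherwise enabled suites.
foreach ($k in 'Protocols\TLS 1.2\Client',
               'KeyExchangeAlgorithms\ECDH',
               'KeyExchangeAlgorithms\Diffie-Hellman') {
    Write-Output ('{0,-40} {1}' -f $k, (Get-SchannelState $k))
}

# 2. Enabled cipher suites the server can accept. OpenSSL AES256+EECDH and
#    AES256+EDH correspond to Schannel names TLS_ECDHE_*_WITH_AES_256_* and
#    TLS_DHE_*_WITH_AES_256_*.
$serverPolicy = '^TLS_(ECDHE|DHE)_(RSA|ECDSA|DSS)_WITH_AES_256_'
$enabled = @(Get-TlsCipherSuite)
$usable  = @($enabled | Where-Object { $_.Name -match $serverPolicy })

Write-Output ('Enabled cipher suites: {0}, acceptable to server: {1}' -f $enabled.Count, $usable.Count)
if ($usable.Count -eq 0) {
    Write-Output 'No overlap with the server policy; enable an ECDHE or DHE AES-256 suite.'
} else {
    $usable | Select-Object Name, Exchange, Cipher, CipherLength | Format-Table -AutoSize
}
```

If the count of acceptable suites is zero, or TLS 1.2 or the ECDH key exchange shows as DISABLED, the WinHTTP step of the Testnet utility is expected to fail even though the basic socket test succeeds.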
If enabling the ciphers does not work, you can also check to see if there is a proxy in between the agent and the Endpoint Server.
On one of the client machines, open a command prompt with the Run as administrator option.
Type: netsh.exe winhttp show proxy
The results either state directly connected or display the proxy that is used.
If the output displays a proxy IP, it is best to work with the group responsible for managing the proxy servers.
A temporary measure would be to configure the system to bypass the proxy by the following means.
netsh.exe winhttp set proxy myproxy
netsh.exe winhttp set proxy myproxy:80 "<local>;bar"
netsh.exe winhttp set proxy proxy-server="http=myproxy;https=sproxy:88" bypass-list="*.domainName.com"
See the Microsoft KB article linked below for more information:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731131(v=ws.10)