9 Replies Latest reply on Nov 3, 2011 6:30 AM by PhilR

    ePO 4.6 Rogue System Detection (RSD) 4.6 Sensors not connecting to server, port issue

      During installation the Client-to-server authenticated communication port (which RSD Sensors use to communicate with the ePO server) was changed from the default 8444 to 8443 (Console port was also changed to a different port number).

       

      Despite the change, the Rogue Sensors still try to communicate to port 8444 resulting in failures since the server/app is not listening on this port.

       

      Unlike ePO 4.5 there doesn't seem to be a way to change the Sensor to Server port after installation or from RSD policies. Log entries from RSDSensor_out listed below, showing attempts to connect to 8444, but should be 8443.

       

      08-11-11 10:31:16,711 [11760] INFO RSDSensor.ServerCom <> - Sending data to the server at https://[ip address/name]:8444/rsdsensor/engine.sm

       

      08-11-11 10:31:22,171 [11760] ERROR RSDSensor.ServerCom <> - There was an error connecting to the server '[ip address/name]' curl error=Couldn't connect to server (7)

      08-11-11 10:31:22,171 [11760] WARN RSDSensor.ServerCom <> - Server returned HTTP status failure... adding the request to the retry queue..

       

      Possible work around or fix for this?
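To confirm across many sensors which server port they are actually using, the RSDSensor_out lines quoted above can be audited with a script. This is an added example, not part of the original post or McAfee's tooling; the host name `epo.example.test`, the sample log and the function name `audit_sensor_log` are constructed for illustration.

```python
import re
from collections import Counter

# Layout of the RSDSensor_out lines quoted in the post:
# "<date> <time>,<ms> [<thread>] <LEVEL> <logger> <> - <message>"
LINE_RE = re.compile(
    r"^\d{2}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} \[(?P<tid>\d+)\] "
    r"(?P<level>[A-Z]+)\s+\S+ <[^>]*> - (?P<msg>.*)$"
)
SEND_RE = re.compile(r"Sending data to the server at https://.+?:(?P<port>\d+)/")
CURL_RE = re.compile(r"curl error=.*\((?P<code>\d+)\)\s*$")

# Constructed sample: same format as the post, with a placeholder host name.
SAMPLE_LOG = """\
08-11-11 10:31:16,711 [11760] INFO RSDSensor.ServerCom <> - Sending data to the server at https://epo.example.test:8444/rsdsensor/engine.sm
08-11-11 10:31:22,171 [11760] ERROR RSDSensor.ServerCom <> - There was an error connecting to the server 'epo.example.test' curl error=Couldn't connect to server (7)
08-11-11 10:31:22,171 [11760] WARN RSDSensor.ServerCom <> - Server returned HTTP status failure... adding the request to the retry queue..
08-11-11 10:36:16,802 [11760] INFO RSDSensor.ServerCom <> - Sending data to the server at https://epo.example.test:8444/rsdsensor/engine.sm
08-11-11 10:36:22,260 [11760] ERROR RSDSensor.ServerCom <> - There was an error connecting to the server 'epo.example.test' curl error=Couldn't connect to server (7)
"""


def audit_sensor_log(lines, expected_port):
    """Report which server ports the sensor tried and which attempts failed."""
    attempts = Counter()   # port -> number of send attempts
    failures = Counter()   # (port, curl error code) -> count
    last_port = {}         # thread id -> port of its most recent send attempt
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue  # blank line or a format this parser does not know
        send = SEND_RE.search(m["msg"])
        if send:
            port = int(send["port"])
            attempts[port] += 1
            last_port[m["tid"]] = port
            continue
        curl = CURL_RE.search(m["msg"])
        if curl and m["level"] == "ERROR":
            # The error line carries no port, so attribute it to the
            # preceding send attempt on the same thread.
            failures[(last_port.get(m["tid"]), int(curl["code"]))] += 1
    return {
        "attempts": dict(attempts),
        "failures": dict(failures),
        "unexpected_ports": sorted(p for p in attempts if p != expected_port),
    }


if __name__ == "__main__":
    print(audit_sensor_log(SAMPLE_LOG.splitlines(), expected_port=8443))
```

A non-empty `unexpected_ports` together with curl error 7 (could not connect) matches the symptom described here: the sensor is still using a port the server no longer listens on.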

        • 1. Re: ePO 4.6 Rogue System Detection (RSD) 4.6 Sensors not connecting to server, port issue

          I think you can change the port from the RSD policy; have you checked that? Then make sure you enabled that port by adding a rule to the HIPS firewall if you are going to use the new port.

          • 2. Re: ePO 4.6 Rogue System Detection (RSD) 4.6 Sensors not connecting to server, port issue

            Make sure you send a wakeup agent call to the systems

            • 3. Re: ePO 4.6 Rogue System Detection (RSD) 4.6 Sensors not connecting to server, port issue
              andrep1

              There is an issue with configuring the port correctly and we have yet to find the cause. I do have a service request with platinum opened up on the subject with exactly the same issue. We have yet to be able to come up with a resolution.

               

              If you change/create this value hklm\software\mcafee\rsd\sensor\serverport  on the client and set it to your custom port, it should start communicating and it will not be overwritten by policy. It is only a workaround. It can work if you don't have too many sensors or have access to a way to modify the port using a script.

               

              Also, in ePO 4.6 you can change the server port in the usual place, but you no longer have access to modify the sensor port for the RSD policy.

              • 4. Re: ePO 4.6 Rogue System Detection (RSD) 4.6 Sensors not connecting to server, port issue

                I was able to find an old KB (https://kc.mcafee.com/corporate/index?page=content&id=KB57791) that can be useful as a similar workaround.

                 

                The entire KB doesn't apply to ePO 4.6, but I was able to get the Sensors communicating following the steps below. However, I had to change my custom port back to the default 8444.

                 

                • Ensure all ePO consoles are closed.
                • Click Start, Run, type services.msc and click OK.

                • Right-click each of the following services and select Stop:

                  • McAfee ePolicy Orchestrator 3.6.x Application Server

                  • McAfee ePolicy Orchestrator 3.6.x Event Parser

                  • McAfee ePolicy Orchestrator 3.6.x Server

                • In Windows Explorer, browse to the following directory:

                  ...\Program Files\Common Files\McAfee\Tomcat\conf\

                • In Notepad, open Server.XML and replace all entries of port 8444 with the desired port.

                • Click Start, Run, type services.msc and click OK.

                • Right-click each of the following services and select Start:

                  • McAfee ePolicy Orchestrator 3.6.x Application Server

                  • McAfee ePolicy Orchestrator 3.6.x Event Parser

                  • McAfee ePolicy Orchestrator 3.6.x Server

                • 5. Re: ePO 4.6 Rogue System Detection (RSD) 4.6 Sensors not connecting to server, port issue
                  andrep1

                  Right, still doesn't explain why we are not able to change using policies though...

                  But I'm glad it fixed your issue.

                  • 6. Re: ePO 4.6 Rogue System Detection (RSD) 4.6 Sensors not connecting to server, port issue
                    Brendon Elliott

                    I have an open case ID with McAfee support on the same issue,

                     

                    My custom port during fresh installation was changed from 8444 to 50506, however, RSD is still trying to send on 8444,

                     

                    What is very strange is, RSD reported back on 50506 for about a month and was working on agent deployments with automatic responses, then all of a sudden, RSD is trying to send coms on 8444 again.

                     

                    My last update this morning,

                     

                    • Sent RSDSensor_out.log
                    • Sent MER results (log level 8)

                     

                    While working with support on remote session, the following was supplied

                     

                    • please note that this did not resolve my issue and should not be used as a solution
                      • it could possibly be used as a test sequence in your environment

                     

                    • Make sure you backup your DB
                    • Add SQL script
                    • modify 8444 to your custom port
                    • execute SQL script
                      • you will notice results found and modified
                    • restart ePO services
                    • restart RSD services
                    • View rogue detection

                     

                    (Script)

                     

                    UPDATE PSV SET SettingValue = N'8444'
                    FROM EPOPolicyProductToTypes PTT
                    INNER JOIN EPOPolicySettings PS ON (PTT.TypeID = PS.TypeID)
                    INNER JOIN EPOPolicySettingValues PSV ON (PS.PolicySettingsID = PSV.PolicySettingsID)
                    WHERE (PTT.ProductCode = N'SNOWCAP_2000') AND (PSV.SectionName = N'Sensor-General') AND (PSV.SettingName = N'ServerPort');

                     

                     

                    This did not have any effect on RSD in my scenario, I was then told to remove RSD from ePO server and re-install and view the console, still no change,

                     

                    case is still open and awaiting feedback

                    • 7. Re: ePO 4.6 Rogue System Detection (RSD) 4.6 Sensors not connecting to server, port issue
                      andrep1

                      Deleting the RSD policy and recreating it did the trick for me... All you mentioned I had done, but it did not make a difference.

                      There's an issue and no one from McAfee seems to be acknowledging it.  When I called in, there was no bug report open for this.

                       

                      I don't have the information handy, but there's a registry key to force the port locally and a way to run the sensor in console mode while forcing the port at the same time.

                      • 8. Re: ePO 4.6 Rogue System Detection (RSD) 4.6 Sensors not connecting to server, port issue
                        Brendon Elliott

                        McAfee case ID 3-1697314001 - Resolved

                         

                        Support Technician removed RSD extensions, added new RSD 4.6 extensions.

                         

                        Recreated the RSD policy

                         

                        T2:

                        C: Known issue BZ692377.

                        S: Removing RSD extension and rechecking it and using the default policy.

                         

                        Resolution:

                         

                        C: Known issue BZ692377.

                        S: Removing RSD extension and rechecking it and using the default policy.

                         

                        Description:

                        The issue seems to come from a policy where the Server Port was not correctly retrieved and uses the default port 8444. Any policy that was duplicated from the 'McAfee Default' RSD policy should work properly with an altered ServerPort. This includes the McAfee Default policy itself.

                        However in your case the policy seems to have been corrupted, and any policies that were duplicated from it, will not work.

                         

                        Solution:

                        Removing the RSD extension and rechecking it again fixes the problem, as you will get new My Default and McAfee Default policies in place, and duplicating one of these will still work fine, retrieving the correct port.

                         

                        The RSD extension can be found under \Program Files\McAfee\ePolicy Orchestrator\Installer\ePO\extensions\rsd.zip.

                         

                        hope this helps everyone as well

                         

                        Message was edited by: BlackDiamond on 2011/09/29 9:55:01 AM

                         

                        Message was edited by: BlackDiamond on 2011/09/29 9:55:38 AM
                        • 9. Re: ePO 4.6 Rogue System Detection (RSD) 4.6 Sensors not connecting to server, port issue
                          PhilR

                          I had a problem in ePO 4.6.0 and 4.6.1 where RSD was detecting devices but the Automatic Actions associated with Rogue Detection weren't being run.

                           

                          Removing then reinstalling the ePO RSD extension fixed the issue.

                           

                          Thanks for the good advice.

                           

                          Phil