6 Replies Latest reply on Nov 2, 2007 10:13 AM by mvasquez

    ePolicy Orchestrator Repository update problem.

      Greetings,

      I have a server running ePo 3.6 and I cannot complete a successfull repository pull since 10/11/2007.

      These are the things that have happened since:

      1. My grant expired.

      2. I had the server update thru a proxy server that had a direct connection to the internet, no firewall was protecting that connection.

      3. The public connection was removed and I'm forced to go thru our firewall.

      When I do a Http and it fails witht he following error: "DATE: Failed to download file catalog.z from site update.nai.com:80, error code 403"

      When I try to do a repository pull using FTP it reaches 25% and fails with the following error: "Date: Failed to download file Current\PATCHMP1000\Templates\0000\Ptchscan.scp.zip from site ftp.nai.com:21, error code 2 ( The system cannot find the specified file. )

      I have a bit of network knowledge but no access to the firewall, I have to talk to the network administrator in order to get him to help me, he wants to know what configuration he has to put into the firewall to give the needed access to the server. He told me he tried to filter the server to troubleshoot the communication. When doing http pulls we don't see any traffic and with ftp we see the traffic. The firewalls are whatchguard.

      I hope this information helps anyone help me.

      Thanks in advance for your time.

      (English is not my native language, I apologize for any errors.)
        • 1. RE: ePolicy Orchestrator Repository update problem.
          zebulebu
          Hi

          Not too familiar with EPO myself, having only just taken over management of it where I work, but that sounds like you need to configure your proxy server to allow access via HTTP from the internal (EPO) server to the NAI site. The FTP issue might be related to a timeout on the FTP protocol, since the FTP connection can be established but the download never completes. This could point to traffic shaping on FTP, connection limits or download size being reached for FTP during a specific period or an issue related to link saturation.

          Since you used to bypass the firewall, I would guess that no-one has ever bothered to set up the necessary ACL\policy entries to facilitate HTTP access from the EPO Server outbound. Any decent firewall admin nowadays configures the firewall only to route HTTP/HTTPS/FTP connections out via their proxy architecture by default, with exceptions for machines that access web servers that won't allow a proxified connection configured in the firewall ruleset.

          You'll need to check the proxy settings in your browser and the ones set in EPO itself and make sure they match. If not, you can set EPO to override the IE proxy settings if required, so make sure you get them from your network/security bods and try and do a pull. If they are asking you for information, they probably only need the IP address/name of the EPO server and the URL of the sites it is accessing (NAI's HTTP site)

          HTH
          • 2. RE: ePolicy Orchestrator Repository update problem.
            I have had issues with pulling updates from McAfee's server also. It usually is successful on the next pull. Have you tried to connect to their servers with a FTP client and do your own 'pull' (to a different directory) to see if it completes?
            • 3. RE: ePolicy Orchestrator Repository update problem.
              To Zebulebu: I checked the IE proxy settings as well the ones in ePo since the proxy server that I was using is no longer available, they are both set to not use any proxy servers.

              We have physically 2 separate networks, 1 network has only one entry level firewall, the other has 2 firewalls in a cluster and those are more advanced. The thing is that at one time the entry level firewall didn't allow the ePo server in that network to communicate, the network admin configured something (he claims he doesn't remember) and now that server connects without problems. The advanced firewalls don't even allow windows update to connect.

              To drhodes: I've tried some 10 consecutive repository pulls without success. I did connect to the FTP server using IE and browsed some folders but I didn't download anything, I will with a client tomorrow.

              Thanks for your replies, not having the virus definitions updated is getting on my nerves :D.null
              • 4. RE: ePolicy Orchestrator Repository update problem.
                remember that you can always check in the DAT by hand if needed.
                • 5. RE: ePolicy Orchestrator Repository update problem.
                  metalhead
                  When I do a Http and it fails witht he following error: "DATE: Failed to download file catalog.z from site update.nai.com:80, error code 403"

                  => Error 403 means "Access forbidden" so your firewall has blocked this traffic

                  When I try to do a repository pull using FTP it reaches 25% and fails with the following error: "Date: Failed to download file Current\PATCHMP1000\Templates\0000\Ptchscan.scp.zi p from site ftp.nai.com:21, error code 2 ( The system cannot find the specified file. )

                  => Donwload problems with the PATCHTMP (=System Compliance Profiler Templates) are often related to "Intelligent" firewalls blocken javascipt code. The SCP templates mainly consists of javascript.
                  • 6. RE: ePolicy Orchestrator Repository update problem.
                    I second the proxy config. Make sure it is going out the proxy if your company enforces proxy throughout your network. It is in the Configure Proxy Settings in the repository section.