Any help using KACE through TMG 2010?
Afternoon,
I am trying to publish KACE through our TMG. I have the web console working, that was straight forward. I cannot however get any v7 agents to connect.
I thought that v7 agents use HTTPS?
Help?
2 Comments
Answers (1)
Posted by:
Nico_K
7 years ago
Check the logs of the agents.
I assume your TMG is inspecting the packets and re-encrypting them using the wrong SSL certificate.
The agents use their own certificate to be able to communicate encrypted even with a plain non-SSL appliance.
Comments:
-
Thanks for the reply.
Maybe. I am using SSL bridging...
agent---ssl--->TMG---ssl--->KACE
which works for the web interface.
Is it a DNS name thing? The external name is kace1000.external.com and internally it is kace1000.internal.org, but again this works fine for the web console.
Do I need a separate rule for the agent access, besides the web console rule? - Darkplace 7 years ago -
d'Oh! Just checked the listener and I've got the wrong cert applied... Chrome allows me to ignore the cert error, however I don't think the agent does... well, konea.log shows it doesn't like it! - Darkplace 7 years ago
-
That doesn't work - I don't think this is possible as the konea service uses its own cert, something like
konea-kace.work.com.pem
With a trusted 3rd party cert I get
|ERROR|serverconn.go:355:createSession | Could not Negotiate |{"err":"x509: certificate is valid for kace.work.com, not konea"}
So SSL offloading cannot be done? I'd have to put the KACE appliance on the "internet" in the "DMZ" - Darkplace 7 years ago -
As I said: your TMG is applying the wrong certificate. The one for your appliance and not the needed KONEA one.
Currently there is only one solution: exclude the konea (the KACE ONE AGENT) traffic in your TMG - Nico_K 7 years ago -
Remember: the appliance uses two certificates:
one for the appliance (the web UI etc.) and one for the agents (konea), which should not be mixed or you run into this issue. If your TMG cannot handle two certs, exclude the agent traffic from it - Nico_K 7 years ago
-
Ok thanks. Shame I need to get my remote clients to VPN in to connect to KACE. - Darkplace 7 years ago
Still leaves me with the question "how do I patch machines outside my office?"
At the moment we hope that a user connects a VPN...not great as who does that anymore?
Wandering down the Direct Access route will only help Windows users. - Darkplace 7 years ago
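To show why bridging with the appliance's web-UI certificate breaks the agent, here is an added Go example (not KACE, Quest or konea code). It builds a constructed self-signed certificate for a hypothetical name, then runs the same hostname check that produces the "certificate is valid for X, not Y" message quoted from konea.log above; the name "konea" is taken from that log line, not from any agent documentation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCertFor builds a constructed, self-signed certificate whose only DNS
// name is dnsName. It stands in for the certificate a bridging proxy such
// as TMG presents to clients; no real KACE certificate is used here.
func newCertFor(dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckBridgedName simulates a proxy presenting a certificate issued for
// presentedFor to a client that expects agentExpects. It returns whether the
// hostname check passes and the verifier's message; the failing case is the
// same x509 HostnameError the konea log line shows.
func CheckBridgedName(presentedFor, agentExpects string) (bool, string) {
	cert, err := newCertFor(presentedFor)
	if err != nil {
		return false, err.Error()
	}
	if err := cert.VerifyHostname(agentExpects); err != nil {
		return false, err.Error()
	}
	return true, "name matches"
}
```

Running CheckBridgedName("kace.work.com", "konea") fails with the mismatch message, while the web-console case CheckBridgedName("kace.work.com", "kace.work.com") passes, which is why the browser works and the agent does not.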