Returning laptops won't connect to Kace SMA. Why?
My workplace has a library of laptop computers that can be checked out by employees and returned.
When the laptops are in the library, and connected to the Workplace network, they are connected to the Kace SMA.
When the laptops are taken offsite, and connected to the Workplace network via VPN, they connect to the Kace SMA.
But when the laptops are returned to the library, and connect to the Workplace network, they will not re-connect to the Kace SMA. If I launch the KACE Agent Toolkit and press the Server Retrust button, then the laptop connects to the Kace SMA and is happy until it is again taken offsite and then returned to the library.
I first noticed this issue a few months ago on the prior Kace SMA release, but just now have time to investigate. Our SMA is running the most recent release and agent, agent version 10.2.108.
I opened a support case with Kace a couple weeks ago, and provided several Kaptures, log files, and screenshots. There has not been a quick resolution. The only clue to the problem we have identified is the konea.log scrolls errors about a "certificate signed by unknown authority". That's odd to me because SSL is not enabled on the Kace SMA. I have considered enabling SSL, but don't care to go through that hassle to learn that it doesn't solve the problem.
I appreciate any suggestions for resolving the issue.
Answers (1)
Top Answer
The Agent has two communications paths to the SMA.
One is the koneas (server) - konea (Agent) path, which uses port 443 HTTPS regardless of whether you have SSL enabled for the Apache Web Server running on the SMA. This process does involve an SSL certificate.
The konea communications is how the Agent receives tasks like "Hey go run inventory".
Once this inventory task, for example, is completed, the inventory is uploaded to the Apache Web Server on the SMA using port 80 HTTP since you do not have SSL enabled.
It is highly recommended to use an SSL certificate from a well-known root CA with Apache to make your environment more secure.
Do you have any type of Proxy between the SMA and these external devices that may do SSL inspection on the traffic?
Comments:
- Thank you. That information was very helpful. Based on it, we re-inspected and identified a firewall SSL Decryption rule that was causing the problem. We whitelisted the KACE SMA from SSL Decryption, and the problem appears resolved. - davidrnoble 4 years ago
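An added diagnostic for the situation in this thread, not code from Quest/KACE or from any poster: it records the SHA-256 fingerprint of the certificate presented on port 443 and compares it with a baseline taken from a path known not to be inspected, so a firewall that re-signs TLS shows up as a mismatch. It assumes the SMA's port 443 listener presents the same certificate to any TLS client; the script name, host argument and path labels are placeholders.

```python
import hashlib
import socket
import ssl
import sys


def fetch_leaf_der(host, port=443, timeout=5.0):
    """Return the DER bytes of the certificate presented on host:port.

    Verification is switched off on purpose: the goal is to record what the
    network path presents, including a certificate re-signed by a middlebox.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def intercepted_paths(baseline_fp, observed):
    """Return the network paths whose fingerprint differs from the baseline.

    observed maps a path label (e.g. "library LAN", "VPN") to the fingerprint
    recorded from that path. A mismatch means something between the laptop
    and the appliance terminated TLS and presented its own certificate.
    """
    base = baseline_fp.replace(":", "").strip().lower()
    return sorted(p for p, fp in observed.items()
                  if fp.replace(":", "").strip().lower() != base)


if __name__ == "__main__":
    # Usage: python check_path.py <sma-host> <baseline-fingerprint> [label]
    host, baseline = sys.argv[1], sys.argv[2]
    label = sys.argv[3] if len(sys.argv) > 3 else "this path"
    seen = fingerprint(fetch_leaf_der(host))
    bad = intercepted_paths(baseline, {label: seen})
    print(f"{label}: {seen}")
    print("MISMATCH: TLS is being re-signed on this path" if bad else "match")
    sys.exit(1 if bad else 0)
```

Run it once from a machine on the same segment as the appliance to get the baseline, then from a returned laptop on the library network and from a laptop on VPN; a mismatch can also mean the appliance certificate was regenerated since the baseline was taken.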