Environment
- App Control Console: All Supported Versions
- App Control Agent: All Supported Versions
Objective
How to troubleshoot Agents reporting to the Console as Approvals out of Date.
Resolution
- Verify the Agent is currently showing as Connected in the Console.
- Verify the Agent is not the Agent Upgrade cycle, as this will prevent CL Updates.
- Verify the Server-Agent Certificate in the Console > System Configuration > Security is not expired, and formatted correctly.
- Common Name shown should match Server Address from the General tab.
- Expiration Date should be in the future.
- A matching Certificate should be listed in the Trusted Communication Certificates list at the bottom of the Security tab, and Trusted.
- Verify the Resource Download Location in System Configuration > Advanced is still accurate, and contains the necessary files.
- Verify the IIS Certificate bound to Port 443 is not expired, and formatted correctly
- Common Name shown should match Server Address from the General tab.
- Expiration Date should be in the future.
- A matching Certificate should be listed in the Trusted Communication Certificates list at the bottom of the Security tab, and Trusted.
- Verify the required ports for App Control are available to the Server Address. By default these are 41002 and 443.
- Verify whether a Proxy or other Network Appliance is between the Agents and App Control Server.
- If a certificate exists on the Proxy or other Network Appliance, it must be imported & Trusted in the Trusted Communication Certificates list.
- If SSL Inspection is enabled the Agents will reject the modified packets.
- If any other authentication (such as 2FA) is enabled for 41002 or 443 the Agents may fail to properly communicate.
- Verify the TrustedCertList.pem file is not corrupt.
- Manually import the TrustedCertList.pem and keychain.json files on the endpoint.
If the issue persists, the Disconnected Agent Logs will be required to properly begin an investigation into these communication issues:
Related Content