
App Control: How To Troubleshoot Approvals Out of Date

Environment

  • App Control Console: All Supported Versions
  • App Control Agent: All Supported Versions

Objective

How to troubleshoot Agents reporting to the Console as Approvals out of Date.

Resolution

  1. Verify the Agent is currently showing as Connected in the Console.
  2. Verify the Agent is not in the Agent Upgrade cycle, as this will prevent CL Updates.
  3. Verify the Server-Agent Certificate in the Console > System Configuration > Security is not expired and is formatted correctly.
    • Common Name shown should match Server Address from the General tab.
    • Expiration Date should be in the future.
    • A matching Certificate should be listed in the Trusted Communication Certificates list at the bottom of the Security tab, and Trusted.
  4. Verify the Resource Download Location in System Configuration > Advanced is still accurate, and contains the necessary files.
  5. Verify the IIS Certificate bound to Port 443 is not expired and is formatted correctly.
    • Common Name shown should match Server Address from the General tab.
    • Expiration Date should be in the future.
    • A matching Certificate should be listed in the Trusted Communication Certificates list at the bottom of the Security tab, and Trusted.
  6. Verify the required ports for App Control are available to the Server Address. By default these are 41002 and 443.
  7. Verify whether a Proxy or other Network Appliance is between the Agents and App Control Server.
    • If a certificate exists on the Proxy or other Network Appliance, it must be imported & Trusted in the Trusted Communication Certificates list.
    • If SSL Inspection is enabled, the Agents will reject the modified packets.
    • If any other authentication (such as 2FA) is enabled for 41002 or 443, the Agents may fail to properly communicate.
  8. Verify the TrustedCertList.pem file is not corrupt.
  9. Manually import the TrustedCertList.pem and keychain.json files on the endpoint.
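
The network-side checks in steps 5 to 7 can be run from an affected endpoint with a short PowerShell script. This is an added example, not vendor code: the server name is a placeholder, and it assumes PowerShell 5 or later and that port 443 speaks TLS, as the IIS binding in step 5 implies.

```powershell
# Added example, not vendor code. $ServerAddress is a placeholder: pass the
# Server Address shown on the Console's General tab.
param(
    [string]$ServerAddress = 'appcontrol.example.com',
    [int[]]$Ports = @(41002, 443)   # defaults named in step 6
)

# Step 6: can this endpoint open a TCP connection to each required port?
foreach ($port in $Ports) {
    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        $tcp.Connect($ServerAddress, $port)
        Write-Output "Port ${port}: reachable"
    } catch {
        Write-Output "Port ${port}: NOT reachable - $($_.Exception.Message)"
    } finally {
        $tcp.Close()
    }
}

# Steps 5 and 7: read the certificate this endpoint is actually presented on 443.
$tcp = [System.Net.Sockets.TcpClient]::new()
try {
    $tcp.Connect($ServerAddress, 443)
    # Accept any certificate so an expired or untrusted one can still be inspected.
    $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $tls = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAny)
    $tls.AuthenticateAsClient($ServerAddress)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($tls.RemoteCertificate)
    $cn = $cert.GetNameInfo('SimpleName', $false)
    [pscustomobject]@{
        CommonName    = $cn
        MatchesServer = ($cn -eq $ServerAddress)            # step 5: CN vs Server Address
        NotAfter      = $cert.NotAfter
        Expired       = ($cert.NotAfter -lt (Get-Date))     # step 5: expiration
        Issuer        = $cert.Issuer                        # step 7: who signed what we received
        Thumbprint    = $cert.Thumbprint
    } | Format-List
} catch {
    Write-Output "TLS check on 443 failed - $($_.Exception.Message)"
} finally {
    $tcp.Close()
}
```

Compare the reported Thumbprint and Issuer with the certificate bound in IIS. If they differ, a proxy or other network appliance is presenting its own certificate to the endpoint, which is the situation step 7 describes.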

If the issue persists, the Disconnected Agent Logs will be required to properly begin an investigation into these communication issues:

Creation Date: 11-14-2022