IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

Carbon Black Cloud: Sensor not connecting via proxy/firewall

Carbon Black Cloud: Sensor not connecting via proxy/firewall

Environment

  • Carbon Black Cloud Windows Sensor: Version 3.3.x.x and Higher
  • Microsoft Windows: All Supported Versions
  • Network Proxy and/or Firewall

Symptoms

  • Endpoint Standard sensor fails to install
  • Endpoint Standard sensor stops checking in to the console
  • The following error can be observed in the confer logs 
    http: schannel: next InitializeSecurityContext failed: Unknown error (0x80092013) - The revocation function was unable to check revocation because the revocation server was offline
  • This issue may also occur in environments without a proxy
  • This issue may occur on select machines while others with the same network configuration are able to communicate

Cause

  • CRL (Certificate Revocation List) checks are performed on a per application basis
  • The 3.3.x.x and higher sensor relies on Windows to execute a CRL check
  • The CRL traffic generated by Windows needs to be allowed
  • This traffic is attempting to access the ocsp.godaddy.com and crl.godaddy.com domains

Resolution

Depending on the environment, there are multiple options to allow this traffic not limited to but including the following general steps.  Specific steps will depend on environment configuration.

 

Options:

Additional Notes

  • Additional information can be found about What are some concerns with disabling the CRL check within the Sensor?
  • The minimum requirement to resolve this issue is to allow CRL check traffic to the crl.godaddy.com and ocsp.godaddy.com domains as noted in the last option listed under Resolution
  • The crl.godaddy.com and ocsp.godaddy.com domains utilize OCSP (Online Certificate Status Protocol) and Certificate Revocation List (CRL) checks to validate the sensor's install certificate
  • CAPI2 logging can be enabled on the affected device to provide further insight into CRL traffic
  • If the issue is not resolved with the above configuration changes or only occurs on a subset of machines with the same network configuration, please open a support case

Related Content


Was this article helpful? Yes No
75% helpful (3/4)
Article Information
Author:
Creation Date:
‎11-27-2018
Views:
15508
Contributors