/build/static/layout/Breadcrumb_cap_w.png

Any help using KACE through TMG 2010?

Afternoon,

I am trying to publish KACE through our TMG.  I have the web console working, that was straight forward.  I cannot however get any v7 agents to connect.

I thought that v7 agents use HTTPS?

Help?


Asked 6 years ago 1480 views
2 Comments   [ + ] Show comments
  • Nico, i have the same issue with BIGIP, do we need to add something into the SSL cert for KONEA or is there a place in KACE to add the .PEM file used by the agent? I don't think bypassing konea will work in the future. - craig_andersen 6 years ago
  • I gave up.

    Still leaves me with the question "how do I patch machines outside my office?"

    At the moment we hope that a user connects a VPN...not great as who does that anymore?

    Wandering down the Direct Access route will only help Windows users. - Darkplace 6 years ago

Answers (1)

Posted by: Nico_K 6 years ago
Red Belt
0
check the logs of the agents.
I assume your TMG is inspecting the packets and reencrypt it using the wrong SSL certificate.

The agents use their own certificate to be able to communicate encrypted also with a plain non SSL appliance
Comments:
  • Thanks for the reply.

    Maybe. I am using SSL bridging...

    agent---ssl--->TMG---ssl--->KACE

    which works for the web interface.

    is it a DNS name thing? The external name is kace1000.external.com and internally it is kace1000.internal.org but again this works fine for the web console.

    Do I need a separate rule for the agent access? Besides than the web console rule? - Darkplace 6 years ago
  • d'Oh! Just checked the listener and I've got the wrong cert applied...chrome allows me to ignore the cert error however I don't think the agent does...well konea.log shows it doesn't like it! - Darkplace 6 years ago
    • that doesn't work - i dont think this is possible as the konea service uses its own cert something like

      konea-kace.work.com.pem

      with a trusted 3rd paty cert I get

      |ERROR|serverconn.go:355:createSession | Could not Negotiate |{"err":"x509: certificate is valid for kace.work.com, not konea"}

      so ssl offloading cannot be done? I'd have to have to put the KACE appliance on the "internet" in the "DMZ" - Darkplace 6 years ago
      • as I said: your TMG is applying the wrong certificate. The one for your appliance and not the needed KONEA one.
        Currently there is only one solution: Exclude the konea (the KACE ONE AGENT) traffic in your TMG - Nico_K 6 years ago
      • remember: The appliance uses two certificates:
        one for the appliance (the webui etc) and one for the agents (konea), which should not be mixed or you run in this issue. if your TMG cannot handle two certs exclude the agent traffic from it - Nico_K 6 years ago
  • Ok thanks. Shame I need to get my remote clients to VPN in to connect to KACE. - Darkplace 6 years ago
 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ