
KACE Product Support Question


Any help using KACE through TMG 2010?

05/24/2017 1328 views
Afternoon,

I am trying to publish KACE through our TMG.  I have the web console working, that was straightforward.  I cannot, however, get any v7 agents to connect.

I thought that v7 agents use HTTPS?

Help?



Comments

  • Nico, I have the same issue with BIGIP, do we need to add something into the SSL cert for KONEA or is there a place in KACE to add the .PEM file used by the agent? I don't think bypassing konea will work in the future.
  • I gave up.

    Still leaves me with the question "how do I patch machines outside my office?"

    At the moment we hope that a user connects a VPN...not great as who does that anymore?

    Wandering down the Direct Access route will only help Windows users.

All Answers

0
Check the logs of the agents.
I assume your TMG is inspecting the packets and re-encrypting them using the wrong SSL certificate.

The agents use their own certificate to be able to communicate encrypted also with a plain non-SSL appliance.
Answered 05/24/2017 by: Nico_K
Red Belt

  • Thanks for the reply.

    Maybe. I am using SSL bridging...

    agent---ssl--->TMG---ssl--->KACE

    which works for the web interface.

    Is it a DNS name thing? The external name is kace1000.external.com and internally it is kace1000.internal.org but again this works fine for the web console.

    Do I need a separate rule for the agent access, besides the web console rule?
  • D'oh! Just checked the listener and I've got the wrong cert applied...Chrome allows me to ignore the cert error however I don't think the agent does...well konea.log shows it doesn't like it!
    • That doesn't work - I don't think this is possible as the konea service uses its own cert, something like

      konea-kace.work.com.pem

      With a trusted 3rd party cert I get

      |ERROR|serverconn.go:355:createSession | Could not Negotiate |{"err":"x509: certificate is valid for kace.work.com, not konea"}

      So SSL offloading cannot be done? I'd have to put the KACE appliance on the "internet" in the "DMZ"
      • As I said: your TMG is applying the wrong certificate. The one for your appliance and not the needed KONEA one.
        Currently there is only one solution: Exclude the konea (the KACE ONE AGENT) traffic in your TMG.
      • Remember: The appliance uses two certificates:
        one for the appliance (the web UI etc.) and one for the agents (konea), which should not be mixed or you run into this issue. If your TMG cannot handle two certs, exclude the agent traffic from it.
  • Ok thanks. Shame I need to get my remote clients to VPN in to connect to KACE.
