K1000 - allow KACE Konea agent to talk via Azure App Proxy - certificate issue.


Fairly new to KACE and can't find the answer to this anywhere:
I'm trying to set up Azure App Proxy to allow external users to communicate with KACE (Version: 12.1.168)

The web interface works fine.
However, the agent (Konea?) seems to be looking for a different self-signed certificate (maybe C:\ProgramData\quest\kace\konea-<host>.<Domain>.com.pem).

How can I change the agent to require the same certificate as the web portal? Otherwise the agent just connects to the App Proxy, sees the certificate *.<domain>.com on the Azure Proxy doesn't match, and then errors.



Answers (2)

Posted by: Nico_K 1 month ago
Red Belt

You already know the solution. Your proxy encrypts the data with the wrong certificate, therefore you should exclude the KACE communication from it.
See here: https://support.quest.com/kb/111775/which-network-ports-and-urls-are-required-for-the-kace-sma-appliance-to-function and https://support.quest.com/kb/111785/which-directories-and-files-do-i-need-to-whitelist-for-the-sma-agent

  • Correct. However, there is no mechanism I can see to exclude the Konea agent traffic from the Azure App Proxy. It uses the same port and URL as the web interface to connect back to the server. So my only other option is to change the Konea certificate to be the same as the one used on the proxy. - iworm 1 month ago
    • We tried to do this very same thing and ran into the same issue. There is no way to exclude the Konea agent. The proxy touches the cert and KACE will not allow that. If you get this to work I'd love to hear how. It was a major setback as we cannot use "KACE GO" as a result. - barchetta 1 week ago
      • No, I couldn't figure out a way to get it to work. I did, however, do the following, which is far from ideal but better than nothing:
        1: Set up Azure App Proxy for the web portal(s) of KACE with a second new DNS name pointed at it.
        2: Leave the direct firewall port open to allow agents to talk to KACE on the original DNS name.
        3: Use the ACL rules within KACE to block access to the web portals & API from external IPs. This stops access to the portals from the direct port forward and old DNS. This retains external access to the web portals via Azure App Proxy (as the App Proxy agent is on an internal IP).
        4: Change the email templates in KACE to have the new App Proxy DNS in any URLs included in the emails. - iworm 2 weeks ago
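The thread's core symptom is that the agent pins its own self-signed certificate while the App Proxy presents a wildcard certificate. The following added diagnostic (not KACE's or Quest's code) compares the SHA-256 fingerprint of the agent's pinned PEM with the leaf certificate a given endpoint actually serves, so an admin can confirm which DNS name is direct and which is terminated upstream; the PEM path and hostnames are placeholders, and the offline demo uses constructed, non-X.509 bytes.

```python
import hashlib
import ssl
from pathlib import Path

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def fingerprint_pem(pem_text: str) -> str:
    """SHA-256 fingerprint (colon-separated hex) of the first certificate in a PEM string."""
    start = pem_text.index(PEM_HEADER)                      # tolerate leading text/whitespace
    end = pem_text.index(PEM_FOOTER, start) + len(PEM_FOOTER)  # ignore any chained certs
    der = ssl.PEM_cert_to_DER_cert(pem_text[start:end])
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_served_fingerprint(host: str, port: int = 443) -> str:
    """Fingerprint of the leaf certificate an endpoint presents. No chain validation:
    the point is only to see which certificate the agent would be shown."""
    return fingerprint_pem(ssl.get_server_certificate((host, port)))


def classify(pinned_fp: str, served_fp: str) -> str:
    """Describe a match/mismatch in terms of the scenario from this thread."""
    if pinned_fp == served_fp:
        return "match: endpoint serves the agent's pinned certificate (direct path)"
    return "mismatch: endpoint serves another certificate (TLS terminated upstream, e.g. App Proxy)"


def check_endpoint(pinned_pem_path: str, host: str, port: int = 443) -> str:
    pinned = fingerprint_pem(Path(pinned_pem_path).read_text())
    return classify(pinned, fetch_served_fingerprint(host, port))


def demo_offline() -> dict:
    """Constructed demo with fake DER bytes (not real certificates) so it runs without network."""
    pinned_pem = ssl.DER_cert_to_PEM_cert(b"constructed pinned konea cert bytes")
    proxy_pem = ssl.DER_cert_to_PEM_cert(b"constructed wildcard proxy cert bytes")
    pinned_fp = fingerprint_pem(pinned_pem)
    return {
        "direct": classify(pinned_fp, fingerprint_pem(pinned_pem)),
        "proxied": classify(pinned_fp, fingerprint_pem(proxy_pem)),
    }


if __name__ == "__main__":
    print(demo_offline())
    # Live use (placeholder path and names): compare the original DNS name with the App Proxy name.
    # PINNED = r"C:\ProgramData\quest\kace\konea-HOST.DOMAIN.com.pem"
    # for name in ("kace-direct.example.com", "kace-proxy.example.com"):
    #     print(name, "->", check_endpoint(PINNED, name))
```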
Posted by: barchetta 2 weeks ago
Black Belt

We were going to do the same but it still leaves an attack surface that my CIO wasn't happy with.
