Possible causes for an agent communication failure

Domain reachability

Server domains/IP addresses should be whitelisted in the firewall, proxy, antivirus, web filters, etc. Find the list of domains here. To verify domain reachability, open your browser, enter https://<domain name>, and check whether the HTTPS request succeeds without requiring any user intervention.

Proxy configuration

To make the agent communicate via a proxy, the proxy should be configured for the remote office. This can be done by navigating to Agent -> Remote Offices -> Edit Remote Office.

  • Existing agents need to be reinstalled with the new agent binaries to apply the proxy details in the agent.
  • The agent will not use the system proxy.
  • If the agent is not able to reach the proxy server, the agent will try to contact the Patch Manager Plus server without proxy.

Ensure TLS 1.2 is set as the default mode of communication

Transport Layer Security (TLS) is the security protocol used for encrypting the communication between web servers and endpoints. Support for the older versions 1.0 and 1.1 has been withdrawn due to security concerns. TLS 1.2 is mandatory for communicating with the cloud server (Refer here). On some legacy Windows devices such as Windows 7, Windows Server 2008 R2, and Windows Server 2012, TLS 1.2 is not enabled by default. Navigate to the following link to enable TLS 1.2.

Proxy certificates missing in the trusted certificate store

Some proxies might intercept the agent-server communication by presenting their own self-signed certificate. In such cases, the proxy's root certificate has to be installed in the machine's trust store. Manual certificate installation steps and certificate installation via GPO steps are attached below.

Third party root certificate is missing from the Windows trusted root certificate store

Root certificates are used to authenticate a website's identity and enable encrypted communication with the server. The Windows Root Certificate Program enables trusted root certificates to be distributed automatically in Windows.

Some of the reasons for the missing root certificates:

  • The administrator removed the root certificate from the system.
  • The system might not be patched with the Windows Root Certificate Program update.
  • The system doesn't have internet connectivity, which is needed to perform an automatic root certificate update.
  • The system administrator might have deployed a GPO policy which disables certificate auto-download:
      Registry Path:  HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\AuthRoot
      Registry Name:  DisableRootAutoUpdate
      Registry Value: 1 [REG_DWORD]

The following root certificates are used to authenticate the server domains. If the root certificate is missing on a few machines, the certificate can be installed manually.

Steps to import root certificate manually

  1. Run mmc.exe
  2. Select File -> Add/Remove Snap-in, select Certificates (certmgr) in the list of snap-ins -> Add
  3. Choose to manage certificates for the local Computer account
  4. Next -> OK -> OK
  5. Expand the Certificates node -> Trusted Root Certification Authorities Store. This section contains a list of trusted root certificates on your computer.
  6. If the above-mentioned root certificates are not available in the trusted store, right-click Trusted Root Certification Authorities Store and select All Tasks -> Import to import the root certificates into the trusted store.
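
The checks this page describes (the DisableRootAutoUpdate policy value, presence of a root certificate in the local computer's Trusted Root store, and a TLS 1.2 handshake to a server domain) can be scripted as shown here. This is an added example, not ManageEngine's code; the domain and thumbprint values are placeholders to be filled from the vendor's lists, the function names are illustrative, and .NET Framework 4.5 or later is assumed for the Tls12 enum value.

```powershell
# Added diagnostic example; not vendor code.
# ASSUMPTIONS: the two values below are placeholders. Fill them from the
# vendor's published domain list and root certificate list.
$ServerDomains   = @('server-domain.example')    # placeholder
$RootThumbprints = @('<ROOT-CERT-THUMBPRINT>')    # placeholder

function Test-RootAutoUpdatePolicy {
    # $true when the GPO value described above disables root certificate auto-update.
    $path = 'HKLM:\Software\Policies\Microsoft\SystemCertificates\AuthRoot'
    $item = Get-ItemProperty -Path $path -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.DisableRootAutoUpdate -eq 1)
}

function Test-TrustedRoot {
    param([string]$Thumbprint)
    # Looks for the certificate in the local computer's Trusted Root store.
    $clean = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    return [bool](Get-ChildItem -Path Cert:\LocalMachine\Root |
                  Where-Object { $_.Thumbprint -eq $clean })
}

function Test-Tls12Handshake {
    param([string]$HostName, [int]$Port = 443)
    # Direct TLS 1.2 handshake (no proxy settings applied), with the server
    # certificate validated against the machine trust store.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $issuer = $ssl.RemoteCertificate.Issuer
        $ssl.Dispose()
        return "OK (issuer: $issuer)"
    } catch {
        return "FAILED: $($_.Exception.GetBaseException().Message)"
    } finally {
        $client.Close()
    }
}

"DisableRootAutoUpdate policy set: $(Test-RootAutoUpdatePolicy)"
foreach ($t in $RootThumbprints) { "Root $t in LocalMachine\Root: $(Test-TrustedRoot $t)" }
foreach ($d in $ServerDomains)   { "$d TLS 1.2 handshake: $(Test-Tls12Handshake $d)" }
```

A failure that mentions certificate validation typically points to a missing root (or proxy root) certificate, while a protocol or algorithm error typically points to TLS 1.2 not being enabled on the machine.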

If the root certificate is missing on many machines, the certificates can be installed via GPO. Refer to the following steps for certificate installation via GPO.