# Troubleshooting Agent-Server Communication Failure

## Domain Reachability

Server domains/IP addresses should be whitelisted in firewalls, proxies, antivirus software, web filters, etc. Find the list of domains [here](https://www.manageengine.com/products/desktop-central/help/domains-required-for-agent-communication.html).

To verify domain reachability: Open your browser, type `https://`, and check whether the HTTPS requests are successful without requiring any user intervention.

## Proxy Configuration

To make the agent communicate via a proxy, the proxy should be configured for remote offices. This can be done by navigating to **Agent -> Remote Offices -> Edit Remote Office**.

**NOTE:**

- Existing agents need to be reinstalled with new agent binaries to apply proxy details in the agent.
- The agent will not use the system proxy.
- If the agent is unable to reach the proxy server, it will try to contact the Endpoint Central server without a proxy.

## Ensure TLS 1.2 is the Default Mode of Communication

Transport Layer Security (TLS) is the security protocol used for encrypting communication between web servers and endpoints. Support for older versions 1.0 and 1.1 has been withdrawn due to security concerns. TLS 1.2 is made mandatory for communicating with the cloud server ([Link](https://www.zoho.com/blog/general/end-of-support-for-older-tls-versions-in-zoho.html)).

In some legacy Windows devices such as Windows 7, Windows Server 2008 R2, and Windows Server 2012, TLS 1.2 is not enabled by default. Navigate to the following link to enable TLS 1.2: [Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows](https://support.microsoft.com/en-us/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392)

## Proxy Certificates Missing in Trusted Certificate Store

Some proxies might intercept agent-server communication by providing their own self-signed certificate.
In such cases, a proxy root certificate has to be installed in the machine's trust store. Manual certificate installation steps and certificate installation via GPO steps are provided below.

## Third-Party Root Certificate Is Missing from the Windows Trusted Root Certificate Store

Root certificates are used to authenticate a website's identity and enable encrypted communication with the server. The Windows Root Certificate Program enables trusted root certificates to be distributed automatically in Windows.

Some reasons for missing root certificates include:

- The administrator removed the root certificate from the system.
- The system might not be patched with the Windows Root Certificate Program Update.
- The system doesn't have internet connectivity, which is needed to perform an automatic root certificate update.
- The system administrator might have deployed a GPO policy that disables certificate auto-download.

| Registry Path | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\AuthRoot |
|---|---|
| Registry Name | DisableRootAutoUpdate |
| Registry Value | 1 [REG_DWORD] |

**The following root certificates are used to authenticate the server domains:** [link](https://downloads.zohocorp.com/dnd_120/Endpoint_Central/gZl0znE9lhlA0gk/ca-certs.zip). If the root certificate is missing on some machines, the certificate can be installed manually.

## Steps to Import Root Certificate Manually

1. Run `mmc.exe`.
2. Select **File -> Add/Remove Snap-in**, select Certificates (certmgr) in the list of snap-ins, and then click **Add**.
3. Select that you want to manage certificates of the local Computer account.

   ![](https://www.manageengine.com/products/desktop-central/images/agentcommunication.png)
4. Click **Next -> OK -> OK**.
5. Expand the Certificates node -> Trusted Root Certification Authorities Store. This section contains a list of trusted root certificates on your computer.
6. If the above-mentioned root certificates are not available in the trusted store, right-click **Trusted Root Certification Authorities Store**, select **All Tasks -> Import** to import the root certificates into the trusted store.

**If the root certificate is missing on many machines, certificates can be installed via GPO. Refer to the following steps for Certificate Installation via GPO:** [link](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policy)
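
To check a machine against the causes listed above before importing anything, the following PowerShell script reads the `DisableRootAutoUpdate` policy, reads the WinHTTP default-protocol setting, and compares certificate files with the local machine root store by thumbprint. It is an added example, not ManageEngine code; the folder `C:\Temp\ca-certs` is an assumed extraction path for `ca-certs.zip`, and `DefaultSecureProtocols` is the registry value described in the linked Microsoft article rather than one this page lists.

```powershell
# Added diagnostic example (not vendor code). Run in an elevated PowerShell session.
# Assumption: ca-certs.zip from the page was extracted to this hypothetical folder.
$CaCertDir = 'C:\Temp\ca-certs'

# 1. Policy from the table above: a value of 1 disables root certificate auto-download.
$authRoot = 'HKLM:\Software\Policies\Microsoft\SystemCertificates\AuthRoot'
$policy = Get-ItemProperty -Path $authRoot -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableRootAutoUpdate -eq 1) {
    Write-Warning 'DisableRootAutoUpdate = 1: missing roots will not be fetched automatically.'
} else {
    Write-Output 'Root certificate auto-update is not disabled by policy.'
}

# 2. WinHTTP default protocols (relevant on Windows 7 / Server 2008 R2 / Server 2012).
#    Bit 0x800 of DefaultSecureProtocols means TLS 1.2; on newer Windows the value
#    is normally absent and the OS defaults already include TLS 1.2.
$winHttp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
$proto = Get-ItemProperty -Path $winHttp -Name DefaultSecureProtocols -ErrorAction SilentlyContinue
if (-not $proto) {
    Write-Output 'DefaultSecureProtocols is not set: OS defaults apply.'
} elseif ($proto.DefaultSecureProtocols -band 0x800) {
    Write-Output 'WinHTTP default protocols include TLS 1.2.'
} else {
    Write-Warning 'WinHTTP default protocols do not include TLS 1.2.'
}

# 3. Compare each supplied root certificate with the machine trust store by thumbprint.
$trusted = @{}
Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object { $trusted[$_.Thumbprint] = $true }
$files = Get-ChildItem -Path $CaCertDir -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer }
foreach ($file in $files) {
    try {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file.FullName
    } catch {
        Write-Warning "Skipped $($file.Name): not a readable certificate file."
        continue
    }
    if ($trusted.ContainsKey($cert.Thumbprint)) {
        Write-Output "Present: $($cert.Subject)"
    } else {
        Write-Warning "MISSING: $($cert.Subject) [$($cert.Thumbprint)]"
    }
}
```

The same thumbprint comparison covers the intercepting-proxy case: place the proxy's exported root certificate in the folder alongside the others.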