Endpoint Troubleshooting Steps-1


Endpoint Troubleshooting Steps

1. Verifying that the Endpoint client is synchronized:

Note that Connection status shows Connected (while on the network) and that the Profile name is not blank. Also, when clicking on the blue link (Updated: 21 July 2010, 17:41) as shown in the screenshot, you should see all entries filled with version numbers. If one of the entries is blank, something is wrong (see policy issues below):

2. Most Endpoint synchronization issues are related to IIS on the Endpoint server (or Manager):

   a. Check that the Endpoint URL is accessible from the Endpoint client by browsing in IE\FF to:
      https://<Endpoint Servers name or IP>/EP/EndPointServer.dll
      You can try the URL using HTTP also. The response should look like this:

      If the URL is not accessible, it's likely to be an IIS issue or FW ports 80\443 not opened between the Endpoint client and the server. The error number will give you an idea about the problem; for example, HTTP response 401 Unauthorized is likely to be permissions in IIS.

   b. If browsing to the Endpoint URL gets you an HTTP response "500 internal server error", it could be a DLL conflict. DELL servers use the same DLL name DSS uses, and it sometimes causes a conflict that prevents the Endpoint server from loading properly. The issue is valid for pre 7.5.0,1,2 versions only. There's a fix in 7.5.3. To resolve the issue:
      i. Search the server for a file named: xerces-c_2_7.dll
      ii. Rename all instances of the file that are NOT under %dss_home%
      iii. Run iisreset.

3. Checking IIS configuration

   IIS configuration should be checked for all DSS servers: Manager and Endpoint servers. The Endpoint clients connect to the server via IIS. Also, IIS is involved in the update process (for profile, policies and fingerprints).

   a. Verify that the IIS configuration is correct. See the attached document. It covers all the steps that the script in 3.b. sets automatically. Use this doc to verify IIS configuration before running the script.

IIS Sanity Check.docx

   b. Use the fixiis.vbs script to set all IIS configuration properly (usage: run cscript fixiis.vbs on the DSS server).

   c. Common IIS issues (some are covered by previous steps):
      i. Make sure the Endpoint server web extension is enabled and has the correct path:

      ii. Check the user account on the \EP and \DSS virtual servers in IIS:

Important: The user should be the service account selected during installation (this is done automatically during installation). Retype the password even if there was no change to the user and run iisreset.
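The checks from step 2, as an added PowerShell example that is not part of the original document or of the vendor's tooling. The function names `Test-EndpointUrl` and `Find-XercesOutsideDssHome` are hypothetical, the host name in the usage comment is a placeholder, and `%dss_home%` is assumed to be readable as an environment variable; the second function only lists files, and renaming them and running iisreset stay manual steps.

```powershell
# Added example (not vendor code): probe the Endpoint URL and map the result
# to the causes named in step 2.
function Test-EndpointUrl {
    param(
        [Parameter(Mandatory)] [string] $Server,          # Endpoint server name or IP
        [ValidateSet('https', 'http')] [string] $Scheme = 'https'
    )
    $url = "${Scheme}://$Server/EP/EndPointServer.dll"
    try {
        $status = [int](Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15).StatusCode
    } catch {
        # An HTTP error (401, 500, ...) still carries a response object;
        # a closed port, DNS failure or TLS failure does not.
        $resp   = $_.Exception.Response
        $status = if ($resp) { [int]$resp.StatusCode } else { 0 }
    }
    $hint = switch ($status) {
        200     { 'URL reachable; compare the body with the expected response' }
        401     { 'Unauthorized: likely permissions in IIS (step 3)' }
        500     { 'Internal server error: possible xerces-c_2_7.dll conflict (step 2.b)' }
        0       { 'No HTTP response: IIS not answering or FW ports 80\443 not opened' }
        default { 'Unexpected status: verify the IIS configuration (step 3)' }
    }
    [pscustomobject]@{ Url = $url; Status = $status; Hint = $hint }
}

# Step 2.b.i-ii: list copies of the DLL that are NOT under %dss_home%.
function Find-XercesOutsideDssHome {
    param(
        [string] $DssHome = $env:dss_home,   # assumption: set on the DSS server
        [string] $Root    = 'C:\'
    )
    if (-not $DssHome) { throw 'dss_home is not set; pass -DssHome explicitly' }
    # Trailing backslash so that a sibling folder with a longer name is not treated as DSS home
    $prefix = $DssHome.TrimEnd('\') + '\'
    Get-ChildItem -Path $Root -Filter 'xerces-c_2_7.dll' -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { -not $_.FullName.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase) } |
        Select-Object FullName, Length, LastWriteTime
}

# Usage (placeholder host name):
#   Test-EndpointUrl -Server 'endpoint-server.example'
#   Test-EndpointUrl -Server 'endpoint-server.example' -Scheme http
#   Find-XercesOutsideDssHome
```

A status of 0 over HTTPS together with a normal answer over HTTP points at port 443 or at the TLS layer rather than at IIS itself.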

4. If the Endpoint client shows connection status as "disconnected":

   a. Localconfig.xml - Make sure the localconfig.xml file on the endpoint client points to a valid Endpoint server. The file can be found under "x:\Program Files\Websense\Data Security\Websense Data Endpoint". You will normally see 2 entries for each endpoint server: one by IP and one by hostname\fqdn.

   b. Certificate mismatch - The Endpoint client uses a certificate for authentication with the Endpoint server. Validate that the certificate on the endpoint client (x:\Program Files\Websense\Data Security\Websense Data Endpoint\ca.cer) is the same as the certificate on the server (%dss_home%\ca.cer). If there's a mismatch, you need to reinstall the endpoint client or replace the ca.cer file on the Endpoint with the one that's on the server.

5. If the Endpoint shows as "connected" but can't download a new profile\policy:

   a. Policy files dependency issues - policies have many dependency files that the Endpoint needs to download along with the policy itself. If one of the dependency files is corrupt or missing, the Endpoint will fail to receive a new policy version. You can detect the issue in the Endpoint's logs: look for "dependency" errors in x:\Program Files\Websense\Data Security\Websense Data Endpoint\Logs\EndpointClassifier.log and EndpointAdapter.log. If you encounter this issue, please contact tech support or remove the problematic policy for the time being.

6. Working with logs

   The Endpoint logs will greatly assist in finding the root cause of a problem. The logs are located at:
   a. x:\Program Files\Websense\Data Security\Websense Data Endpoint\Logs\EndpointClassifier.log - analysis related log.
   b. x:\Program Files\Websense\Data Security\Websense Data Endpoint\Logs\EndpointAdapter.log - communication layer between transactions and analysis, and configuration\system status messages.
   c. x:\Program Files\Websense\Data Security\Websense Data Endpoint\debugdump.txt - log for OS hooking, transactions that are sent to analysis and general Endpoint driver related information.

   To change the logging level:
   a. Disable the Endpoint's anti-tampering protection by running:
      "x:\Program Files\Websense\Data Security\Websense Data Endpoint\Wdeutil" set DisableAntiTampering=true
   b. Change the required topic for the relevant log (from "error" to "debug") in:
      x:\Program Files\Websense\Data Security\Websense Data Endpoint\conf\EndpointAdapter.log.config and EndpointClassifier.log.config

   c. To enable debugdump.txt debug logs:
      i. In the regedit registry editor, go to: Computer --> HKEY_LOCAL_MACHINE --> SOFTWARE --> Websense --> Agent --> DSE
      ii. Create a new REG_DWORD named debug_mode
      iii. Change the value of debug_mode to 1.

7. EndpointClassifier topics related to communication\synchronization (change to debug):
   a. Communication
   b. EndPointClassifierService
   c. ClientCommunication
   d. Configuration
   e. EndpointClassifier
   f. ConnectionStatus
   g. IncidentReport

8. Checking Fingerprinting download issues:
   a. Verify IIS configuration
   b. Verify that the fingerprints version on the server is the same as on the Endpoint - this is an example for a mismatch:

   c. Make sure FPNE files are created during fingerprinting (FPNE are the fingerprints that are downloaded by the Endpoint) - the number listed here will be different in each DSS setup:

9. Collecting debug data for in house analysis:
   a. Run x:\Program Files\Websense\Data Security\Websense Data Endpoint\clientinfo.exe and collect the zip file created on the desktop.
   b. If clientinfo.exe fails to gather the logs for any reason, collect the following:
      INSTALLDIR\DebugDump.txt
      INSTALLDIR\Logs\
      INSTALLDIR\*.xml
      INSTALLDIR\*.config
      INSTALLDIR\*.hsw
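For the certificate check in step 4.b, an added PowerShell example (not from the original document or the vendor) that compares the two ca.cer files by certificate thumbprint, so that a copy saved in a different encoding (DER versus Base64) is not reported as a mismatch. The function names are hypothetical and both paths are supplied by the operator.

```powershell
# Added example, not vendor code. Pass the real paths from step 4.b:
#   -ClientCer 'x:\Program Files\Websense\Data Security\Websense Data Endpoint\ca.cer'
#   -ServerCer a copy of %dss_home%\ca.cer taken from the Endpoint server
function Get-CaCertInfo {
    param([Parameter(Mandatory)] [string] $Path)
    $full = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).ProviderPath
    # X509Certificate2 reads both DER and Base64 encoded .cer files
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full
    [pscustomobject]@{
        Path       = $full
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint   # SHA-1 over the decoded certificate
        FileSha256 = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
    }
}

function Compare-EndpointCaCert {
    param(
        [Parameter(Mandatory)] [string] $ClientCer,
        [Parameter(Mandatory)] [string] $ServerCer
    )
    $client = Get-CaCertInfo -Path $ClientCer
    $server = Get-CaCertInfo -Path $ServerCer
    $same   = $client.Thumbprint -eq $server.Thumbprint
    if ($same) {
        $action = 'Certificates match; check localconfig.xml next (step 4.a)'
    } else {
        $action = 'Mismatch: reinstall the client or replace its ca.cer with the server copy'
    }
    [pscustomobject]@{
        Match         = $same
        # False with Match = True means same certificate, different file encoding
        SameFileBytes = $client.FileSha256 -eq $server.FileSha256
        Client        = $client
        Server        = $server
        Action        = $action
    }
}

# Usage (paths are placeholders for the two files named in step 4.b):
#   Compare-EndpointCaCert -ClientCer '<client ca.cer>' -ServerCer '<server ca.cer copy>' | Format-List
```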
