Solved: Re: "no https resonse" MXP Endpoints in TMS

CGL · ‎04-29-2018

Hi all,

We are migrating some systems to our new TMS server and encountering an issue in TMS where MXP endpoints show an error as "no https response"

We are running Windows Server 2016 and TLS is enabled by default on that so no issue there.

I can access the systems through the browser using Chrome but not IE from the server directly.

The software on the endpoints is 9.3.3 and the TMS is 15.6.1

Can anyone please assist, thanks.

Nick Halbert-Lillyman · ‎04-29-2018

Was it running a different version of Windows? And could you browse OK from IE on that version?

If so, Windows Server 2016 may have disabled older versions of TLS and/or weak cyphers.

View solution in original post

CGL · ‎05-03-2018

Just in-case anyone come's across the same issue in the future I figured out two workarounds:

I telnet'd into the MXP's and disabled the https via the following commands:

telnet IP

password

xconfiguration https mode: off

xcommand boot

We had a script made up that handle this process automatically for the 170 systems.

This allowed the system to register correctly with the TMS and we pushed the update to the 170 systems to F9.3.4, where we then enabled https.

Secondly, a method we didn't try but was provided by another source was to enable the RC4 cipher within server 2016 using the following:

Here are the RC4 keys:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4

40/128\Enabled

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4

56/128\Enabled

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4

64/128\Enabled

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4

128/128\Enabled

You probably need MD5, SHA1 and TLS 1.0 as well (DisabledByDefault should be

0x0):

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5\

Enabled

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA\

Enabled

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\T

LS 1.0\Client\Enabled

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\T

LS 1.0\Client\DisabledByDefault

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\T

LS 1.0\Server\Enabled

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\T

LS 1.0\Server\DisabledByDefault

Finally the cipher suites, they are are TLS_RSA_WITH_RC4_128_SHA and TLS_RSA_WITH_RC4_128_MD5. You can use the Group Policy Editor to set those to the top of the list or in the registry here:

HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002

Thanks again!

View solution in original post

Nick Halbert-Lillyman · ‎04-29-2018

Try upgrading the MXP's to 9.3.4, there were some changes to the supported cyphers which may correlate with HTTPS version compatibility.

CGL · ‎04-29-2018

Thank Nick,

We had no issues on our previous TMS server with the same environment but running 15.6.0?

Would the update to 15.6.1 be the cause of the issue?

Cheers!

Nick Halbert-Lillyman · ‎04-29-2018

Was it running a different version of Windows? And could you browse OK from IE on that version?

If so, Windows Server 2016 may have disabled older versions of TLS and/or weak cyphers.

CGL · ‎04-29-2018

Yes, it was running Windows Server 2012, I don't have access to that network to check the IE question unfortunately.

I have checked the TLS settings of Windows 2016 and I believe they are enabled.

Nick Halbert-Lillyman · ‎04-29-2018

Definitely suggest trying an upgrade on one of the MXPs if you can't browse from IE

CGL · ‎04-29-2018

Thanks Nick, I will see what I can do and report back.

CGL · ‎04-30-2018

Hi Nick,

I updated the test environment to 9.3.4 and it fixed the issue.

Looks to be a weak cipher on the MXP endpoints causing issues with Server 2016.

Thanks again for your advice!

JFerello · ‎04-30-2018

Make sure the following setting is disabled in Windows on the TMS server:

1) Click start, then in the search area type secpol.msc and hit enter

2) Expand 'Local Policies'

3) Click on 'Security Options'

4) Scroll down to 'System cryptography: Use FIPS compliant algorithms for encryption....' and 'Disable' this

5) Reboot, then try to re-add the endpoints to TMS

Also make sure TLS v1.0 and or 1.1 is enabled as the MXPs only support up to 1.1

Make sure SNMP is enabled on the server as I am not sure that MXPs can use HTTP/HTTPs for management from TMS.

Lastly, check the proxy mode for the local accounts:

The are 2 very common causes for no https responce. One is the use of a proxy server:

To follow up with what Artem posted, the bitsadmin utility is built into Windows Server 2008. If you are running Windows Server 2003, you will need to download the Windows Server 2003 Service Pack 2 32-bit Support Tools:

http://www.microsoft.com/en-us/download/details.aspx?id=15326

Run the command prompt by right-clicking it and select "run as administrator". There are three commands you will need to run:

bitsadmin /util /getieproxy localsystem

bitsadmin /util /getieproxy localservice

bitsadmin /util /getieproxy networkservice

If you receive "AUTO" as a response, run the command:

nslookup wpad

The "AUTO" setting sets Windows to do a DNS resoltuion for wpad. Besure *NOT* to do the FQDN including your DNS domain. Windows will auto-append its known DNS domains to wpad. If wpad returns a response that resolves to a proxy server, or if bitsadmin returns a manually configured list, verify if the TMS services need to use a proxy server to managed its registered devices. If i does not, run the following command to clear the proxy settings:

bitsadmin /util /setieproxy localsystem no_proxy

bitsadmin /util /setieproxy localservice no_proxy

bitsadmin /util /setieproxy networkservice no_proxy

If the TMS server does require the use of a proxy server to manage its endpoints, besure that the proxy configuration allows a bypass for those devices that TMS does not need to use a proxy for. Also, besure that the proxy server does not require authentication for the TMS services to access the devices it needs to use a proxy for. Keep in mind that proxy settings could be getting applied via Active Directory Group Policies. If this is the case, you will need to work with the AD Administrators to verify tha tthe correct settings are applied to the TMS server.

Thanks,
Justin Ferello

CGL · ‎04-30-2018

Thanks for the tips Justin,

I just finished updating the software to 9.3.4 from 9.3.3 and it fixed the issue within the test environment.

Looks to be an issue with the weak 64bit Cipher on the MXP if I am not mistaken.

Thanks!

CGL · ‎05-03-2018

Just in-case anyone come's across the same issue in the future I figured out two workarounds:

I telnet'd into the MXP's and disabled the https via the following commands:

telnet IP

password

xconfiguration https mode: off

xcommand boot

We had a script made up that handle this process automatically for the 170 systems.

This allowed the system to register correctly with the TMS and we pushed the update to the 170 systems to F9.3.4, where we then enabled https.

Secondly, a method we didn't try but was provided by another source was to enable the RC4 cipher within server 2016 using the following:

Here are the RC4 keys:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4

40/128\Enabled

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4

56/128\Enabled

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4

64/128\Enabled

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4

128/128\Enabled

You probably need MD5, SHA1 and TLS 1.0 as well (DisabledByDefault should be

0x0):

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5\

Enabled

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA\

Enabled

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\T

LS 1.0\Client\Enabled

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\T

LS 1.0\Client\DisabledByDefault

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\T

LS 1.0\Server\Enabled

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\T

LS 1.0\Server\DisabledByDefault

Finally the cipher suites, they are are TLS_RSA_WITH_RC4_128_SHA and TLS_RSA_WITH_RC4_128_MD5. You can use the Group Policy Editor to set those to the top of the list or in the registry here:

HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002

Thanks again!