Hi

On 4 or 5 May we upgraded PASM 5.6 to 5.7 on our central service and all of our customers' satellites. Everything was OK until 9 May. On that day, 2 of more than 20 satellites were displayed as disconnected (nearly at the same minute). Through RDP to the remote host, I saw nothing unusual at both satellites, except they both said the central host was denying connection (the message tells to take a look at firewall settings). The 2 satellites are both hosted by old Windows Server 2003 R2 and I cannot browse to my https://centralservice_url from them (I don't have the SSL warning but a failure).

Something appears to be linked with this disconnection: in the few minutes before disconnection the PASM central service generated a new self-signed certificate. Let me say we have done nothing to make this happen (the host server has not been restarted, nor the central service). Only those 2 satellites lost connection in the 5 following minutes. At one time, I suspected Win 2003, but a third Windows Server 2003 R2 doesn't have any connection after the new certificate event.

We've already tried to remove the CA directory from the central service with the same result. At one remote site, I've suppressed the disconnected satellite from central service and reinstalled satellite (without registry cleanup) with no success.

Help us please

asked 13 May '15, 05:13 PERSATL
Hi PERSATL

This is almost certainly an issue with Win 2003's limited ability to do SSL (compared to newer OSes).

First step: On the central server, look at Settings -> HTTP Server Settings. Make sure you are only using the Normal settings.

Second: Very interesting that the SSL certificate had just regenerated. It looks like between 5.6 and 5.7 the certificates went from being generated with SHA1 (which is now considered insecure) to SHA256, also known as SHA2. There is apparently a patch for Windows 2003 to support SHA256, which you can find by Googling "Windows 2003 SHA256".

If you need to downgrade your certificate, use a text editor and edit:

C:\Program Files (x86)\PA Server Monitor\MakePACA.cmd

Search for MSG_DIG. Remove the 'rem' in front of the two lines that say:

set MSG_DIG=sha1

and add 'rem' to the front of the two lines that say:

set MSG_DIG=sha256

Then delete the CA folder and new lower-security certificates will be generated that work with Windows 2003.

answered 13 May '15, 18:02 Doug ♦♦
Hi Doug

1st step: already checked.

Today one of the two satellites is back. There was an MS update waiting for reboot, and after the reboot today the connection is back again. So I didn't try the SHA256 hotfix on this system. The other Windows 2003 is waiting for MS update but cannot be restarted today. I will see next week. I will keep you informed after.

answered 15 May '15, 06:10 PERSATL