Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Enabling Apex One features is stuck at "Pending: Managed Server deploying" status

    • Updated:
    • 23 Jun 2020
    • Product/Version:
    • Apex Central All
    • Apex One 2019
    • Platform:
Summary

Users may not be able to activate managed product licenses (Application Control, Endpoint Sensor, Vulnerability Protection), or may not be able to send the enhanced security policies to Security Agents across the network successfully when managing the Apex One server from the Apex Central web console.

The policy deployment from Apex Central is stuck on "Pending: Managed Server Deploying" status.

Pending: Managed Server deploying

Root Cause Analysis

In Apex One Server ofcdebug.log located at..\Trend Micro\Apex One\PCCSRV\Log\, HTTP Error 403.16 appears when Apex One server fails to access https://:/officescan/osfwebapp/api/v1/SystemCall:

[][ofcservice.exe]BoostHTTPContext::prepareContext - prepare context scheme=[https], 
    host=[<FQDN or IP of Apex One Server>], port=[4343], target=[/officescan/osfwebapp/api/v1/SystemCall] - [libosfsvcclienthttpcontext.cpp(236)]
 
[][ofcservice.exe]BoostHTTPClient::receive - http response code=403 - [libosfsvcclienthttpclient.cpp(103)]
[CMDHO2][ofcservice.exe]SendOSFServiceCall - OSF Web Service Response status=[403], http version=[11] - [cmdho2_osf.cpp(2495)]
[CMDHO2][ofcservice.exe]SendOSFServiceCall - OSF Web Service Response bytes=[5171], body=[
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>IIS 10.0 Detailed Error - 403.16 - Forbidden</title>

This issue occurs when the Apex One Server web certificate is not trusted by IIS. Therefore, Apex One server fails to access https://<FQDN or IP of Apex One Server>:<https port>/officescan/osfwebapp/api/v1/SystemCall due to invalid certificate.

Windows Server 2012 implements checks for a higher level of trust for certificate authentication. This issue occurs because a certificate that is not self-signed was installed in the Trusted Root Certification Authorities store. For example, customer uses a non-self-signed certificate (e.g. 3rd party signed certificate) as the Apex One Server web certificate.

Details
Public
  1. If Apex One server website uses a 3rd party certificate (e,g, a certificate signed by corporate Certificate Authority), please follow Step 6 described in this KB article: Configuring Apex One to use a certificate signed by corporate Certificate Authority.
    1. Move any non–self-signed certificates out of the Trusted Root Certification Authorities certificate store and into the Intermediate Certification Authorities certificate store.
    2. Turn on the Exclusive CA Trust mode on the OS:
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel]
      Name: ClientAuthTrustMode
      Type: REG_DWORD Value: 2
  2. (Optional) If Apex One Server uses self-signed certificate and is already expired, please follow the steps below to renew Apex One Server web site certificate.
    1. Renew Apex One Server web site certificate.
      1. On the OfficeScan server, open a command prompt.
      2. Go to the \Program Files\Trend Micro\OfficeScan\PCCSRV directory.
      3. Run the following command to add a new certificate to the IIS certificate store:
        svrsvcsetup –GenIISCert
    2. Confirm the renewal of the certificate.
      1. Open the IIS Manager console (inetmgr.exe).
      2. In the IIS Manager, expand the Sites folder and highlight the OfficeScan virtual site.
      3. In the Actions pane, click Bindings... to open the Site Bindings window.
      4. In the Site Bindings window, select type="https" and click Edit.... The Edit Site Binding window will appear.
      5. From the SSL Certificate section, click the Select... button and verify that the certificate expiration date has been extended, or select the certificate with the latest expiration date.
      6. Click OK to close the window.
    3. Remove old web site certificate.
      1. Open the Certificates MMC Snap-In.
      2. Navigate to the Local Computer/Personal store, and find the expired certificate.
      3. Right-click on the certificate, then select Delete.

Make sure the certificates exist and is valid:

  • Trusted Root Certificate Authorities > Certificates > OfcOSFWebRootCA

    OfcOSFWebRootCA

  • OfcOSF > Certificates > OfcOSFWebApp

    OfcOSFWebApp

  1. To verify if the steps performed worked, run the command:
    Test “OSFWebApp” > svrsvcsetup.exe -testOSFWebApp
    Result should return HTTP 200 status if issue has been resolved.
  2. Re-deploy policies again from Apex Central.

If the issue persists:

Premium
Internal
Partner
Rating:
Category:
Troubleshoot
Solution Id:
000250012
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.