Potential issues with HTTPS communication in OfficeScan XG SP1

    • Updated:
    • 14 Jun 2018
    • Product/Version:
    • OfficeScan XG.All
    • Platform:
    • Windows 10
    • Windows 2003 32-Bit
    • Windows 2003 64-Bit
    • Windows 2008 32-Bit
    • Windows 2008 64-Bit
    • Windows 2012
    • Windows 2012 Server R2
    • Windows 2016
    • Windows 7 32-Bit
    • Windows 7 64-Bit
    • Windows 8 32-Bit
    • Windows 8 64-Bit
    • Windows 8.1 32-Bit
    • Windows 8.1 64-Bit
Summary

OfficeScan XG SP1 moves the communication between agents and server to HTTPS. As a result, the communication port on the server also changes from the HTTP port (default 8080) to the HTTPS port (the same port as the Web Console, default 4343).

Some environments may encounter HTTPS communication issues due to various factors (e.g. inconsistent SSL/TLS environments, firewalls blocking the HTTPS port, etc.). This can result in agents showing offline, failing to upgrade, and not uploading logs or quarantined files.

Details

TLS

Windows negotiates the highest SSL/TLS version that both the server and the client support. For example:

  • If the server and client both support TLS 1.2, they will negotiate and use TLS 1.2.
  • If the server supports TLS 1.1 and 1.2, but the client only supports TLS 1.0 and 1.1, they will negotiate and use TLS 1.1.
  • If the server supports TLS 1.2, but the client only supports TLS 1.0, they will fail to negotiate and a connection will not be established.

See the following article for an example of this: Windows 7/2008/2008R2 agents shown as offline after upgrading to OfficeScan XG SP1.

Older operating systems may require specific patches to support newer protocols. Please refer to our PCI Data Security Standard Compatibility with OfficeScan article for advice on TLS 1.1 and 1.2.

Network Traces showing TLS connections from Agent to Server, both successful and failed

Scenario 1: agent and server both support TLS 1.2 (successful)

TCP 3-way handshake

18:19:56.533860 711 40.643720 10.0.3.50 10.0.2.105 TCP 66 50420 → 4343 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
18:19:56.546115 712 40.655975 10.0.2.105 10.0.3.50 TCP 66 4343 → 50420 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1400 WS=256 SACK_PERM=1
18:19:56.546195 713 40.656055 10.0.3.50 10.0.2.105 TCP 54 50420 → 4343 [ACK] Seq=1 Ack=1 Win=263168 Len=0

Then the Client Hello – Client informs the server what it would like to use (TLS 1.2) and what ciphers it supports. The server must agree to the same protocol and cipher suite to continue with communication.

  18:19:56.601626        714 40.711486      10.0.3.50             10.0.2.105            TLSv1.2  243    Client Hello

Frame 714: 243 bytes on wire (1944 bits), 243 bytes captured (1944 bits) on interface 0
Ethernet II, Src: Microsof_68:54:07 (00:15:5d:68:54:07), Dst: Microsof_68:54:06 (00:15:5d:68:54:06)
Internet Protocol Version 4, Src: 10.0.3.50, Dst: 10.0.2.105
Transmission Control Protocol, Src Port: 50420, Dst Port: 4343, Seq: 1, Ack: 1, Len: 189
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 184
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 180
Version: TLS 1.2 (0x0303)
Random: 5aea014c62e61f9d0e8749f2a52a8533890b9e6be56cad78...
Session ID Length: 0
Cipher Suites Length: 42
Cipher Suites (21 suites)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Compression Methods Length: 1
Compression Methods (1 method)
Extensions Length: 97
Extension: server_name (len=11)
Extension: status_request (len=5)
Extension: supported_groups (len=8)
Extension: ec_point_formats (len=2)
Extension: signature_algorithms (len=20)
Extension: SessionTicket TLS (len=0)
Extension: application_layer_protocol_negotiation (len=14)
Extension: extended_master_secret (len=0)
Extension: renegotiation_info (len=1)

Once successful, the server sends the Server Hello. This includes the same protocol as the agent (TLS 1.2), the chosen cipher, and the server’s certificate.

18:19:56.613664        716 40.723524      10.0.2.105            10.0.3.50             TLSv1.2  679    Server Hello, Certificate, Server Key Exchange, Server Hello Done

Frame 716: 679 bytes on wire (5432 bits), 679 bytes captured (5432 bits) on interface 0
Ethernet II, Src: Microsof_68:54:06 (00:15:5d:68:54:06), Dst: Microsof_68:54:07 (00:15:5d:68:54:07)
Internet Protocol Version 4, Src: 10.0.2.105, Dst: 10.0.3.50
Transmission Control Protocol, Src Port: 4343, Dst Port: 50420, Seq: 1401, Ack: 190, Len: 625
[2 Reassembled TCP Segments (2025 bytes): #715(1400), #716(625)]
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Multiple Handshake Messages
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 2020
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 90
Version: TLS 1.2 (0x0303)
Random: 5aea014c61794843f79d0c71490f191bea899c92229a00ad...
Session ID Length: 32
Session ID: f71900007caa18c93b400632a898f775aa5b0a959cefca22...
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Compression Method: null (0)
Extensions Length: 18
Extension: application_layer_protocol_negotiation (len=5)
Extension: extended_master_secret (len=0)
Extension: renegotiation_info (len=1)
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Length: 1618
Certificates Length: 1615
Certificates (1615 bytes)
Handshake Protocol: Server Key Exchange
Handshake Type: Server Key Exchange (12)
Length: 296
EC Diffie-Hellman Server Params
Handshake Protocol: Server Hello Done
Handshake Type: Server Hello Done (14)
Length: 0

After the Server Hello and receipt of the server’s certificate, the client validates that certificate and continues the handshake with its Client Key Exchange and Change Cipher Spec, using the negotiated protocol and cipher.

18:19:56.615223        718 40.725083      10.0.3.50             10.0.2.105            TLSv1.2  147    Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message

Frame 718: 147 bytes on wire (1176 bits), 147 bytes captured (1176 bits) on interface 0
Ethernet II, Src: Microsof_68:54:07 (00:15:5d:68:54:07), Dst: Microsof_68:54:06 (00:15:5d:68:54:06)
Internet Protocol Version 4, Src: 10.0.3.50, Dst: 10.0.2.105
Transmission Control Protocol, Src Port: 50420, Dst Port: 4343, Seq: 190, Ack: 2026, Len: 93
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Client Key Exchange
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 37
Handshake Protocol: Client Key Exchange
Handshake Type: Client Key Exchange (16)
Length: 33
EC Diffie-Hellman Client Params
TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
Content Type: Change Cipher Spec (20)
Version: TLS 1.2 (0x0303)
Length: 1
Change Cipher Spec Message
TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 40
Handshake Protocol: Encrypted Handshake Message

The server will use this information and follow with its portion of the handshake.

18:19:56.631367        719 40.741227      10.0.2.105            10.0.3.50             TLSv1.2  105    Change Cipher Spec, Encrypted Handshake Message

Frame 719: 105 bytes on wire (840 bits), 105 bytes captured (840 bits) on interface 0
Ethernet II, Src: Microsof_68:54:06 (00:15:5d:68:54:06), Dst: Microsof_68:54:07 (00:15:5d:68:54:07)
Internet Protocol Version 4, Src: 10.0.2.105, Dst: 10.0.3.50
Transmission Control Protocol, Src Port: 4343, Dst Port: 50420, Seq: 2026, Ack: 283, Len: 51
Secure Sockets Layer
TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
Content Type: Change Cipher Spec (20)
Version: TLS 1.2 (0x0303)
Length: 1
Change Cipher Spec Message
TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 40
Handshake Protocol: Encrypted Handshake Message

Communication will now proceed successfully with encryption.

Scenario 2: agent offers TLS 1.1 and the server accepts it (successful)

TCP 3-way handshake

16:09:20.590777 346 37.286887 10.0.3.50 10.0.2.105 TCP 66 49840 → 4343 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
16:09:20.592941 347 37.289051 10.0.2.105 10.0.3.50 TCP 66 4343 → 49840 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1400 WS=256 SACK_PERM=1
16:09:20.593575 348 37.289685 10.0.3.50 10.0.2.105 TCP 54 49840 → 4343 [ACK] Seq=1 Ack=1 Win=263168 Len=0

Then the Client Hello – Client informs the server what it would like to use (TLS 1.1) and what ciphers it supports. The server must agree to the same protocol and cipher suite to continue with communication.

16:09:20.673698        349 37.369808      10.0.3.50             10.0.2.105            TLSv1.1  191    Client Hello

Frame 349: 191 bytes on wire (1528 bits), 191 bytes captured (1528 bits) on interface 0
Ethernet II, Src: Microsof_68:54:07 (00:15:5d:68:54:07), Dst: Microsof_68:54:06 (00:15:5d:68:54:06)
Internet Protocol Version 4, Src: 10.0.3.50, Dst: 10.0.2.105
Transmission Control Protocol, Src Port: 49840, Dst Port: 4343, Seq: 1, Ack: 1, Len: 137
Secure Sockets Layer
TLSv1.1 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.1 (0x0302)
Length: 132
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 128
Version: TLS 1.1 (0x0302)
Random: 5afda9303ee62dad4c67806844112542e8746c73e46e56ea...
Session ID Length: 0
Cipher Suites Length: 14
Cipher Suites (7 suites)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Compression Methods Length: 1
Compression Methods (1 method)
Extensions Length: 73
Extension: server_name (len=11)
Extension: status_request (len=5)
Extension: supported_groups (len=8)
Extension: ec_point_formats (len=2)
Extension: SessionTicket TLS (len=0)
Extension: application_layer_protocol_negotiation (len=14)
Extension: extended_master_secret (len=0)
Extension: renegotiation_info (len=1)

Once successful, the server sends the Server Hello. This includes the same protocol as the agent (TLS 1.1 in this trace), the chosen cipher, and the server’s certificate.

16:09:20.678780        351 37.374890      10.0.2.105            10.0.3.50             TLSv1.1  677    Server Hello, Certificate, Server Key Exchange, Server Hello Done

Frame 351: 677 bytes on wire (5416 bits), 677 bytes captured (5416 bits) on interface 0
Ethernet II, Src: Microsof_68:54:06 (00:15:5d:68:54:06), Dst: Microsof_68:54:07 (00:15:5d:68:54:07)
Internet Protocol Version 4, Src: 10.0.2.105, Dst: 10.0.3.50
Transmission Control Protocol, Src Port: 4343, Dst Port: 49840, Seq: 1401, Ack: 138, Len: 623
[2 Reassembled TCP Segments (2023 bytes): #350(1400), #351(623)]
Secure Sockets Layer
TLSv1.1 Record Layer: Handshake Protocol: Multiple Handshake Messages
Content Type: Handshake (22)
Version: TLS 1.1 (0x0302)
Length: 2018
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 90
Version: TLS 1.1 (0x0302)
Random: 5afda930739cc7dc97c4e53d4d4e189e4bc26cfee1517337...
Session ID Length: 32
Session ID: b61a000002965c0ab15f31c1cefdf906555772354b27dd76...
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Compression Method: null (0)
Extensions Length: 18
Extension: application_layer_protocol_negotiation (len=5)
Extension: extended_master_secret (len=0)
Extension: renegotiation_info (len=1)
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Length: 1618
Certificates Length: 1615
Certificates (1615 bytes)
Handshake Protocol: Server Key Exchange
Handshake Type: Server Key Exchange (12)
Length: 294
EC Diffie-Hellman Server Params
Handshake Protocol: Server Hello Done
Handshake Type: Server Hello Done (14)
Length: 0

After the Server Hello and receipt of the server’s certificate, the client validates that certificate and continues the handshake with its Client Key Exchange and Change Cipher Spec, using the negotiated protocol and cipher.

16:09:20.684151        353 37.380261      10.0.3.50             10.0.2.105            TLSv1.1  171    Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message

Frame 353: 171 bytes on wire (1368 bits), 171 bytes captured (1368 bits) on interface 0
Ethernet II, Src: Microsof_68:54:07 (00:15:5d:68:54:07), Dst: Microsof_68:54:06 (00:15:5d:68:54:06)
Internet Protocol Version 4, Src: 10.0.3.50, Dst: 10.0.2.105
Transmission Control Protocol, Src Port: 49840, Dst Port: 4343, Seq: 138, Ack: 2024, Len: 117
Secure Sockets Layer
TLSv1.1 Record Layer: Handshake Protocol: Client Key Exchange
Content Type: Handshake (22)
Version: TLS 1.1 (0x0302)
Length: 37
Handshake Protocol: Client Key Exchange
Handshake Type: Client Key Exchange (16)
Length: 33
EC Diffie-Hellman Client Params
TLSv1.1 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
Content Type: Change Cipher Spec (20)
Version: TLS 1.1 (0x0302)
Length: 1
Change Cipher Spec Message
TLSv1.1 Record Layer: Handshake Protocol: Encrypted Handshake Message
Content Type: Handshake (22)
Version: TLS 1.1 (0x0302)
Length: 64
Handshake Protocol: Encrypted Handshake Message

The server will use this information and follow with its portion of the handshake.

16:09:20.686772        354 37.382882      10.0.2.105            10.0.3.50             TLSv1.1  129    Change Cipher Spec, Encrypted Handshake Message

Frame 354: 129 bytes on wire (1032 bits), 129 bytes captured (1032 bits) on interface 0
Ethernet II, Src: Microsof_68:54:06 (00:15:5d:68:54:06), Dst: Microsof_68:54:07 (00:15:5d:68:54:07)
Internet Protocol Version 4, Src: 10.0.2.105, Dst: 10.0.3.50
Transmission Control Protocol, Src Port: 4343, Dst Port: 49840, Seq: 2024, Ack: 255, Len: 75
Secure Sockets Layer
TLSv1.1 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
Content Type: Change Cipher Spec (20)
Version: TLS 1.1 (0x0302)
Length: 1
Change Cipher Spec Message
TLSv1.1 Record Layer: Handshake Protocol: Encrypted Handshake Message
Content Type: Handshake (22)
Version: TLS 1.1 (0x0302)
Length: 64
Handshake Protocol: Encrypted Handshake Message

Communication will now proceed successfully with encryption.

Scenario 3: agent offers TLS 1.2, but the server supports only up to TLS 1.1 (successful, negotiated down to TLS 1.1)

TCP 3-way handshake

16:28:58.861976 61 3.211254 10.0.2.104 10.0.2.105 TCP 66 50440 → 4343 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1
16:28:58.862262 62 3.211540 10.0.2.105 10.0.2.104 TCP 66 4343 → 50440 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
16:28:58.862567 63 3.211845 10.0.2.104 10.0.2.105 TCP 54 50440 → 4343 [ACK] Seq=1 Ack=1 Win=262144 Len=0

Then the Client Hello – Client informs the server what it would like to use (TLS 1.2) and what ciphers it supports. The server must agree to the same protocol and cipher suite to continue with communication.

16:28:58.865301         64 3.214579       10.0.2.104            10.0.2.105            TLSv1.1  261    Client Hello

Frame 64: 261 bytes on wire (2088 bits), 261 bytes captured (2088 bits) on interface 0
Ethernet II, Src: Microsof_2c:1e:23 (00:15:5d:2c:1e:23), Dst: Microsof_2c:1e:38 (00:15:5d:2c:1e:38)
Internet Protocol Version 4, Src: 10.0.2.104, Dst: 10.0.2.105
Transmission Control Protocol, Src Port: 50440, Dst Port: 4343, Seq: 1, Ack: 1, Len: 207
Secure Sockets Layer
TLSv1.1 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 202
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 198
Version: TLS 1.2 (0x0303)
Random: 5afdadca810d2ca16a5ea1c9dec9aadd5e3399c46869a418...
Session ID Length: 0
Cipher Suites Length: 38
Cipher Suites (19 suites)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Compression Methods Length: 1
Compression Methods (1 method)
Extensions Length: 119
Extension: server_name (len=23)
Extension: status_request (len=5)
Extension: supported_groups (len=8)
Extension: ec_point_formats (len=2)
Extension: signature_algorithms (len=20)
Extension: SessionTicket TLS (len=0)
Extension: application_layer_protocol_negotiation (len=14)
Extension: extended_master_secret (len=0)
Extension: token_binding (len=6)
Extension: renegotiation_info (len=1)

This time, since the server doesn’t support TLS 1.2, it counters with the highest that it does support – TLS 1.1.

16:28:58.867066         66 3.216344       10.0.2.105            10.0.2.104            TLSv1.1  617    Server Hello, Certificate, Server Key Exchange, Server Hello Done

Frame 66: 617 bytes on wire (4936 bits), 617 bytes captured (4936 bits) on interface 0
Ethernet II, Src: Microsof_2c:1e:38 (00:15:5d:2c:1e:38), Dst: Microsof_2c:1e:23 (00:15:5d:2c:1e:23)
Internet Protocol Version 4, Src: 10.0.2.105, Dst: 10.0.2.104
Transmission Control Protocol, Src Port: 4343, Dst Port: 50440, Seq: 1461, Ack: 208, Len: 563
[2 Reassembled TCP Segments (2023 bytes): #65(1460), #66(563)]
Secure Sockets Layer
TLSv1.1 Record Layer: Handshake Protocol: Multiple Handshake Messages
Content Type: Handshake (22)
Version: TLS 1.1 (0x0302)
Length: 2018
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 90
Version: TLS 1.1 (0x0302)
Random: 5afdadca99776c037d5174f25839dd8a9f464bcc5b2cc19b...
Session ID Length: 32
Session ID: ed1e00007de53e9b61c9ff044f564834a2c8e33b08b51f18...
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Compression Method: null (0)
Extensions Length: 18
Extension: application_layer_protocol_negotiation (len=5)
Extension: extended_master_secret (len=0)
Extension: renegotiation_info (len=1)
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Length: 1618
Certificates Length: 1615
Certificates (1615 bytes)
Handshake Protocol: Server Key Exchange
Handshake Type: Server Key Exchange (12)
Length: 294
EC Diffie-Hellman Server Params
Handshake Protocol: Server Hello Done
Handshake Type: Server Hello Done (14)
Length: 0

If the agent accepts TLS 1.1, the handshake continues just as it would if the agent had offered TLS 1.1 in the first place.

Scenario 4: agent offers TLS 1.1, which is below the server’s minimum (failed, TCP reset)

TCP 3-way handshake

16:44:22.880115 4241 8.801447 10.0.2.104 10.0.2.105 TCP 66 50200 → 4343 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
16:44:22.884801 4246 8.806133 10.0.2.105 10.0.2.104 TCP 66 4343 → 50200 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
16:44:22.885278 4247 8.806610 10.0.2.104 10.0.2.105 TCP 54 50200 → 4343 [ACK] Seq=1 Ack=1 Win=262656 Len=0

Then the Client Hello – Client informs the server what it would like to use (TLS 1.1) and what ciphers it supports. The server must agree to the same protocol and cipher suite to continue with communication.

16:44:22.887075       4248 8.808407       10.0.2.104            10.0.2.105            TLSv1.1  191    Client Hello

Frame 4248: 191 bytes on wire (1528 bits), 191 bytes captured (1528 bits) on interface 0
Ethernet II, Src: Microsof_2c:1e:23 (00:15:5d:2c:1e:23), Dst: Microsof_2c:1e:38 (00:15:5d:2c:1e:38)
Internet Protocol Version 4, Src: 10.0.2.104, Dst: 10.0.2.105
Transmission Control Protocol, Src Port: 50200, Dst Port: 4343, Seq: 1, Ack: 1, Len: 137
Secure Sockets Layer
TLSv1.1 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.1 (0x0302)
Length: 132
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 128
Version: TLS 1.1 (0x0302)
Random: 5afdb1662620bc243a189e5aa5b002f2367e8e6cedf00a90...
Session ID Length: 0
Cipher Suites Length: 14
Cipher Suites (7 suites)
Compression Methods Length: 1
Compression Methods (1 method)
Extensions Length: 73
Extension: server_name (len=11)
Extension: status_request (len=5)
Extension: supported_groups (len=8)
Extension: ec_point_formats (len=2)
Extension: SessionTicket TLS (len=0)
Extension: application_layer_protocol_negotiation (len=14)
Extension: extended_master_secret (len=0)
Extension: renegotiation_info (len=1)

As the TLS version offered by the agent is lower than the lowest supported by the server, the server rejects the connection with a TCP Reset.

16:44:22.891009                4249       8.812341              10.0.2.105            10.0.2.104            TCP        54           4343 → 50200 [RST, ACK] Seq=1 Ack=138 Win=0 Len=0
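
The four traces above all turn on the same two decisions: which TLS version the server answers with (the rule in the TLS section: the highest version both sides support, or no connection at all) and which cipher suite it picks from the Client Hello. The following is an added example, not Trend Micro code and not taken from the article's captures: it parses the Client Hello fields that Wireshark displays (record version, handshake version, cipher suite list, extensions) from raw bytes and then replays the negotiation outcomes of the scenarios. The Client Hello bytes, the server version sets and the server's cipher preference list are all constructed here for illustration.

```python
"""
Parse a TLS Client Hello and apply the version-negotiation rule from the
TLS section above.  Added example, not Trend Micro code.  All Client Hello
bytes and server settings below are constructed, not captured.
"""
import struct

TLS_VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

# Names for a few of the suite IDs that appear in the article's traces.
CIPHER_SUITE_NAMES = {
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}


def build_client_hello(client_version, cipher_suites, record_version=0x0301):
    """Construct a minimal Client Hello record (no extensions) for testing."""
    body = struct.pack(">H", client_version)
    body += bytes(32)                                   # client random (constructed: all zero)
    body += b"\x00"                                     # session ID length 0
    suites = b"".join(struct.pack(">H", cs) for cs in cipher_suites)
    body += struct.pack(">H", len(suites)) + suites     # cipher suites length + list
    body += b"\x01\x00"                                 # one compression method: null
    body += b"\x00\x00"                                 # extensions length 0
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = Client Hello
    return b"\x16" + struct.pack(">HH", record_version, len(handshake)) + handshake


def parse_client_hello(data):
    """Return the fields Wireshark shows: versions, cipher suites, extension types."""
    if len(data) < 5 or data[0] != 0x16:                # content type 22 = Handshake
        raise ValueError("not a TLS handshake record")
    record_version, record_len = struct.unpack(">HH", data[1:5])
    hs = data[5:5 + record_len]
    if len(hs) != record_len or not hs or hs[0] != 0x01:
        raise ValueError("truncated record or not a Client Hello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len or body_len < 35:
        raise ValueError("truncated Client Hello")
    off = 0
    client_version = struct.unpack(">H", body[off:off + 2])[0]; off += 2
    off += 32                                           # skip 32-byte client random
    sid_len = body[off]; off += 1 + sid_len             # skip session ID
    cs_len = struct.unpack(">H", body[off:off + 2])[0]; off += 2
    if cs_len % 2 or off + cs_len > len(body):
        raise ValueError("bad cipher suite length")
    suites = [struct.unpack(">H", body[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    comp_len = body[off]; off += 1 + comp_len           # skip compression methods
    extensions = []
    if off + 2 <= len(body):
        ext_len = struct.unpack(">H", body[off:off + 2])[0]; off += 2
        end = off + ext_len
        while off + 4 <= end:                           # walk the extension list
            etype, elen = struct.unpack(">HH", body[off:off + 4]); off += 4
            extensions.append(etype); off += elen
    return {"record_version": record_version, "client_version": client_version,
            "cipher_suites": suites, "extensions": extensions}


def negotiate_version(client_version, server_versions):
    """Highest server version not above the client's offer, or None (no connection)."""
    candidates = [v for v in server_versions if v <= client_version]
    return max(candidates) if candidates else None


def select_cipher_suite(client_suites, server_preference):
    """Server takes the first suite in its own preference order that the client offered."""
    offered = set(client_suites)
    return next((cs for cs in server_preference if cs in offered), None)


def simulate(client_hello, server_versions, server_preference):
    """Outcome of one handshake: (version name, suite name) or 'RST' as in Scenario 4."""
    hello = parse_client_hello(client_hello)
    version = negotiate_version(hello["client_version"], server_versions)
    suite = select_cipher_suite(hello["cipher_suites"], server_preference)
    if version is None or suite is None:
        return "RST"
    return (TLS_VERSION_NAMES[version], CIPHER_SUITE_NAMES.get(suite, hex(suite)))


if __name__ == "__main__":
    server_12_only = {0x0303}                  # constructed: server that requires TLS 1.2
    server_up_to_11 = {0x0301, 0x0302}         # constructed: server that tops out at TLS 1.1
    preference = [0xC030, 0xC014, 0x0035]      # constructed server cipher preference
    agent_12 = build_client_hello(0x0303, [0xC02C, 0xC030, 0xC014, 0x0035, 0x000A], 0x0303)
    agent_11 = build_client_hello(0x0302, [0xC014, 0x0035, 0x000A], 0x0302)
    print("Scenario 1:", simulate(agent_12, server_12_only, preference))
    print("Scenario 3:", simulate(agent_12, server_up_to_11, preference))
    print("Scenario 4:", simulate(agent_11, server_12_only, preference))
```

The simulation mirrors what the traces show: an agent offering TLS 1.2 gets TLS 1.2 from a TLS 1.2-only server (Scenario 1) and gets countered with TLS 1.1 by a server that stops at TLS 1.1 (Scenario 3), while an agent whose best offer is TLS 1.1 gets nothing back from a TLS 1.2-only server (Scenario 4). Real servers also reject a Client Hello when none of the offered suites matches their certificate type or policy, which is why the cipher check is part of the outcome.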

Certificates

Using HTTPS also creates the need for certificates and certificate validation.

All OfficeScan XG SP1 agents have their own self-signed certificate they use for communication and verification with the OfficeScan server. This can be a problem in environments that deploy HTTPS Inspection gateways. With HTTPS Inspection, the Security Gateway can inspect the traffic that is encrypted by HTTPS.

The Security Gateway uses certificates and becomes an intermediary between the client computer and the secure website. This causes a problem as OfficeScan will not trust the Security Gateway’s certificate.

Thus, OfficeScan traffic must be excluded from HTTPS Inspection on Security Gateway products.

Revert to HTTP Traffic

In some instances for compatibility or network inspection purposes, traffic may need to be reverted to HTTP.

To revert to pre-OfficeScan XG SP1 communications:

  1. Verify that you are on a version of OfficeScan XG SP1 at or later than Build 4453.
  2. Make a copy of ofcscan.ini (C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV).
  3. Stop the OfficeScan Master Service.
  4. Make the following changes to ofcscan.ini (run Notepad as Administrator so the changes can be saved):

    [Global Setting]
    UseSocketHTTPAdapter = 1
    ASE = 0

  5. Save the file as ofcscan.ini.
  6. Restart the OfficeScan Master Service.
  7. Log in to the OfficeScan web console and click on Agents > Global Agent Settings.
  8. Click Save even if there were no changes.
  9. Wait a few moments and check the newly saved ofcscan.ini and verify that the ASE value is "0".
  10. Unload and reload the OfficeScan Agent on the test agent machine.
  11. To confirm the changes on the agent machine, check the following registry entries:
    • for x64 platform: [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\]
    • for x86 platform: [HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\]

    Key: ASE
    Type: REG_DWORD
    Value: 0
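
Steps 4 and 9 of the procedure above set two keys in the [Global Setting] section and then confirm that the file the console re-saves still shows ASE = 0. The following added example, which is not Trend Micro code, applies those two keys to a copy of ofcscan.ini and reports any key that does not match; only the section and key names come from the article, and the sample INI text is constructed here.

```python
"""
Apply and verify the [Global Setting] keys from the revert-to-HTTP procedure.
Added example, not Trend Micro code.  Section and key names are from the article;
SAMPLE_INI is a constructed stand-in, not a real ofcscan.ini.
"""
import configparser
import io

SECTION = "Global Setting"
HTTP_SETTINGS = {"UseSocketHTTPAdapter": "1", "ASE": "0"}

# Constructed copy of ofcscan.ini in which the HTTPS values are still in place.
SAMPLE_INI = """[Global Setting]
UseSocketHTTPAdapter = 0
ASE = 1
SomeOtherKey = keep-me

[Other Section]
Foo = bar
"""


def _parser():
    # configparser lower-cases option names by default; keep 'ASE' exactly as written.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    return cp


def apply_http_settings(ini_text):
    """Return ini_text with UseSocketHTTPAdapter=1 and ASE=0 set in [Global Setting]."""
    cp = _parser()
    cp.read_string(ini_text)
    if not cp.has_section(SECTION):
        cp.add_section(SECTION)
    for key, value in HTTP_SETTINGS.items():
        cp.set(SECTION, key, value)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def check_http_settings(ini_text):
    """Step 9 check: return {key: (expected, actual)} for every key that is missing or wrong."""
    cp = _parser()
    cp.read_string(ini_text)
    problems = {}
    for key, expected in HTTP_SETTINGS.items():
        actual = cp.get(SECTION, key, fallback=None)
        if actual is None or actual.strip() != expected:
            problems[key] = (expected, actual)
    return problems


if __name__ == "__main__":
    print("before:", check_http_settings(SAMPLE_INI))
    reverted = apply_http_settings(SAMPLE_INI)
    print("after: ", check_http_settings(reverted))
```

configparser rewrites the whole file when it saves and drops comments and blank-line layout, so run apply_http_settings only against the copy made in step 2 and use check_http_settings to read the file the console saves in step 9; editing the live file is still best done in Notepad as the procedure describes.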

Contacting Support

If you are still having difficulty resolving this issue, please have the following information ready, if possible, when opening a support case:

  1. Go to the Trend Micro Download Center and download the Case Diagnostic Tool.
  2. Run this on a problem endpoint and the OfficeScan server.
  3. Put a check-mark next to OSCE_12Agent for the endpoint and OSCE_12Server on the server, and check Basic Information and Connectivity Issue.
  4. Click Next, then click the Start Debug Mode button and wait until it indicates ON on both machines.
  5. Start a network trace using Wireshark or the built-in Windows tracing:

    Windows 7/Server 2008 R2 and later can run in-depth built-in traces. From an elevated (Administrator) command prompt, run the following command:

    Netsh trace start capture=yes maxsize=2048 persistent=yes tracefile=C:\%computername%.etl

    • Capture tells it to capture the network traffic.
    • Scenario (an optional parameter, not used in the command above) allows us to capture more Windows internal provider information during the trace.
    • MaxSize limits the file size (in MB) so that the trace doesn’t fill up the disk. It may need to be increased, but please do not go above 4 GB per trace.
    • Persistent allows it to pick right back up after a machine restart. This is not always needed but useful if we need a trace of what happens during a restart or when a machine is coming back up.
    • Tracefile tells it where to save the trace. Folder must already exist on the machine.

    Ideally, if possible, we would want a simultaneous trace from both ends of the communication. If this is not possible, please still collect from one of the machines.

  6. On the OfficeScan Agent on the problem endpoint, choose Update Now.
  7. Once complete, click Stop Debug Mode.
  8. Stop Wireshark, or run netsh trace stop to stop the Windows trace.
    • If using Windows trace, it will then save and correlate the information. Once complete, you will have a .cab and .etl file that you can upload. Please zip them together for upload.
    • If using Wireshark, zip the pcapng file for upload.
  9. Click Next in the CDT.
  10. Select Today's Logs and click Next.
  11. Note the name of the zip created and click the Open Folder button.
  12. Upload that zip file, as well as the zipped PCAPNG or ETL/CAB from the network trace to your support case when provided with an upload link.
Category: Configure
Solution Id: 1120052