Skyhigh Security

Private Access Connections

Prerequisites for deploying Connectors

  • Provisioning Key - Copy the text string generated for the connector group in the Skyhigh Security UI (User Interface) and supply it as a parameter to the deployment script (infra.sh).

  • Proxy information - If you use a proxy server, make sure that the IP address of the proxy server and certain domains are bypassed. For the list of domains, see Deploy Connectors.

  • Gateway IP - Choose the nearest Gateway IP. The Connector establishes a secure tunnel to that Private Access Gateway, through which Client Proxy traffic reaches the private applications. The Gateway IP is supplied as a parameter to the deployment script (infra.sh). Refer to the product guide for the list of Gateway URLs.

    For more information about deploying connectors, see Deploy Connectors.

Troubleshooting connectors

Resolve a URL with the system DNS (Domain Name System)

For a Connector to function, the system DNS must be able to resolve both Skyhigh Security URLs and Private Application URLs.

Perform the following to check that the system DNS resolves both Skyhigh Security and Private Application URLs:

  1. Log on to the connector host as a privileged account (root user) using SSH (Secure Shell).

  2. Execute the script using the following command:

    • /opt/Mcafee/cwpp/pop/PoPDeployment/PoPCreation/vCenter/pa_connector.sh

  3. Choose option 1 (Resolve a domain name) from the list of commands.

  4. Enter the domain name to resolve.
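The menu script resolves one name at a time. The following is an added example, not part of the vendor's pa_connector.sh, that checks a whole list of names with the same system resolver the connector processes use (getent consults /etc/hosts and the servers in /etc/resolv.conf, unlike dig or nslookup, which bypass NSS). The hostnames in the usage line are placeholders; substitute the Skyhigh Security URLs from Deploy Connectors and your own private application hostnames.

```shell
#!/bin/sh
# Added example: check that the system DNS resolves every hostname a
# connector depends on. Hostnames passed on the command line are assumed
# to be the Skyhigh Security URLs plus your private application URLs.

# resolve_all NAME... : prints one line per name and returns the number of
# names the system resolver could not answer (0 means all resolved).
resolve_all() {
    failed=0
    for name in "$@"; do
        # getent hosts goes through NSS, i.e. the same path as the
        # connector's own lookups; take the first address it returns.
        addr=$(getent hosts "$name" | awk 'NR == 1 { print $1 }')
        if [ -n "$addr" ]; then
            printf 'OK    %-45s %s\n' "$name" "$addr"
        else
            printf 'FAIL  %-45s no answer from system DNS\n' "$name"
            failed=$((failed + 1))
        fi
    done
    if [ "$failed" -gt 0 ]; then
        echo "$failed name(s) did not resolve; check /etc/resolv.conf on the connector host" >&2
    fi
    return "$failed"
}

# Usage (placeholder names, adjust to your deployment):
#   resolve_all api.skyhigh.example private-app.corp.example
```

A non-zero return is the count of unresolved names, so the function can gate a deployment script (`resolve_all ... || exit 1`) as well as be read by eye.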

Restart connector services

Perform the following to restart all services that run in a connector:

  1. Log on to the connector host as a privileged account (root user) using SSH.

  2. Execute the script using the following command:

    • /opt/Mcafee/cwpp/pop/PoPDeployment/PoPCreation/vCenter/pa_connector.sh

  3. Choose option 2 to restart all services.

Test the HTTP proxy set

Perform the following to test whether a Private Application is reachable through a Connector:

  1. Log on to the connector host as a privileged account (root user) using SSH.

  2. Execute the script using the following command:

    • /opt/Mcafee/cwpp/pop/PoPDeployment/PoPCreation/vCenter/pa_connector.sh

  3. Choose option 3.

  4. Enter the URL of the Private Application.
     The script displays the Connection established message if the Private Application is reachable.

Test the system proxy

The Cloud API (Application Programming Interface) URLs are accessed through the system proxy.

Perform the following to test the system proxy and verify that it is passed to the Connector as HTTP_PROXY:

  1. Log on to the connector host as a privileged account (root user) using SSH.

  2. Execute the script using the following command:

    • /opt/Mcafee/cwpp/pop/PoPDeployment/PoPCreation/vCenter/pa_connector.sh

  3. Choose option 4.

  4. Enter the URL to test the system proxy.
     This test works only when HTTP_PROXY is set.
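Options 3 and 4 test two different paths: a Private Application is reached directly from the connector, while the Cloud API is reached through the system proxy. The following added example (not the vendor's script) reproduces both checks with curl so they can be run from a cron job or a deployment pipeline. The URLs and the 10-second timeout are assumptions; the distinction between `--noproxy '*'` (option 3) and `-x "$HTTP_PROXY"` (option 4) is the point of the example.

```shell
#!/bin/sh
# Added example: scriptable versions of the "private application reachable"
# and "system proxy" checks. URLs and timeouts are assumptions.

# test_private_app URL : connect to a private application directly from the
# connector host, deliberately ignoring any proxy variables, because private
# applications are not reached through the system proxy. Returns 0 when a
# connection was established and an HTTP status came back (any status counts
# as reachable; a 403 still proves the path works).
test_private_app() {
    url=$1
    code=$(curl --noproxy '*' -sS -o /dev/null --max-time 10 \
                -w '%{http_code}' "$url") || {
        echo "Connection to $url failed" >&2
        return 1
    }
    echo "Connection established to $url (HTTP $code)"
}

# test_system_proxy URL : reach a Cloud API URL through HTTP_PROXY, the way
# the connector does. Returns 2 immediately when HTTP_PROXY is unset, which
# mirrors the note above that this check works only when it is set; returns
# 1 when the proxy could not reach the URL.
test_system_proxy() {
    url=$1
    if [ -z "${HTTP_PROXY:-}" ]; then
        echo "HTTP_PROXY is not set on this host; nothing to test" >&2
        return 2
    fi
    code=$(curl -x "$HTTP_PROXY" -sS -o /dev/null --max-time 10 \
                -w '%{http_code}' "$url") || {
        echo "Proxy $HTTP_PROXY could not reach $url" >&2
        return 1
    }
    echo "Reached $url via $HTTP_PROXY (HTTP $code)"
}

# Usage (placeholder URLs):
#   test_private_app https://intranet.corp.example/
#   test_system_proxy https://api.skyhigh.example/
```

Run the second function with the same environment the connector services see (for example via `sudo -E` or after sourcing the same profile), otherwise a proxy that is set for your shell but not for the connector will pass the test and still fail in production.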

Log collection

This option collects logs, configuration, and the state of processes, and generates an archive named connector_state_<currentdate_time>.tar.gz in /tmp/.

  1. Log on to the connector host as a privileged account (root user) using SSH.

  2. Execute the script using the following command:

    • /opt/Mcafee/cwpp/pop/PoPDeployment/PoPCreation/vCenter/pa_connector.sh

  3. Choose option 5.

  4. Once the command has completed, find the archive file in /tmp/.

  5. Upload the latest connector_state_<currentdate_time>.tar.gz to the support portal for review.

Stop a connector

  1. Log on to the connector host as a privileged account (root user) using SSH.

  2. Execute the script using the following command:

    • /opt/Mcafee/cwpp/pop/PoPDeployment/PoPCreation/vCenter/pa_connector.sh

  3. Choose option 6.

Start a connector

  1. Log on to the connector host as a privileged account (root user) using SSH.

  2. Execute the script using the following command:

    • /opt/Mcafee/cwpp/pop/PoPDeployment/PoPCreation/vCenter/pa_connector.sh

  3. Choose option 7.


Tips

  • Get the Private Access connector pod name using sudo kubectl get pods -n cwpp
  • To log in to the pod, run sudo kubectl exec -ti <pod_name> -n cwpp -- bash
  • To install a connector again on the same VM (Virtual Machine), first run the following commands:
    • sudo rm -rf /opt/McAfee/
    • snap remove microk8s
  • Bringing up the VPN (Virtual Private Network) tunnel: tunnels are created between the connector and the Private Access Gateway.

    • Run ifconfig to check that the tunnels tun0 and tun1 exist and have an IP address of the form 10.8.0.x.

    • Check /mcafee/mount/logs/postRegistration.log and /mcafee/mount/logs/openvpn_client.log.

  • Monitor health updates: check /mcafee/mount/logs/healthUpdate.log to ensure that the VPN tunnel is up. The health update requires the list of private applications monitored by the connector, so check that the private application list sync succeeded and that /mcafee/private_apps.json is present.

  • Proxy to private applications: check /mcafee/mount/logs/debug.log to ensure that an application is reachable and not blocked by policy. Ensure that the DNS configured on the connector can reach the private applications and resolve their URLs.
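The tunnel check above is the one most worth automating, because a connector whose tun0/tun1 are missing or carry the wrong address will fail every later step. The following is an added example, not part of the vendor's tooling: it parses the output of `ip -o -4 addr show` (the iproute2 equivalent of ifconfig, which is deprecated on current distributions) and verifies that both interfaces exist with a 10.8.0.x address. The sample output embedded in `sample_healthy` is constructed for illustration, not captured from a real connector; the interface names and address range are taken from the tip above.

```shell
#!/bin/sh
# Added example: verify the OpenVPN tunnel interfaces of a connector.
# Reads `ip -o -4 addr show` output on stdin so it also works on saved output.
# The expected interfaces (tun0, tun1) and range (10.8.0.x) come from the page.

# check_tunnels : prints one line per expected tunnel and returns the number
# of tunnels that are absent, have no IPv4 address, or are outside 10.8.0.x.
check_tunnels() {
    addrs=$(cat)
    missing=0
    for tun in tun0 tun1; do
        # `ip -o -4 addr show` emits one interface per line, e.g.
        #   4: tun0    inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0\ ...
        # so field 2 is the device, field 3 is "inet" and field 4 the address
        # (with or without a /prefix, depending on point-to-point setup).
        ip4=$(printf '%s\n' "$addrs" |
              awk -v dev="$tun" '$2 == dev && $3 == "inet" { sub("/.*", "", $4); print $4; exit }')
        case "$ip4" in
            10.8.0.*) printf 'OK    %s has %s\n' "$tun" "$ip4" ;;
            "")       printf 'FAIL  %s is absent or has no IPv4 address\n' "$tun"
                      missing=$((missing + 1)) ;;
            *)        printf 'WARN  %s has %s, expected 10.8.0.x from the PA Gateway\n' "$tun" "$ip4"
                      missing=$((missing + 1)) ;;
        esac
    done
    if [ "$missing" -gt 0 ]; then
        echo "check /mcafee/mount/logs/postRegistration.log and /mcafee/mount/logs/openvpn_client.log" >&2
    fi
    return "$missing"
}

# Constructed sample of `ip -o -4 addr show` from a healthy connector (not real output).
sample_healthy() {
    cat <<'EOF'
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever
4: tun0    inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0\       valid_lft forever preferred_lft forever
5: tun1    inet 10.8.0.10/24 brd 10.8.0.255 scope global tun1\       valid_lft forever preferred_lft forever
EOF
}

# Live usage on a connector host:   ip -o -4 addr show | check_tunnels
# Offline usage against the sample: sample_healthy | check_tunnels
```

Both the point-to-point form (`inet 10.8.0.6 peer 10.8.0.5/32`) and the subnet form (`inet 10.8.0.10/24`) are handled, since OpenVPN can hand out either depending on the topology the gateway pushes.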

Workaround - common errors

Task: Connector Registration
  When: Entered incorrect provision key
  Error: Incorrect provision key; Error decoding the provisioning key
  Workaround: Check /mcafee/mount/logs/postRegistration.log for the incorrect provision key, copy the correct provision key from the Skyhigh Security UI, and provide it to infra.sh while deploying the connector.

Task: Connector Registration
  When: Expired/Invalid client credentials
  Error: Exception while refreshing access token
  Workaround: Download the new connector package from the Skyhigh Security UI and ensure that the right provisioning key is used.

Task: Connector Registration
  When: Connection to registration endpoint
  Error: Connection to registration endpoint - failed
  Workaround:
    • Check whether the McAfee Cloud API is reachable.
    • Check the existence of tun0 and tun1.

Task: Bringing up the VPN tunnel
  When: GW or HTTP_PROXY are not reachable
  Error:
    • Error while resolving hostname
    • Exception while checking Proxy
    • Exception while checking PA Gateway
    • Unable to connect to Proxy
    • Unable to connect to PA Gateway
  Workaround: The Connector maintains an outbound VPN tunnel with the PA Gateway.
    • Run ifconfig to check the tun adapter and the IP address assigned by the Private Access Gateway.
    • Check whether the gateway port 443 provided to infra.sh is reachable from the connector.

Task: Private Application list sync
  Workaround: Check /mcafee/mount/logs/paListsync.log if the McAfee Cloud API is not reachable. Ensure that the Cloud API is reachable so that the private application list can synchronize with the connector.
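The error strings in the table are what a first pass over the connector logs should look for. The following added example (not vendor code) maps each string to its error class and the workaround above, and de-duplicates repeated hits so a noisy log yields one action per class. The sample lines in `sample_log` are constructed for the example; the timestamp layout is an assumption, since only the error strings are taken from the page.

```shell
#!/bin/sh
# Added example: triage connector logs against the known error strings.
# Live usage:  triage_log < /mcafee/mount/logs/postRegistration.log

# classify_line LINE : prints the error class for one log line, or "none".
# The patterns are the literal error strings from the table.
classify_line() {
    case "$1" in
        *"Incorrect provision key"*|*"Error decoding the provisioning key"*)
            echo provisioning-key ;;
        *"Exception while refreshing access token"*)
            echo client-credentials ;;
        *"Connection to registration endpoint - failed"*)
            echo registration-endpoint ;;
        *"Error while resolving hostname"*|*"Exception while checking Proxy"*|*"Exception while checking PA Gateway"*|*"Unable to connect to Proxy"*|*"Unable to connect to PA Gateway"*)
            echo vpn-tunnel ;;
        *)
            echo none ;;
    esac
}

# workaround CLASS : the corrective action from the table, condensed.
workaround() {
    case "$1" in
        provisioning-key)      echo "copy the correct provisioning key from the Skyhigh Security UI and redeploy with infra.sh" ;;
        client-credentials)    echo "download a new connector package from the UI and redeploy with the right provisioning key" ;;
        registration-endpoint) echo "check that the Cloud API is reachable and that tun0/tun1 exist" ;;
        vpn-tunnel)            echo "check the tun adapter and its 10.8.0.x address; verify gateway port 443 and HTTP_PROXY are reachable" ;;
    esac
}

# triage_log : reads log lines on stdin, prints each distinct error class once
# (with the first matching line and its workaround), returns 0 when nothing
# matched and 1 when at least one known error was found.
triage_log() {
    seen=""
    while IFS= read -r line; do
        class=$(classify_line "$line")
        if [ "$class" = none ]; then
            continue
        fi
        case " $seen " in
            *" $class "*) continue ;;   # already reported this class
        esac
        seen="$seen $class"
        printf '%-22s %s\n    -> %s\n' "$class" "$line" "$(workaround "$class")"
    done
    if [ -n "$seen" ]; then
        return 1
    fi
    return 0
}

# Constructed sample standing in for postRegistration.log content (not real output).
sample_log() {
    cat <<'EOF'
2024-01-01 10:00:01 INFO  starting registration
2024-01-01 10:00:02 ERROR Error decoding the provisioning key
2024-01-01 10:00:05 ERROR Connection to registration endpoint - failed
2024-01-01 10:00:09 ERROR Error decoding the provisioning key
EOF
}

# Offline usage: sample_log | triage_log
```

Because the classes are ordered the way the table is, a log that shows both a provisioning-key error and a registration-endpoint error should be fixed top down: a bad key makes the later failures uninteresting until it is corrected.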

 
