Verfasst: 22. Jun 2017, 21:10
von ctearney
A system connected to the external Depot server will check in, download the PM3 install from Configurator\Packages\Matrix42\PM3Client\16.1 and begin to execute. You can see the C:\EmpirumAgent\PatchManagement_v3 folder get created and the PM3.exe running in Task Manager but after 10 seconds or so it stops. If you look at the SWDepot log files you will see the below:

15.06.2017 15:21:44, Section [WriteInstallationResultMessage], Line 1:
ErrorLogMsg: Initialization failed!

Communication with Matrix42.Platform.Service.Host (UAF) is not available!
Agent template not compatible! or
Cannot download the catalog from the server! or
Check Windows Update Service, please!

If you check the log files in the C:\EmpirumAgent\PatchManagement_v3 folder you will see this:
2017-06-15 15:29:07.825 [PM3Client] Downloading Shavlik Catalogs...
2017-06-15 15:29:07.825 [PM3Download] Starting enumerate job, server uri: ... r/Packages, relative path: PatchManagement_v3\Catalog
2017-06-15 15:29:07.825 [PM3Download] Got value False for Key Matrix42.Platform.Service.Processor.Transfer.AcceptOnlyTrustedSsl
2017-06-15 15:29:07.825 [PM3Download] Got value False for Key Matrix42.Platform.Service.Processor.Transfer.UseClientCertificate
2017-06-15 15:29:07.825 [PM3Download] Got value for Key Server.ClientCertificateSerial
2017-06-15 15:29:09.028 [PM3Download] Enumerate job failed, ... v3/Catalog. The remote server returned an error: (403) Forbidden.

Since the Shavlik catalog files cant be downloaded, extracted, and checked against by the scan mechanism the distribution failes. If the same system connects to the internal depot server there are no issues. The catalog files get pulled down to the system and all runs as expected.

it is confusing that the agent can download everything else but when it comes to the 2 catalog files it acts like it does not have access. Anyone seen this before with a DMZ depot?

Verfasst: 23. Jun 2017, 08:39
von Hendrik_Ambrosius
Did you assign the PM sync template ESubdepot_PM3 to the depot server?
Sync status?
Compare the \Configurator\Packages\PatchManagement_v3 directories.

Verfasst: 23. Jun 2017, 15:21
von ctearney
Yes, I have checked the IIS settings, repushed the Webservices Depot package, applied the latetest 16.1.3 patch/ hotfix, and even deleted the directories and did a full resync. I cant seem to pinpoint why just the catalog files dont download.

I am suspecting that the issue sits with PM3 Scan script as it is the one that calls out for the download of the catalog files. I tried runing debugview to capture someting but was not successful, my next steps is to see if wireshark will pick up anything.

Verfasst: 27. Jun 2017, 17:59
von ctearney
We got this fixed. The issue was with IIS having an account listed in the WebDAV authentication settings that it did not recognize. Even though the correct account was there the unrecognized account was causing IIS to not authenticate properly. (i.e. we had our standard domain service accoutn which is what the agent works off of listed as well as the local accoutn that we use on the depot as it is not a member of the domain and in the dmz).