Reset Search
 

 

Article

KB16543 - [OAC] Tips for troubleshooting OAC and Agentless ESAP download problems

« Go Back

Information

 
Last Modified Date8/2/2015 9:15 PM
Synopsis
Useful information for troubleshooting client side ESAP (Endpoint Security Assessment Plug-in) download issues.
Problem or Goal
How to troubleshoot client side ESAP download issues.
Cause
Solution
How do I determine what version of ESAP am I running?
The UnifiedSDK.ini notes the current version of ESAP being used by either OAC or Agentless.

Where are the ESAP packages and the UnifiedSDK.ini file located?
Agentless stores them in…

For XP:  C:\Documents and Settings\<logged in user>\Application Data\Juniper Networks\UAC Host Checker
For Vista\Windows 7:  C:\Users\<logged in user>\AppData\Roaming\Juniper Networks\UAC Host Checker

OAC stores them in…

For XP:  C:\Program Files\Common Files\Juniper Networks\TNC Client
For Vista\Windows 7:  C:\Program Files\Common Files\Juniper Networks\TNC Client

Does OAC and Agentless use the same ESAP package?
The answer is yes, the contents of the UnifiedSDK.zip are the same for both, but each will download the ESAP packages to different locations.
When is the ESAP package installed?
The ESAP package is installed and updated when OAC and the Agentless (agent) is installed or upgraded. The install.log located in both ESAP stores contains a history of this activity.

The ESAP package is also updated when either a OAC or Agentless connection requires a hostcheck policy the uses OPSWAT. This occurs if the hostcheck policy is set to evaluate or enforce.
What files are included in the UnifiedSDK.zip?
The UnifiedSDK.ini lists all the files included in the UnifiedSDK.zip, see example below.

[SDK]
ESAP_VERSION=1.5.1
FILE_LIST=AVManagerUnified.dll,CAntiVirusCOM.dll,CFireWallCOM.dll,efc.dat,FWManager.dll,Impl_AntivirusLib.dll,
Impl_FirewallLib.dll,Impl_SoftwareProductLib.dll,OESISCore.dll,OPSWATProcessesScanner.dll,scpt.dat,tables.dat
RUNTIME_DEPS=msvcp60.dll

How do you diagnose ESAP install issues?
The first place to look is in the logs of your respective client.  Remember that with OAC make sure to have level 5 logging enabled. For Agentless logging, be sure to enable the Host Checker log feature on the IC under Log/Monitoring\Client Logs.

Agentless logs can be found here...

XP: 
Vista\Windows 7:  C:\Users\Public\Juniper Networks\Logging\debuglog.log

While OAC logs are located here...

XP:  C:\Documents and Settings\All Users\Application Data\Juniper Networks\Logging
Vista\Windows 7:  C:\Users\Public\Juniper Networks\Logging

Where do I find log messages regarding the ESAP download?
Search the log for instances of “UnifiedSDK.zip, FileDownloader, or “https”. Below is an example of OAC log from a failed download.

00404,09 2009/12/30 17:12:52.484 5 SYSTEM jTnccService.exe Unknown_Module p1712 t6C4 eacConsole.cpp:308 - 'TNCC' hcimc(ID: 0x5): 'HCIMC:FileDownloader' [::onDownloadRequest] Enter - URL=https://NameofIC.something/dana-na/hc/hcif.cgi?cmd=getzipfile&f=OPSWAT/Unified/dlls/UnifiedSDK, DEST=C:\Program Files\Common Files\Juniper Networks\TNC Client\1.5.5\UnifiedSDK.zip, HASH=496a3d3ce955ed2f67859e2c1fc6b350

What is the process flow of the ESAP download and install?
  1. A connection is made to the PPS via OAC or Agentless
  2. Host checks are performed at the realm or role
  3. If OPSWAT is involved in the host check the PPS verifies the version of ESAP on the client end point.
  4. If the client is running an older version the client is instructed to open an SSL connection back to the PPS.
  5. The UnifiedSDK.zip file will be copied to a temporary directory named after the version of ESAP package being used. In the example above a 1.5.5 folder is created.
  6. Once the UnifiedSDK.zip file is fully downloaded the zip file is extracted to the appropriate directory for the client being used.
  7. The temporary directory and the UnifiedSDK.zip are then deleted.


What does it mean if the temporary directory is present after a failed ESAP download?
This would indicate that client was able to create a channel to the PPS and that the download had started and was either interrupted or timed out. Unlike Agentless, OAC has a 30 second timer.  If the ESAP package fails to download in the time allowed the connection is terminated.  A new connection and download will then be attempted.

If bandwidth is in question, which could cause the download to take longer than 30 seconds, attempt an Agentless connection.

Can I just download the ESAP file to my client machine?
No
Related Links
Attachment 1 
Created ByData Deployment

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255