To verify if Internet connectivity is available to support MiCollab Client Deployment, it is recommended that you run the diagnostic test provided on this page against a deployment profile. This diagnostic test performs three functions:
Verifies that the MiCollab Client Deployment service can connect to the Redirect Server. The MiCollab Client Deployment service must be able to reach the Redirect Server (https://mcdiagnostics.easydeploy.net:443) on the Internet.
NOTE: The MiCollab Server needs to verify the identity of the Redirect Server. Therefore, a proxy server is not supported for MiCollab Client Deployment.
Validates that the MiCollab Clients on the public Internet can reach the MiCollab Client Deployment service. This diagnostic test validates that the MiCollab Clients can reach the MiCollab Client Deployment service to download their configuration. During the test, the Redirect Server attempts to open an https connection to the MiCollab Client Deployment service residing on the MiCollab Server. Note that the Redirect Server only initiates a connection to the MiCollab Client Deployment service when you run this test. It does not deploy the client. However, after you have completed MiCollab Client Deployment configuration, MiCollab Clients will be able to connect to the MiCollab Server to update their configurations whenever required.
The test uses the "Config download host" configuration from the selected MiCollab Client Deployment profile; all other MiCollab Client Deployment parameters are not relevant to this test. The test relies on the MBG Remote proxy services configuration.
The following limitations apply:
Configuration issues with the local Wi-Fi, the local split-DNS or with local firewalls can cause the deployment process to fail on the mobile client even though this test validates the connection between the MiCollab Clients on the internet and the MiCollab Client Deployment service.
It is possible that the connection between MiCollab Clients on the internet and the MiCollab Client Deployment service fails validation while deployment to the Mobile Clients is successful. This can occur if the MiCollab server has no public IP address or if an MBG is not included in the deployment configuration. Typically, this type of deployment configuration would only be found in a lab environment during testing.
The test relies on the MiCollab connector being enabled within the MBG's Application Integration area.
To run the Diagnostic test:
Select the Deployment Profile that you want to test.
Click Run test. The results are presented on the screen.
If the tests are successful, you can proceed with client deployment.
If one or both tests fail, refer to the following tables to interpret the results. The tables list possible error messages and provide tips on how to troubleshoot a particular network issue. In most cases, a network trace that captures DNS traffic (port 53) and TCP port 443 will help identify the problem.
To run the Diagnostic test with MiCloud deployments:
For MiCloud deployments, users belong to different customer sites. Therefore, you must set the 'ConfigDownloadHost' field in the deployment profile to the configuration download hostname of the user's site in order for the Diagnostic test to function correctly. To run the Diagnostic test for a user on a specific customer site:
Access the Deployment Profiles tab.
Create a copy of the default deployment profile.
Access the User tab.
Open (Modify) the user that you want to test.
Copy the hostname from the "MiCollab Client Service host" field.
Access the Deployment Profiles tab.
Edit the newly created profile and copy the hostname into the "ConfigurationloadHost" field.
Access the Diagnostics tab.
Select the newly created Deployment Profile.
Click Run test. The results are presented on the screen.
Table 1: Connection test to Redirect Server
Error Message | Meaning
ConnectionError: [Errno -2] Name or service not known | The DNS server of the MiCollab Server cannot resolve the name mcdiagnostics.easydeploy.net. Note: Changing the DNS server might require a restart of the server.
ConnectionError: [Errno -3] Temporary failure in name resolution | The DNS server configured on your MiCollab Server is not reachable.
ConnectionError: [Errno 110] Connection timed out | The MiCollab Client Deployment service cannot reach the server tcp:mcdiagnostics.easydeploy.net:443. Packets are being dropped, most likely because of a firewall.
ConnectionError: [Errno 111] Connection refused | The MiCollab Client Deployment service cannot reach the server.
ConnectionError: [Errno 113] No route to host | There is no route to the Redirect Server. Check the IP configuration and the routing (that is, the default route).
SSLError: hostname 'mcdiagnostics.easydeploy.net' doesn't match either of '*.somehostname.com', 'somehostname.com' | There is a transparent TLS proxy or another device (possibly a MITM) between the MiCollab Client Deployment service and the Redirect Server that intercepts the TLS traffic.
SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed | There is a transparent TLS proxy or another device (possibly a MITM) between the MiCollab Client Deployment service and the Redirect Server that intercepts the TLS traffic.
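The failure classes in Table 1 can be reproduced outside the diagnostics page with a staged probe (DNS, TCP, verified TLS). This is an added example, not Mitel code: only the host and port come from this page, while the function names and the condensed meaning strings are illustrative.

```python
import errno
import socket
import ssl

# Host and port are from this page; all other names are illustrative.
REDIRECT_HOST, REDIRECT_PORT = "mcdiagnostics.easydeploy.net", 443

# Table 1 meanings (condensed), keyed by getaddrinfo / errno codes.
DNS_MEANING = {
    socket.EAI_NONAME: "DNS server cannot resolve the name",
    socket.EAI_AGAIN: "configured DNS server is not reachable",
}
TCP_MEANING = {
    errno.ETIMEDOUT: "packets dropped, most likely by a firewall",
    errno.ECONNREFUSED: "connection refused, server not reachable",
    errno.EHOSTUNREACH: "no route to host, check IP config and default route",
}
TLS_INTERCEPT = "certificate check failed: TLS proxy or other intercepting device in path"


def classify(exc):
    """Map an exception raised by probe() to (stage, meaning)."""
    # TLS checks come first: ssl errors are OSError subclasses too.
    if isinstance(exc, ssl.SSLCertVerificationError):
        return ("tls", TLS_INTERCEPT)
    if isinstance(exc, ssl.SSLError):
        return ("tls", "TLS handshake failed: %s" % exc)
    if isinstance(exc, socket.gaierror):
        return ("dns", DNS_MEANING.get(exc.errno, str(exc)))
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return ("tcp", TCP_MEANING[errno.ETIMEDOUT])
    return ("tcp", TCP_MEANING.get(exc.errno, str(exc)))


def probe(host=REDIRECT_HOST, port=REDIRECT_PORT, timeout=10.0):
    """DNS lookup, TCP connect, then a fully verified TLS handshake."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("ok", "verified TLS session (%s)" % tls.version())
    except OSError as exc:
        return classify(exc)


if __name__ == "__main__":
    print(probe())
```

A "tls" result from a network where "dns" and "tcp" succeed points at an intercepting device rather than at the Redirect Server itself.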
Table 2: MiCollab Client Deployment test from public internet
Error Message | Meaning/Corrective Action
ERROR: query A ENOTFOUND | The "Config download host" DNS entry configured in the "Deployment Profile" cannot be resolved.
ERROR: ETIMEDOUT (400 Bad Request) from host 12.12.12.12 | The "Config download host" does not reply. Most likely, the incoming packets are dropped by a firewall before reaching the MBG. The MBG cannot reach the MiCollab-Server due to dropped packets or no route to host (DMZ-firewall, routing between MiCollab and MBG). The MBG cannot send the request to the MiCollab server. Check DNS and configuration on the MBG.
Cannot reach MiCollab Client Deployment service (503 Service Unavailable) from host 12.12.12.12 | The MBG cannot reach the MiCollab-server (DMZ-firewall).
ERROR: connect ECONNREFUSED (400 Bad Request) from host 12.12.12.13 | Packets are rejected by a firewall.
ERROR: connect EHOSTUNREACH (400 Bad Request) from host 12.12.12.14 | "Config download host" configured in the MiCollab Client Deployment service's deployment profile may point to the wrong machine.
ERROR: SELF_SIGNED_CERT_IN_CHAIN (400 Bad Request) from host 12.12.12.15 | The configured "Config download host" in the MiCollab Client Deployment service's deployment profile may point to the wrong machine and/or the certificate is not correctly installed on the MBG.
ERROR: UNABLE_TO_VERIFY_LEAF_SIGNATURE | TLS Certificate issue. The certificate chain is missing or not properly installed. Verify that the right intermediate certificates are installed on the internet facing Web Proxy Server (MBG).
Cannot reach MiCollab Client Deployment service (404 Not Found) from host 12.12.12.13 | The configured "Config download host" in the MiCollab Client Deployment service points to the wrong machine. Check that the IP address 12.12.12.13 belongs to the MBG which serves your MiCollab Server. Check the MBG configuration. Check that the "Config download host" resolves internally to the IP address of the MiCollab Server and not the MBG IP address.
Cannot reach MiCollab Client Deployment service (401 Unauthorized) from host 12.12.12.12 | The MBG does not forward the request to a MiCollab Server but to another machine or web server.
Invalid MiCollab Client Deployment Config download host configured (host: 12.12.12.12) | The Remote Proxy Services does not allow access to the MiCollab Client Deployment Service. Check the MBG Remote Proxy Services configuration. Incorrect "Configuration download host" configured in the deployment profile of the MiCollab Client Deployment service.
Table 3: Connection test from public internet to MiCollab Client Service
Error Message | Meaning
ERROR: queryA ENOTFOUND | The DNS name of the MiCollab Client Service cannot be resolved from the internet.
Error: connect ECONNREFUSED | The MiCollab Client Service is not started or not reachable. UCA websocket requests for the TCP port 36008 are blocked by a firewall. The MiCollab Client connector on the MBG is not enabled or is configured incorrectly.
Error: connect ETIMEDOUT | The MiCollab Client Service is not reachable or requests for the TCP port 36008 are blocked by a firewall.
Error: socket hang up | The MiCollab Client Service does not respond. Most likely a connection issue between MBG and MiCollab Server.
Error: read ECONNRESET | The MiCollab Client Service does not respond. Most likely a connection issue between MBG and MiCollab Server.
Error: DEPTH_ZERO_SELF_SIGNED_CERT | TLS certificate issue. The certificate of the MiCollab Client Service is self-signed. Make sure that the certificate is correctly installed on both MBG and MiCollab Server.
Error: SELF_SIGNED_CERT_IN_CHAIN | TLS certificate issue. Run the following command from any other host on the internet in order to get more details:
Error: UNABLE_TO_VERIFY_LEAF_SIGNATURE | TLS Certificate issue. The certificate chain is missing or not properly installed. Verify that the right intermediate certificates are installed on the internet facing MBG. The MBG might require a reboot after certificate installation to activate them.
Error: Hostname/IP doesn't match certificate's altnames | TLS certificate issue. The name of the certificate does not match the name used by the MiCollab Client server. Run the following command from any other host on the internet in order to get more details:
Error: Server responded with a non-101 status: 200 Response Headers Follow: content-type: text/html | The connection test gets a reply for the TCP port 36008, but the connection could not be identified as a websocket connection. For some reason a different service or server responds to the request, but not the MiCollab Client service.
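The last row of Table 3 describes a reply on TCP port 36008 that is not a websocket handshake. The check behind that distinction, as an added example that is not Mitel code: the request path "/", the use of TLS on this port, the function names and the sample replies are assumptions or constructed values; the port number is from this page.

```python
import base64
import hashlib
import os
import socket
import ssl

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # constant from RFC 6455

def build_upgrade_request(host, key, port=36008, path="/"):
    # path "/" is an assumption: this page does not give the service's URL path
    lines = ["GET %s HTTP/1.1" % path, "Host: %s:%d" % (host, port),
             "Upgrade: websocket", "Connection: Upgrade",
             "Sec-WebSocket-Key: %s" % key, "Sec-WebSocket-Version: 13", "", ""]
    return "\r\n".join(lines).encode("ascii")

def check_upgrade_response(raw, key):
    """Return (is_websocket, reason) for the raw reply to an upgrade request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    status = (head[0].split(" ", 2) + [""])[1]
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if status != "101":
        return (False, "non-101 status %s, content-type %s" % (
            status, headers.get("content-type", "not sent")))
    if headers.get("upgrade", "").lower() != "websocket":
        return (False, "101 reply without 'Upgrade: websocket'")
    accept = base64.b64encode(hashlib.sha1((key + WS_GUID).encode()).digest())
    if headers.get("sec-websocket-accept") != accept.decode():
        return (False, "Sec-WebSocket-Accept does not match the key sent")
    return (True, "endpoint completed a websocket handshake")

def probe_websocket(host, port=36008, timeout=10.0):
    """Send the upgrade over verified TLS (TLS on this port is assumed)."""
    key = base64.b64encode(os.urandom(16)).decode()
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_upgrade_request(host, key, port))
            return check_upgrade_response(tls.recv(4096), key)

# Constructed replies (not captured traffic): the key/accept pair is RFC 6455's.
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
WRONG_SERVICE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
GENUINE = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
           b"Connection: Upgrade\r\nSec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
```

A 200 reply with content-type text/html, as in the constructed WRONG_SERVICE sample, means some other web server answered on the forwarded port.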