After an apparently successful upload of the Enrollment Bundle, the DLP Cloud Detection Server (CDS) does not appear connected in the Enforce console.

The status of the connection is "Disconnected", and will have the following events reported in Enforce:

[Enforce Console Error Code]: 4201  "Cloud Service enrollment: error requesting client certificate from Symantec Managed PKI Service"

[Error Detail]: ERROR DLP-5000

Note - if the server is not showing the above errors, but is reported as "Unknown" - that is a different issue. See this article: "Monitor Controller performance issues after adding new Detection Servers".

It is possible this issue can happen with either of the following DLP Cloud Services:

• Cloud Detection Server (aka a Cloud Detector, formerly known as the Cloud Service Connector)
• Cloud Service for Email
• Cloud Service for ICAP

This certificate error indicates the Enforce server cannot connect on outbound port 443 to the PKI Manager, which uses the SCEP protocol to issue a digital certificate for Enforce access to the Cloud Service Gateway.

In order to successfully register a CDS, one of the following options is required:

• If no proxy is used, or a transparent proxy is in effect, the Enforce server requires outbound connectivity on port 443 to the PKI Manager and to the Cloud Service Gateway: i.e., outbound access to 0.0.0.0/443.
• Supported DLP versions (15.0 and above) offer an option to configure a Cloud Proxy, where an explicit proxy can be configured to route all Enforce server connections via the proxy.

With either of the options listed above, it needs to be stated the process of requesting a digital certificate from the PKI Manager requires that NO SSL inspection at the packet level be performed. If that is happening, either at a proxy or firewall level, the enrollment will not take place.

URL required for Enforce Server to enroll with the Cloud Service (to obtain the Digital Certificate):

• https://pki-scep.symauth.com/

URL required for Enforce Server to connect to the Cloud Service (to stay connected to the Cloud Service):

US Gateway:

• https://gw.csg.dlp.protect.symantec.com OR https://gw.csg.dlp.protect.broadcom.com

EU Gateway:

• https://gw2.csg.dlp.protect.symantec.com OR https://gw2.csg.dlp.protect.broadcom.com

APJ Gateway:

• https://gw3.csg.dlp.protect.broadcom.com

Nota bene: the "symantec.com" domain was not published for the newest region, but is a valid alias for the US and EU regions.

Test network connectivity from the Enforce server as follows:

• To verify name resolution  – make sure these resolve to an IP address. If name resolution fails – need to diagnose DNS and why the host cannot resolve names:

  • dig pki-scep.symauth.com

  • dig gw.csg.dlp.protect.symantec.com (US Gateway)

  • dig gw2.csg.dlp.protect.symantec.com (EU Gateway)

  • dig gw3.csg.dlp.protect.broadcom.com (APJ Gateway)

(If dig is not installed, you can use nslookup for same purpose)

• To verify connectivity from Enforce server to the PKI Manager (aka the SCEP server):

  • Via command prompt:-

    telnet pki-scep.symauth.com  443

    This should result in a successful connection

  • To verify from a browser:-

    https://pki-scep.symauth.com/

    This should result in a Not Found page error, but SSL should be negotiated.

• Verify base connectivity from Enforce server to the Cloud Service Gateway – you should make a connection and not time out. If the connection times out or is refused immediately – need to work with network team to make sure outbound access is allowed on port 443 to Internet from the Enforce server.

  • Run the following command: 

    telnet gw.csg.dlp.protect.symantec.com 443 (US Gateway)

    telnet gw2.csg.dlp.protect.symantec.com 443 (EU Gateway)
    
    telnet gw3.csg.dlp.protect.broadcom.com 443 (APJ Gateway)

    should result in a successful connection

• Or from a browser:

  https://gw.csg.dlp.protect.symantec.com (US Gateway)

  https://gw2.csg.dlp.protect.symantec.com (EU Gateway)
  
  https://gw3.csg.dlp.protect.broadcom.com (APJ Gateway)

  This should result in a 400 Bad Request error, but SSL should be negotiated (different browsers may indicate SSL cert was not provided).

  If either of these fail, document which one and how it failed (screen shots would be preferred). 

• Verify TLS connectivity – you should get back DigiCert issued certificates. If not, you need to get the network team or group operating the transparent proxy to put in a specific bypass for the Enforce server per the two stated rules above.

  • openssl s_client -showcerts -connect pki-scep.symauth.com:443

  • openssl s_client -showcerts -connect gw.csg.dlp.protect.symantec.com:443 (US Gateway)

  • openssl s_client -showcerts -connect gw2.csg.dlp.protect.symantec.com:443 (EU Gateway)

  • openssl s_client -showcerts -connect gw3.csg.dlp.protect.broadcom.com (APJ Gateway)

If connectivity is confirmed via the tests given above, and there appear to be additional errors or event codes reported during the enrollment process, please look for additional suggestions at the Cloud Services Landing Page for "disconnected" detectors.

There are two additional elements that needs to be reviewed after regarding cloud detectors if connectivity is not the issue:

• Cloud detector showing “disconnected” after bundle upload to Enforce
• Unable to write key store file "enforce_keystore.jks" when registering new Cloud Detection Server

It is also possible the Enrollment Bundle may have expired. Note that Enrollment Bundles are good for 10 days after being issued.

• If the Cloud Detection Server has not been successfully registered within that time, it may need to be reissued.
• Please open a case with DLP Support if you believe you need to have your Enrollment Bundle reissued.

For details on setting up the "Cloud Proxy", which is designed to get around networking limitations for outbound internet access from Enforce, see the Cloud Service for Email Implementation Guide.