
Afaria 7 SP3 + Relay Server + iOS Device

former_member198480
Participant
0 Kudos

Dear All,

I hope this question has been asked several times, but after banging my head for the last few days and reading different discussions, I am not able to figure out the issue.

Communication Sequence

iPad -> Relay Server -> (Afaria Server, Enrollment Server, CA Server)


Afaria Setup:

1- Stand Alone Single Server with following components

    a- Afaria Server and Database

    b- MS Certificate Authority (Enterprise Root)

    c- Afaria Administrator and API Service

    d- Enrollment Server

    e- Package Server

    f- Self Service Portal (I am not using it, directly connecting from Device -> Relay -> Afaria)

2- Relay Server, Configured with

    a- Afaria Server

    b- Enrollment Server

    c- Package Server

3- Hot Fix Installation Sequence

    a- 7SP3AfariaFx06

    b- 7SP3AfariaFx11

    c- 7SP3AfariaFx19

    d- 7SP3AfariaFx30

    e- 7SP3AfariaFx26

    f- 7SP3AfariaFx35

4- Additional Details

   a- All the required ports are opened between Afaria Server and Relay Server.

        i- 80, 81, and 443 from Afaria to Relay Server outbound

        ii- 80 and 443, from Public Internet to Relay Server inbound

   b- Relay Server is working fine and accessible from iPad.

  

5- Attachments

    a- afaria_server_diagnostics shows that everything for iOS seems fine on the server

    b- device_communication shows the HTTP port given to Afaria and the Relay Server address

    c- afaria_device_log shows the ERROR that comes from the device, which seems related to some secure certificate.

       Error: (SecTrustEvaluate  [leaf AnchorTrusted])


6- Confusions / Questions

     a- While installing the Enrollment Server, initially I provided the SSL certificate that I generated on the Enrollment Server, but now I have imported the Relay Server SSL certificate (generated from the Enterprise Root CA installed on the same machine) into the Afaria machine and given this certificate during the Enrollment Server installation. Is this correct, or am I missing something?

     b- I need to create an ISAPI Farm and Server in rs.config for the Relay Server because the Relay Server logs show an error for the afaria-farm-IS Outbound Enabler that is running on the Afaria Server. Why is this required?

     c- The device seems not to reach the Relay Server, as I saw in the Relay Server logs.



I am sorry for the information overload. Looking forward to a prompt response.

Accepted Solutions (1)


Former Member
0 Kudos

Hi,

A few more details are required.

1. The SSL certificate needs to be created on the relay server.

2. Device communication setting: uncheck HTTP, and the device communication path will be http://relayserveraddress.

3. Screenshots of the CA authority, Enrollment server and package settings are required.

4. You need to configure the Apple MDM certificate for outbound notification, and the Apple root CA and WCCA are required.

5. The Relay server setting on the Afaria console needs to be unchecked.

6. You need to run the outbound enabler on the Afaria server for server, enrollment and package.

7. Make sure the CA server setting is bypassing the proxy (you can test by running ServerSCEPTest located in the bin folder of aips).

Please check that the above requirements are met and test.

former_member198480
Participant
0 Kudos

Dear Chetan,

Thank you for your prompt reply. Please see my answers below.

1. The SSL certificate needs to be created on the relay server.

YES

2. Device communication setting: uncheck HTTP, and the device communication path will be http://relayserveraddress.

If I uncheck the HTTP option in Device Communication, do I need to uncheck the Relay Server option as you mentioned in point 5?

3. Screenshots of the CA authority, Enrollment server and package settings are required.

Attached

4. You need to configure the Apple MDM certificate for outbound notification, and the Apple root CA and WCCA are required.

YES. Already configured. I followed the following URL:

http://frontline.sybase.com/support/resolutionDetails.aspx?KBID=7779

I used these certificates:

    Apple Inc. Root Certificate (.cer file)

    Apple Integration (AAICA) Certificate (.cer file)

    APSP... push certificate (.pfx or .p12 file)

5. The Relay server setting on the Afaria console needs to be unchecked.

Do you mean that in Server -> Configuration -> Server -> Relay Server -> "Start Outbound enabler with Afaria Service" should be unchecked?

6. You need to run the outbound enabler on the Afaria server for server, enrollment and package.

Correctly running. But if we uncheck Relay Server on the Afaria Server, how would the Afaria Outbound Enabler run?

7. Make sure the CA server setting is bypassing the proxy (you can test by running ServerSCEPTest located in the bin folder of aips).

I ran the utility for both the Enrollment and Package Server and it seems it runs fine.

Output


CSR Creation: 2048 b

saved SCEP_Received_certificate.cer for both.

CSR creation: 2048 bit RSA key...

Provisioning Server CA Address: http://mobconnect.customer.com/ias_relay_server/client/rs_client.dll/ca-farm/certsrv/mscep/mscep.dll...

new SCEP cert. "My Cert detalils"

saved SCEP_Received_certificate.cer

Many thanks for your prompt response.

former_member198480
Participant
0 Kudos

Certificate Authority Screen cap revised.

Former Member
0 Kudos

Hi,

Yes, you need to uncheck the relay server option in the Afaria console settings.

You need to create one more RS outbound enabler with a parameter for the Afaria RS server outbound enabler.

The parameters will be in the format below in the rsoe file for server.

Note: change the input of -f, -t, -cs, -cr according to your server details.

-f server

-id uh23

-t 2333333

-cs "host=ipaddress;port=3007"  << This port will be your xnet port

-cr "host=relayserver.com;port=80;url_suffix=/ias_relay_server/server/rs_server.dll;https=0"

-v 3

-o "C:\Program Files (x86)\Afaria\bin\RSOutboundEnabler\Server.log"

-q

Note, this is important: when you uncheck the relay server in the Afaria console, make sure to clear all the details of the relay server setting from the console and save.

From the certificate authority setting I can see you have created Ca-farm; you need to define the same farm in the rs file of the relay server, and you need to create one more outbound enabler for the CA.

In all, you need to run 4 outbound enablers on the Afaria server:

rsoe

rsoe_ios

rsoe_ca

rsoe_portal

former_member198480
Participant
0 Kudos

Dear Chetan,

I implemented everything as you mentioned, but I can still see the same error in the iOS logs.

The Afaria Server is a remote client server, so I am not sure what else could be hindering the device, as I can successfully ping the Relay Server and there is no port blocking on our side. The client server is open for 80 and 443 in the DMZ.

Following is the error log from the device. The Relay Server SSL certificate is generated by my local CA on the Afaria Server. I suspect that the device is not recognizing the certificate issued by my own CA; just a few random thoughts.

Outbound Enablers:

Also, PFA my Relay Server configuration, updated Device Communication and Relay on the Afaria Console (Administrator), and the long Google URL.

Also, one more clarification: as I mentioned in the first post, when I installed the Enrollment Server, I provided the SSL certificate that was generated for the Relay Server machine, mobconnect.customer.com.

Is this the correct configuration?

Looking forward to your response.

Former Member
0 Kudos

Hi,

The problem indicates your self-signed certificate.

In the Certificate Authority relay server setting, instead of mobconnect.customer.com please input the internal IP address of the relay server.

former_member198480
Participant
0 Kudos

You mean that I should regenerate my Relay Server SSL certificate to point to the local IP instead of the public DNS name? Currently the common name for the Relay Server SSL certificate is "mobconnect.customer.com".

This is because when I input the local IP address instead of the public DNS name, the connectivity test fails. Please see the snapshot below.

Also, I have put the same public DNS name "mobconnect.customer.com" in the Afaria Server, Enrollment Server and Package Server configuration in the Afaria Console. Should I update all of them to point to the local IP?

Many thanks for your continuous support.

Former Member
0 Kudos

HI,

Uncheck the entire relay server option, save and restart the services, and then test the connectivity.

former_member198480
Participant
0 Kudos

I cannot check directly with Afaria because the Afaria Server is not open to the public IP. I am connecting my device remotely and cannot connect directly to Afaria; it has to go through the Relay Server.

Former Member
0 Kudos

Did you test:

Uncheck the entire relay server option, save and restart the services, and then test the connectivity.

former_member198480
Participant
0 Kudos

Dear Chetan,

I have tried the following three things, but with no success.

1- Unchecked the entire relay server option, saved, restarted all services, and then tested the connectivity by creating a new Enrollment Code.

In this case my Google URL points to a local IP of Afaria (10.1.11.80) that is not accessible from my device because I am outside the client network.

2- I tried to point the CA server to the Relay Server local IP (10.1.11.96) instead of the public FQDN (mobconnect.customer.com), but it failed to connect. I double checked with the ServerSCEPTest utility, but it also fails on the local IP. It only connects with the public FQDN.

3- I also tried the following, with no success:

1- Create a new Relay Server SSL certificate with the local IP (10.1.11.96).

2- Import this SSL certificate in the Afaria Server.

3- Re-install the Enrollment Server and provide the SSL certificate imported in step 2.

4- Restart all services and generate a new Enrollment Code.

Please suggest what else can be wrong. I found this comment on another issue:

1- The following URLs should be accessible from the device:

    a- https://mobconnect.customer.com/ias_relay_server/client/rs_client.dll/afaria-enrollment-farm/aips

          I got a login page, and when I put in credentials, it shows Directory not Found 404.

    b- https://mobconnect.customer.com/ias_relay_server/client/rs_client.dll/afaria-enrollment-farm/aips2

          I got a popup for Certificate Identity, and after continuing it shows Directory not Found 404.

    c- https://mobconnect.customer.com/ias_relay_server/client/rs_client.dll/ca-farm/CertSrv

          I got a popup for Certificate Identity, and after continuing it shows Directory not Found 404.

How can I ensure that the above URLs are working fine on the device?

Also, please tell me if I can install the Self Service Portal on the Relay Server machine and try to enroll the device from that.

Looking forward to your favorable response.

Former Member
0 Kudos

Hi,

A 404 error on the relay server.

Try the solution below.

1. On the right-hand column, click "Edit Feature Settings...".

2. The WCF Activation feature and the Windows Process Activation Service feature are enabled in IIS: you need to disable them.

3. The .NET 3.5.1 "WCF Activation" feature is not installed on the Afaria iPhone Provisioning Server (AIPS): you need to install it.

former_member198480
Participant
0 Kudos

Dear Chetan,

I have checked all of the above and fixed issue number 2.

The rest of the configuration was the same.

I restarted both the Afaria and Relay Server, but the issue is still the same: 404 from Relay Server to Enrollment and 404 from Relay Server to Certificate Authority.

I also checked the following on the Afaria KB:

http://frontline.sybase.com/support/resolutionDetails.aspx?KBID=6823

and I have seen this error in my NDES log:

The Network Device Enrollment Service received an http message without the "Operation" tag, or with an invalid "Operation" tag.

I checked the Request Filtering, but it is correct in the certSrv and ias_relay_server directories.

Also, in my IIS -> Default Web Site -> ias_relay_server -> Request Filtering, I can see a long list of file extensions that are Allowed = "False"; I am not sure if that has an effect.

Looking forward to your response.

Former Member
0 Kudos

Hi,

Can you confirm which account the relay server service is running with? If it is running with local admin, please change it to the local administrator ID.

former_member198480
Participant
0 Kudos

The Relay Server service is running with a domain user who is an administrator on the local system as well as a domain administrator on the network.

I managed to involve the client team and we tested connections directly to the Afaria Server from the device within the client's network, but there are still errors.

I have removed the following Relay Server configuration from Afaria:

1- Relay Server in Server -> Configuration -> already unchecked

2- Removed Relay Server from CA, Enrollment and Package Server

3- Reset the Device Communication to default (XNET)

4- Re-installed the Enrollment Server and provided the SSL certificate for the Afaria Server instead of the Relay Server.


The following errors are in the iPhone logs:

<Warning>: [EnrollmentCodeSeedDataDownloader connection:didFailWithError:

Error Domain=NSURLErrorDomain Code=-1012 "The operation couldnt be completed. (NSURLErrorDomain error -1012.)"

UserInfo=0x176a4d80 {NSErrorFailingURLKey=https://goo.gl/SVy43c, NSErrorFailingURLStringKey=https://goo.gl/xxxxx}]

All the following URLs are accessible from the device:


1- https://<Afaria_IP>/aips

2- https://<Afaria_IP>/certSrv

3- The Google URL is correctly pointing to the Server


https://10.1.11.80/aips/aipService.svc/GetEnrollmentSeedData?ID=%7Bee7e125b-0561-4b14-88cd-05aec2679...


Former Member
0 Kudos

Hi,

You are working on HTTPS for enrollment. Can you confirm whether the SSL certificate has been installed on the Afaria server, because you are not using the relay server now? Also confirm the common name used for the SSL certificate, because I can see you are using an IP address instead of DNS.

Is the common name for the certificate the IP address or the DNS name?

former_member198480
Participant
0 Kudos

Yes, Common Name is pointing to IP Address (10.1.11.80).

Former Member
0 Kudos

Hi,

The IP address of the relay server? And you are enrolling without the relay server.

Also, is the SSL certificate a self-signed certificate or third party?

former_member198480
Participant
0 Kudos

As mentioned in my last post, I am now enrolling through the Afaria Server by involving the client IT team. This is to make sure that at least the Afaria Server is working fine.

The SSL certificate is a self-signed certificate from my own CA server installed on the same machine (Afaria Server). Do I need to do additional steps in order to make it work?
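The two failure modes discussed in this thread are a leaf certificate chained to a private CA that the iPad does not trust (the "SecTrustEvaluate [leaf AnchorTrusted]" error in point 5c of the original post and the suspicion a few posts later that the device does not recognise a certificate issued by the poster's own CA) and a certificate whose common name is an IP address while the device connects by DNS name (the exchange just above). The Go program below is an added example written for this page; it is not code from the thread, from SAP/Sybase Afaria, or from any of the participants. It constructs a throwaway root CA and two server certificates in memory with Go's standard library and runs the same checks a TLS client performs, going slightly beyond the thread by covering all four combinations of trust anchor and name matching. The function names, the "Constructed Enterprise Root CA" subject and the reuse of mobconnect.customer.com and 10.1.11.96 (the placeholders already used in the thread) as certificate identities are all assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// newKey returns a fresh P-256 key; rand.Reader failing means the platform RNG is broken.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl under parent with signer and parses the result back.
func issue(tmpl, parent *x509.Certificate, pub, signer any) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewRoot mints a self-signed CA in memory, standing in for the enterprise root CA on the Afaria host.
func NewRoot() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Enterprise Root CA"}, // constructed
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	root, err := issue(tmpl, tmpl, &key.PublicKey, key)
	return root, key, err
}

// IssueServerCert issues a leaf from root whose identity is carried in the SANs. Go, like
// current Apple platforms, matches names against the SANs only, never against the CN.
func IssueServerCert(root *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, dns []string, ips []net.IP) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dns,
		IPAddresses:  ips,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return issue(tmpl, root, &newKey().PublicKey, caKey)
}

// Classify performs the check a TLS client does on connect: chain the leaf to a root in
// trusted, then match host against the SANs. It returns the failure class by name.
func Classify(leaf *x509.Certificate, trusted *x509.CertPool, host string) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host})
	switch err.(type) {
	case nil:
		return "trusted"
	case x509.UnknownAuthorityError:
		return "untrusted-anchor" // what iOS logs as SecTrustEvaluate [leaf AnchorTrusted]
	case x509.HostnameError:
		return "name-mismatch"
	default:
		return "other: " + err.Error()
	}
}

// Scenarios replays the thread's situations on constructed certificates. The names
// mobconnect.customer.com and 10.1.11.96 are the placeholders the thread itself uses.
func Scenarios() (map[string]string, error) {
	const host = "mobconnect.customer.com"
	ip := net.ParseIP("10.1.11.96")
	root, caKey, err := NewRoot()
	if err != nil {
		return nil, err
	}
	dnsLeaf, err := IssueServerCert(root, caKey, host, []string{host}, nil)
	if err != nil {
		return nil, err
	}
	ipLeaf, err := IssueServerCert(root, caKey, ip.String(), nil, []net.IP{ip})
	if err != nil {
		return nil, err
	}
	withRoot := x509.NewCertPool() // a device on which the private root CA has been installed
	withRoot.AddCert(root)
	noRoot := x509.NewCertPool() // a stock device: an empty pool, so nothing anchors this chain
	return map[string]string{
		"dns-cert, root not installed": Classify(dnsLeaf, noRoot, host),
		"dns-cert, root installed":     Classify(dnsLeaf, withRoot, host),
		"ip-cert, connect by DNS name": Classify(ipLeaf, withRoot, host),
		"ip-cert, connect by IP":       Classify(ipLeaf, withRoot, ip.String()),
	}, nil
}
```

Run it from a test or a small main that prints the map returned by Scenarios. The first scenario reproduces the thread's symptom: the chain is valid, but the device has no anchor for it, so the outcome is "untrusted-anchor" until the private root is installed on the device (or, as suggested later in the thread, the server presents a certificate from a CA the device already trusts). The last two scenarios show why switching the common name to an IP address does not help on its own: the certificate only matches when the device connects by exactly the identity carried in the SAN, so the name in the certificate must match the address the device actually uses.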

Former Member
0 Kudos

Hi,

If possible, can you try with a third-party SSL certificate and not with a self-signed certificate?

former_member198480
Participant
0 Kudos

Is there any open source (free) third-party certificate authority that is recommended with Afaria?

Former Member
0 Kudos

Hi,

There are many third-party SSL certificates available in the market.

Former Member
0 Kudos

Hi,

It is paid. I think there are a few certificate vendors which provide a 30-day trial.

former_member198480
Participant
0 Kudos

I will try the Verisign free 30-day trial just to check.

Meanwhile, could you please check whether these settings are correct while I am connecting without the Relay Server.

Former Member
0 Kudos

Hi,

Instead of xnet://ip:3007 you can mention https://ip:443.

Make sure the Relay server setting on the Afaria console is blank: clear all the fields (ports, IP details), save, and restart the services. It happens many times that even when the relay server setting is disabled on the console, it still doesn't clear the old data.

former_member198480
Participant
0 Kudos

But on https:443 the IIS server is running. Won't it be a port conflict?

Former Member
0 Kudos

It will connect the same; when you are not using the relay server it will by default connect over HTTPS.
