No Checkins
-
Hi All-
Brand new theopenem user here. Just testing it out on a few workstations to evaluate deploying it to more machines. So far, I'm liking what I see. I'm sure I just did something wrong while following the install guide, but I can't figure out what. The four test machines are all showing in the TOEMS GUI, but without any checkin times.
On the client logs, I see this error repeatedly:
2021-07-13 08:57:11,161 ERROR [4] ApiRequest - The Request Was Unauthorized ProvisionedComm/Provision/ConfirmProvisionRequest/
Where to begin troubleshooting this?
FYI, I have the entire TOEM platform running on a Windows Server 2019 VPS in the cloud instead of on our local network, at least during this testing phase. However, about 1/2 of our machines are normally off-network anyways, so we might want to keep the deployment cloud-based anyways. It is not currently connected to our local AD (which is synced with Azure AD for our mobile users).
EDIT- Networking FYI
The VPS firewall is configured to only allow traffic on the following TCP ports from my office's fixed IP: 80, 443, 3389. TCP port 8888 is open to the world. Thanks in advance for your help!
-
Solved my own problem.
For some reason, the toems-ca didn't install to my trusted root stores properly. I reinstalled it (following these directions if anyone else runs into this error) and now everything is working!
If anyone has any comments on my hosting of toem on a VPS or any suggestions to ensure good security apart from my IP filtering rules, I'd love to hear it.
Thanks,
BW
-
@brywhi said in No Checkins:
If anyone has any comments on my hosting of toem on a VPS or any suggestions to ensure good security apart from my IP filtering rules, I'd love to hear it
Sounds like you are on the right track already. Open port 80 and 8080 to your office only. Keep 8888 open to the world. 80 and 8080 aren't encrypted by default, you may want to add an ssl cert, mostly just to encrypt your login credentials. The client communication to 8888 is already encrypted but you can also add an ssl cert to that if you want for double encryption.
-
@theopenem_admin
Thanks! I am using a self-signed cert for accessing the web UI. I would normally employ LetsEncrypt, but with port 80 being restricted to only my IP, it's a bit more difficult, so I'm sticking with self-signed. If I similarly used a self-signed cert for 8888, I'm assuming I'd have to add that cert to the domain root CA, or else each client would reject communications with the server. Correct?
What is port 8080 used for? Don't recall seeing that one in the setup documentation, so it currently isn't open.
-
@brywhi said in No Checkins:
If I similarly used a self-signed cert for 8888, I'm assuming I'd have to add that cert to the domain root CA, or else each client would reject communications with the server. Correct?
Yes, or you can just skip it since it's already encrypted with the built-in certs.
Port 8080 is used when uploading files through the web ui.
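The fix in this thread (the toems-ca certificate had not landed in the trusted root store) and the later discussion of the encrypted client port 8888 both come down to one question a defender wants answered on a client before digging into logs: is the CA trusted by Windows, and does a TLS handshake to the server succeed with that chain? The script below is an added example, not code from the thread or from the Theopenem project. The server name `toems.example.invalid`, the `toems-ca` subject substring and the idea that the Theopenem client relies on the Windows machine root store are assumptions; adjust them to your installation.

```powershell
# Added example (not from the thread or the Theopenem project): verify that a
# CA certificate is present in the machine's Trusted Root store and that a TLS
# handshake to the server's client port succeeds with the default chain validation.
param(
    [string]$ServerHost = 'toems.example.invalid',  # placeholder, not from the thread
    [int]$Port = 8888,                               # client port discussed in the thread
    [string]$CaSubjectPattern = 'toems-ca'           # assumed substring of the CA's subject
)

function Test-ToemsCaInRootStore {
    param([string]$Pattern)
    # LocalMachine\Root is the store the whole machine trusts, not just the current user.
    $roots = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "*$Pattern*" }
    if (-not $roots) {
        Write-Warning "No certificate matching '$Pattern' in LocalMachine\Root."
        return $false
    }
    foreach ($c in $roots) {
        Write-Host ("Found root: {0} (thumbprint {1}, expires {2})" -f `
            $c.Subject, $c.Thumbprint, $c.NotAfter)
    }
    return $true
}

function Test-ToemsTlsHandshake {
    param([string]$HostName, [int]$TcpPort)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $TcpPort)
        # No custom validation callback: the server chain must build to a trusted root,
        # which is exactly what a missing CA in the root store breaks.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        Write-Host ("TLS {0} to {1}:{2}, server cert issued by {3}" -f `
            $ssl.SslProtocol, $HostName, $TcpPort, $ssl.RemoteCertificate.Issuer)
        return $true
    } catch [System.Security.Authentication.AuthenticationException] {
        # Chain validation failed: typical symptom of an untrusted or missing CA.
        Write-Warning "TLS handshake rejected: $($_.Exception.Message)"
        return $false
    } catch {
        # Firewall, DNS or service down; distinct from a trust problem.
        Write-Warning "Connection failed: $($_.Exception.Message)"
        return $false
    } finally {
        $client.Dispose()
    }
}

$inStore = Test-ToemsCaInRootStore -Pattern $CaSubjectPattern
$tlsOk   = Test-ToemsTlsHandshake -HostName $ServerHost -TcpPort $Port
"CA in root store: $inStore; TLS handshake OK: $tlsOk"
```

Run it in an elevated PowerShell session on a client that shows no checkin time. A `$false` from the first function with a `$false` from the second points at the certificate install; a `$true` from the first with a connection failure from the second points at the VPS firewall rules rather than trust.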