HP JetAdvantage Security Manager 10 Device E-LTU User Manual, Page 30

client and server, may be preventing traffic from reaching the server on TCP port 135. The client may
be unable to reach the server at all due to a general network problem.
The following troubleshooting steps should help to resolve these issues.
1. Check the policy settings again for accuracy, especially the Certificate Authority Server and
Certificate Authority. Ping the server by name from the client to verify that the name resolves
to the correct IP address. If it doesn’t, verify that the client and server are both using the
correct DNS servers, which must be inside the domain and will typically be domain
controllers. Try an IP address instead of a hostname for the server in case the hostname isn't
resolving. It's also possible that the Key Length or Signature Algorithm values in the policy aren't
supported by the device, either as a value that can be created in a CSR (if Jetdirect is chosen
as the source) or as a value in the certificate itself.
2. Check the Certificate Authority settings again to ensure that the account running the HPSM
service has the rights to submit requests to the CA. By default the Network Service account
runs the HPSM service, and Network Service manifests itself remotely as the machine name
(machine$).
3. Check the CA Template settings again to ensure that the account running the HPSM service
has the rights for Read and Enroll and that Authenticated Users has Read permissions. Make
sure Submit in Request is selected in the template settings under the Subject Name tab,
otherwise the certificate will be created for the Security Manager server and not the printer.
4. If the CA server is on a different domain than the HPSM server, and no trust relationship exists
between the domains, an error will appear claiming the template does not exist. Even though
the template clearly exists, templates must be published into Active Directory in order for
clients to use them, and the lack of trust relationship is keeping Security Manager from seeing
the template. The easiest resolution is to place the Security Manager server on the same
domain as the CA server.
5. Check firewall settings for ports being blocked. Security Manager uses DCOM over RPC, just
like workstations do for auto-enrollment of certificates, and DCOM uses port 135 for
certificate enrollment. If the firewall is enabled on the Security Manager server, make sure
traffic on TCP port 135 is allowed to pass. If workstations are successfully auto-enrolling for
certificates, it can be reasonably assumed the CA server firewall is not blocking port 135.
The certutil tool can simulate what Security Manager does to submit a request and
retrieve a certificate, which shows whether the port is being blocked:
certutil -ping CA server
Examples of an unsuccessful attempt to connect to a non-resolvable FQDN and a
successful attempt to the IP Address:
6. The PortQry command-line utility or PortQryui.exe user interface utility can be used to test
connectivity from the client to the server and determine which ports are open on the server. It
includes support for RPC and can be used to determine which services have dynamic ports
registered with RPC and which specific ports they use.
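
The name-resolution check from step 1 and the TCP port 135 check from step 5 can be combined into one pre-check run from the Security Manager server. The script below is an added example, not part of the HP manual; the function name Test-CaReachability and the server name ca01.example.local are assumptions made for illustration.

```powershell
# Added example (not from the HP manual). Run on the Security Manager server.
function Test-CaReachability {
    param(
        [Parameter(Mandatory)][string]$CaServer,  # hostname, FQDN or IP of the CA server
        [int]$Port = 135,                         # TCP port named in step 5
        [int]$TimeoutMs = 3000
    )
    $r = [ordered]@{ Target = $CaServer; Addresses = @(); PortOpen = $false; Hint = '' }

    # Step 1: an IP literal skips DNS; anything else must resolve.
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($CaServer, [ref]$ip)) {
        $addrs = @($ip)
    } else {
        try   { $addrs = @([System.Net.Dns]::GetHostAddresses($CaServer)) }
        catch {
            $r.Hint = 'Name does not resolve: check DNS servers, or retry with the IP address (step 1).'
            return [pscustomobject]$r
        }
    }
    $r.Addresses = @($addrs | ForEach-Object { $_.ToString() })

    # Step 5: attempt TCP 135 on each address. The timeout covers firewalls that drop
    # packets silently; a refused connection throws and is treated as closed.
    foreach ($a in $addrs) {
        $client = New-Object System.Net.Sockets.TcpClient($a.AddressFamily)
        try {
            $task = $client.ConnectAsync($a, $Port)
            if ($task.Wait($TimeoutMs) -and $client.Connected) { $r.PortOpen = $true; break }
        } catch {
            # Refused or unreachable: fall through and try the next address.
        } finally {
            $client.Close()
        }
    }

    $r.Hint = if ($r.PortOpen) {
        "TCP $Port reachable: review CA and template permissions (steps 2 to 4)."
    } else {
        "TCP $Port not reachable: check firewalls between the servers (step 5)."
    }
    [pscustomobject]$r
}

# Constructed placeholder name; replace with the CA server from the policy.
Test-CaReachability -CaServer 'ca01.example.local' | Format-List
```

A reachable port 135 only confirms the endpoint mapper answers; the dynamic ports that services register with RPC still need the PortQry check from step 6.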