VMware Workspace ONE Community
ErkanValentin
Contributor

UAG and Per App Tunnel: error 500 during API call

Hi,

I installed Workspace One UEM 1907 on-premise (with one server in LAN and one server in DMZ), and one UAG server (3.7.2) in DMZ.

I can configure Content Gateway -> the service starts in UAG.
I can configure Tunnel Proxy -> the service starts in UAG.
But when I configure Tunnel Per App in the console, the service does not start in UAG (error 500 during API call).

Any idea please?

Thanks,
5 Replies
Mario_Giese
Enthusiast

Hi,
I saw this error too.
I reuploaded the SSL certificate for per App Server Authentication again in the console and after that it worked.
But I am not sure where this error comes from.


BR Mario

ErkanValentin
Contributor

Thanks for your answer. I use the AirWatch one; I tried to regenerate it but I have the same issue. I will try with a wildcard.
ErkanValentin
Contributor

In the AW_MDM_API.log on the DMZ server I have a strange error:

2019/12/13 15:19:44.366 WSP1UEM-DMZ *****    [0000000-0000000]   (83)  Error WanderingWiFi.AirWatch.BusinessImpl.TunnelTrafficRules.TunnelServerTrafficRulesBusiness.CreateTunnelTrafficRulesConfigForServer *** EXCEPTION ***
System.AggregateException: Une ou plusieurs erreurs se sont produites.
   à System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
   à WanderingWiFi.AirWatch.BusinessImpl.Tunnel.Clients.TunnelClient.SendToMicroservice(HttpMethod method, Uri uri, Object body)
   à WanderingWiFi.AirWatch.BusinessImpl.Tunnel.Clients.TunnelClient.GetServerTrafficRules(String tunnelConfigUuid)
   à WanderingWiFi.AirWatch.BusinessImpl.TunnelTrafficRules.TunnelServerTrafficRulesBusiness.GetTunnelServerConfigFromMicroservice(GatewayDetails gatewayDetails)
   à WanderingWiFi.AirWatch.BusinessImpl.TunnelTrafficRules.TunnelServerTrafficRulesBusiness.CreateTunnelTrafficRulesConfigForServer(GatewayDetails gatewayDetails, String userPasswordKey)
System.Net.Http.HttpRequestException: Une erreur s'est produite lors de l'envoi de la demande.
System.Net.WebException: La connexion sous-jacente a été fermée : Impossible d'établir une relation de confiance pour le canal sécurisé SSL/TLS.
   à System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   à System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
System.Security.Authentication.AuthenticationException: Le certificat distant n'est pas valide selon la procédure de validation.
   à System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
   à System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
Method: AirWatch.Security.Cryptography.X509Certificates.CertificateProvider.Get; LocationGroupID: 570; UserID: 52; UserName: Administrator; Returns: [Subject]
  CN=AirWatch Device Services Root

[Issuer]
  CN=AirWatch Device Services Root
0 Kudos
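
Added example, not part of any post in this thread and not VMware code: a small triage script that walks a .NET exception chain like the one in the AW_MDM_API.log excerpt above and reports the innermost exception, which is where a TLS trust failure shows up regardless of the log's language. The function name `triage` and the hint table are hypothetical; the sample is constructed (abridged from the trace above) and keeps exception types glued to the preceding text to show the parser does not depend on line breaks.

```python
import re

# Constructed sample: abridged from the trace in the post above. Exception
# types are deliberately left glued to the text that precedes them.
SAMPLE = """\
System.AggregateException: Une ou plusieurs erreurs se sont produites.   à System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
   à WanderingWiFi.AirWatch.BusinessImpl.Tunnel.Clients.TunnelClient.SendToMicroservice(HttpMethod method, Uri uri, Object body)
System.Net.Http.HttpRequestException: Une erreur s'est produite lors de l'envoi de la demande.System.Net.WebException: La connexion sous-jacente a été fermée.   à System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   à System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)System.Security.Authentication.AuthenticationException: Le certificat distant n'est pas valide selon la procédure de validation.   à System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
"""

# Exception type names are not localized, so match on them, not on the message.
EXC = re.compile(r"(System(?:\.[A-Z]\w*)+Exception):")
# Frames start with a localized "at" word ("à" in French) and a dotted name.
FRAME = re.compile(r"\s(?:at|à)\s+([\w.`]+)\(")

# Hypothetical hint table, keyed on the innermost exception type.
HINTS = {
    "System.Security.Authentication.AuthenticationException":
        "TLS trust failure: the caller rejected the remote certificate chain",
}


def triage(log_text):
    """Return the exception chain (outermost first), the first non-framework
    frame, and a hint for the innermost exception type."""
    chain = EXC.findall(log_text)
    frames = FRAME.findall(log_text)
    app_frames = [f for f in frames if not f.startswith("System.")]
    root = chain[-1] if chain else None
    return {
        "chain": chain,
        "root": root,
        "caller": app_frames[0] if app_frames else None,
        "hint": HINTS.get(root, "no hint for this exception type"),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```
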
Mario_Giese
Enthusiast

Hi,

Do you have the console and device service server separated?
After the installation the API URLs are pointing to the console server.
You should change this to Device Service Server as described here: https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1907/UEM_Installation/GUID-AWT-VERIFY-SITE-URL.h...
Always do this in the global OG.

Afterwards make sure that the secure channel installer (you find it in the console All Settings>System>Advanced>SecureChannelCertificate) is installed on the Device Service Server.
That could cause the Error you see in the log I guess.
Try again to configure the tunnel on UAG to see if the error still exists. (UAG needs to communicate to Device Service Server on 443 for the api call).

Another idea: upload the certificate chain of the certificate of the device service server in the configuration for tunnel service on the UAG to make sure there is no SSL error on communication between them.

BR Mario
ErkanValentin
Contributor

Thanks for your help, the service is starting now! 🙂

I changed the Site URLs and uploaded the full chain certificate.

Regards,