Hi igelers (Yes, we need to think on a better name),
We have 2 customers trying to do IGEL Onboarding with Azure AD and always get “Error #37” (Seems to be related to a CA certificate) after login properly with their users.
We tried to re-upload certificate and one of them persists with error #37 and the other shows error #33 (Seems to be related to REST API).
Then, I have some questions to confirm if we are doing something wrong:
• Customer has no external access from/to his UMS from/to devices. Which “UMS Hostname” needs to type on IGEL OS Onboarding Registration? Local IP Address? Internal network URL? Public IP (Not available in this case)?
• Needs he to open port 8443 on UMS server? They only want to access UMS on internal network and register remote device via Onboarding/Customer portal/Azure.
• Customer Portal sends an e-mail to remember a user that needs to renew Client Secret or UMS certificate?
• Is needed to load any configuration on UMS12 to apply on new devices?
Hi Bruno,
on Error 37, here is a great reading: igelcommunity.slack.com/archives/C8GP9JHQE/p1686593469870739?thread_ts=1686234452.330819&channel=C8GP9JHQE&message_ts=1686593469.870739 igelcommunity.slack.com/archives/C8GP9JHQE/p1686593469870739?thread_ts=1686234452.330819&channel=C8GP9JHQE&message_ts=1686593469.870739
1) are the devices only internal or from external? Not getting it clearly.
2) yes, correct: kb.igel.com/howtocosmos/en/onboarding-igel-os-12-devices-77865898.html kb.igel.com/howtocosmos/en/onboarding-igel-os-12-devices-77865898.html
3) would have to check
4) what do you mean?
Hi,
These users don ́t want to use ICG, but I will verify UMS Web certificate, again, to be sure.
1.- Internal devices are already registered and we need to register external/remote devices.
2.- Needs he to open port 8443 on firewall for UMS IP address? They don ́t want to allow any kind of external connection to his UMS server.
3.- I saw the options to replace Client Secret and X.509 certificate, but we need to confirm if there is any reminder. X.509 certificate expires on 2049, but Client Secret is set to 1 year.
4.- I mean, looking for IGEL Onboarding videos I saw that, after user login, appears “Initiated” message and starts to load Citrix or AVD session, wallpaper, etc.
Not sure how this should work without IGEL Cloud Gateway then…kb.igel.com/endpointmgmt-12.01/en/igel-ums-communication-ports-77869550.html kb.igel.com/endpointmgmt-12.01/en/igel-ums-communication-ports-77869550.html
Universal Management Suite listens on 8443 and needs to be able to get the Websocket opening request from OS12 device.
@member Is this statement correct?
“They don ́t want to allow any kind of external connection to his UMS server.”
Without any inbound connectivity then the devices will never communicate with the UMS from an external location.
If you add an ICG you still need external communications open inbound to the ICG – same port 8443.
At the moment I cant see how they will ever work if no communication is allowed :thinking_face:
Needs he to add UMS local IP with port 8443 on his firewall?
Needs he to configure something on remote device firewall/network?
Checkout the diagram
Direction of arrows = communication direction.
So
Internet -> Port 8443 -> UMS
Also for internal communication its:
Local network (LAN) -> Port 8443 -> UMS
If you have an ICG, its not shown on that picture but its essentially:
Internet -> Port 8443 -> ICG <- Port 8443 <-UMS (LAN) (Notice arrow change direction)
Whatever way you implement for external access you need to allow 8443 Inbound from wherever the client is located, likely internet.
Then, If they have some internal devices already registered, port 8443 is configured properly, true?
I think that problem came from another cause, but is complicated to locate.
I mean, after type user e-mail connects to his company Azure account and login properly. Shows “Initiated” and, after a few seconds, shows error 37 and device is not registered.
Sounds like internally its fine, normally wouldnt find a firewall blocking internal comms and it doesnt sound like there is one between the clients and UMS internally.
Can you get into the terminal and look at journalctl see if that gives any pointers?
Yes, seems that Remote Device > IGEL Customer Portal > Azure is OK, but fails Customer Portal > UMS.
I will continue investigating with IGEL tech support to try to find the cause.
Thanks and sorry for my poor network security knowledge. 🫣
No worries, good luck 🙂 (p.s. we all have to start somewhere 👍)
I have clear the issue with customer and error 37 but, What about the other customer with error 33?
He has his UMS server on Azure, too, and opened port 8443. In fact, he can register remote devices with OTP method, but OBS fails.
Any idea? Which is the cause for “Failed to initialize EST API”?
Continue reading and comment on the thread ‘IGEL Onboarding with Azure AD and always get “Error #37″‘. Not a member? Join Here!
Learn more, search the IGEL Knowledge Base
Ask a question or comment on the above message thread?
Join or log in to the IGEL Community to ask us anything and meet other IGEL customers, partners, and EUC enthusiasts.Submit a question, or Join Today!