After an apparently successful upload of the Enrollment Bundle, the DLP Cloud Detection Server cannot connect successfully to the Cloud Service.
The status of the connection is "Disconnected", or it might be reporting as "? Unknown".
This article was originally written for DLP installations prior to 14.6, but the content herein may apply to any setup after 14.5.
For related issues specific to 14.6 installations, see the link to TECH239588 in "Related Articles".
This issue can occur with either of the following DLP Cloud Services:
Cloud Detection Server (formerly known as the Cloud Service Connector)
Cloud Service for Email
Note: DLP 14.6 contains a new option to configure a "Cloud Proxy", which is designed to work around the networking limitations on outbound internet access from Enforce that some customer environments impose. For details on setting that up, see the link to the related article containing the Cloud Service for Email Implementation Guide.
[Enforce Console Error Code]: 4201 "Cloud Service enrollment: error requesting client certificate from Symantec Managed PKI Service"
[Error Detail]: ERROR DLP-5000
This certificate error indicates that the Enforce server cannot connect on outbound port 443 to the Cloud Detection Server (CDS).
In order to successfully register a CDS, one of the following options is required:
DLP 14.5 and earlier requires outbound connectivity on port 443 to a Cloud Detection Server: i.e., outbound access to 0.0.0.0/443. There are no exceptions or workarounds to this requirement, except to upgrade.
DLP 14.6 offers an option to configure a Cloud Proxy, where an explicit proxy can be configured so that the Enforce server's outbound connection is routed via that proxy. For issues specific to 14.6 installations, see the link to TECH239588 in "Related Articles".
Test network connectivity from the Enforce server as follows:
To verify name resolution, make sure that the following hostnames resolve to an IP address. If name resolution fails, you need to diagnose DNS and determine why the host cannot resolve names:
dig gw.csg.dlp.protect.symantec.com (US Service)
dig gw2.csg.dlp.protect.symantec.com (EU Service)
(If dig is not installed, you can use nslookup for the same purpose.)
To verify connectivity from the Enforce server to the SCEP service
Via command prompt:
telnet pki-scep.symauth.com 443
This should result in a successful connection.
To verify from a browser:
This should result in a Not Found page error, but SSL should be negotiated.
Verify base connectivity from the Enforce server to the Cloud Service: you should make a connection and not time out. If the connection times out or is refused immediately, you need to work with the network team to make sure that outbound access on port 443 to the internet is allowed from the Enforce server.
This should result in a 400 Bad Request error, but SSL should be negotiated (different browsers may indicate SSL cert was not provided).
If either of these fails, document which one and how it failed (screenshots are preferred).
Verify TLS connectivity – you should get back Symantec/VeriSign issued certificates. If not, you need to get the network team or group operating the transparent proxy to put in a specific bypass for the Enforce server per the two stated rules above.
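The three checks above (name resolution, TCP reachability on 443, and TLS negotiation with the expected certificate issuer) can be run in one pass from the Enforce server with the following script. It is an added example written for this article, not a Symantec tool; the hostnames are the ones named above, and the EXPECTED_ISSUERS list is taken from the article's statement that Symantec/VeriSign-issued certificates should come back, so adjust it if the service's CA changes.

```python
import socket
import ssl
# Added example for this article (not Symantec code); all hosts use outbound 443.
HOSTS = [
    "pki-scep.symauth.com",               # SCEP (certificate enrollment)
    "gw.csg.dlp.protect.symantec.com",    # Cloud Service gateway (US)
    "gw2.csg.dlp.protect.symantec.com",   # Cloud Service gateway (EU)
]
EXPECTED_ISSUERS = ("Symantec", "VeriSign")  # issuer names the article expects

def issuer_org(cert):
    """Return the issuer organizationName from an ssl.getpeercert() dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def issuer_is_expected(cert, expected=EXPECTED_ISSUERS):
    """True when the issuer is one of the expected CAs. Any other issuer, or
    none at all, is the signature of a transparent proxy re-signing TLS."""
    org = issuer_org(cert) or ""
    return any(name.lower() in org.lower() for name in expected)

def check_host(host, port=443, timeout=10):
    """Run the article's three stages (DNS, TCP, TLS) and report each one."""
    result = {"host": host, "dns": None, "tcp": None, "tls": None}
    try:
        result["dns"] = sorted({ai[4][0] for ai in socket.getaddrinfo(host, port)})
    except socket.gaierror as exc:
        result["dns"] = f"FAILED: {exc}"   # diagnose DNS before anything else
        return result
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        result["tcp"] = "ok"
    except OSError as exc:
        result["tcp"] = f"FAILED: {exc}"   # timeout/refused: outbound 443 blocked
        return result
    try:
        with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            org = issuer_org(cert)
            result["tls"] = org if issuer_is_expected(cert) else f"UNEXPECTED issuer: {org}"
    except OSError as exc:                 # ssl.SSLError is an OSError subclass
        result["tls"] = f"FAILED: {exc}"   # untrusted chain: likely interception
    return result

if __name__ == "__main__":
    for h in HOSTS:
        print(check_host(h))
```

A "FAILED" TLS result with a certificate-verification message, or an "UNEXPECTED issuer" naming an internal CA, is the evidence to hand to the network team when requesting the proxy bypass described above.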