If you have a proxy server in your environment and you try to enroll the Symantec Protection Engine scanner with centralized cloud console, you may encounter the following issues:

• Scanner enrollment fails.
• Scanner enrollment succeeds but CAF service stops functioning.
• Scanner enrollment succeeds but centralized cloud console does not receive events.

Certificate pinning does not work correctly when communication between CAF (Common Agent Framework) and centralized cloud console (CWP Server) happens through a proxy. The certificate chain sent by server is not correctly received across proxy. Either proxy modifies the chain or sends its own certificate.

To resolve this issue, you must disable the certificate pinning.

To disable certificate pinning manually

1. Unenroll the scanner if you have not disabled certificate pinning before enrolling the scanner with the centralized cloud console.
   See Unenrolling scanners from centralized console 
2. Take a backup of CAFStorage.ini file and delete it.
   Windows: C:\ProgramFiles\Symantec\CommonAgentFramework\CAFStorage.ini
   Linux: /opt/Symantec/cafagent/bin/CAFStorage.ini
   Note: Skip the steps 1 and 2 if the scanner is not enrolled yet.
3. Open CAFConfig.ini in the text editor.
   Windows: C:\Program Files\Symantec\Common Agent Framework\CAFConfig.ini
   Linux: /etc/caf/CAFConfig.ini
4. Remove the following two lines:
   [ssl-config]
   Https_CertFilePath=certs
5. Enroll the scanner with the centralized cloud console.
   See Enrolling the scanners with the centralized console