I've run into an issue with regard to deploying VMware Carbon Black within my environment. There is a subset of endpoints that have never connected to the Internet directly and use proxy allowances for Windows Updates, etc. I have requested that the ports and URLs that VMware Carbon Black uses have allowances so that they can register successfully from my environment. For the most part, a majority of the endpoints are able to install the sensor(s) without any issues; however, I am getting cert errors for the sensors that fail to register. I've verified that the certs in question (GoDaddy) are present in both of the cert stores on the proxy (Palo Alto) and the endpoints. After digging a bit, I think the issue for this subset of endpoints failing to install the sensors is due to the policy group that is being applied. I don't see any settings/configurations for the App-ID specifically for vmware-carbon-black, which seems to be tagged as web-browsing and ssl.
Has anyone come across this scenario before in which the method of applying trusts, etc. using ports and URLs still fails? If so, were those issues able to be resolved by using App-ID instead?
Some vendors use cert-pinning to detect decryption between connections; EDR/XDR are starting to do this more. You will need to write an exclusion for the domains if that is what they are doing, as that could likely be breaking this. If you look at the exclusion list in your firewall, you'll see a whole number of cert-pinning services (Okta, etc.).
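To confirm whether decryption is what the failing endpoints are hitting, the following added PowerShell example (not part of the reply above and not vendor code) prints the issuer of the certificate an endpoint actually receives. It assumes the endpoint reaches the backend through the firewall without an explicit proxy hop, that the genuine chain is issued by GoDaddy as the question states, and that you supply the backend hostname yourself; the parameter and function names are illustrative.

```powershell
# Added example (not from the thread). Run on one failing and one working endpoint
# and compare the Issuer each one sees for the same backend hostname.
param(
    # Sensor backend hostname for your own tenant (not given in the thread).
    [Parameter(Mandatory)][string]$BackendHost,
    [int]$Port = 443,
    # Assumption: the genuine chain is issued by GoDaddy, per the question.
    [string]$ExpectedIssuerPattern = 'Go ?Daddy'
)

function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port)
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($HostName, $Port)
        # Accept any chain: the goal is to inspect what is presented, not to trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($s, $cert, $chain, $errors) $true
        }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        try {
            # Force TLS 1.2 so older .NET Framework defaults do not cause a false failure.
            $ssl.AuthenticateAsClient($HostName, $null,
                [System.Security.Authentication.SslProtocols]::Tls12, $false)
            # Copy the certificate before the stream is disposed.
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $client.Close() }
}

$cert = Get-PresentedCertificate -HostName $BackendHost -Port $Port
[pscustomobject]@{
    Host          = $BackendHost
    Subject       = $cert.Subject
    Issuer        = $cert.Issuer
    Thumbprint    = $cert.Thumbprint
    # False means the certificate was not issued by the expected public CA.
    IssuerMatches = $cert.Issuer -match $ExpectedIssuerPattern
}
```

If `IssuerMatches` is `False` on the failing endpoints and the issuer shown is the firewall's own signing CA, the session is being decrypted and a pinning client will reject it even though that CA is in the endpoint's trust store. The thumbprint differing between a working and a failing endpoint for the same hostname points the same way.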