Overview
GFI EndPointSecurity has been installed successfully and the required agents have been deployed. However, all agents appear offline and no events are forwarded to the GFI EndPointSecurity main console.
Environment
- GFI EndPointSecurity
- All supported environments
Root Cause
This issue can have several causes. Work through the solutions below.
Resolution
Solution 1
Make sure that the agent machines can communicate with the server and that there is no firewall blocking the communication. By default, the agents communicate with the server using port 1116.
NOTE: If the communication port or the IP of the server is changed, the agents need to be updated to start using the new settings.
- In the GFI EndPointSecurity console, go to Configuration > Options > Advanced Options > Modify Advanced Options > Communication. Check the port being used.
- Open the command prompt and run the following command:
netstat -abn > C:\netstat.txt
- Open C:\netstat.txt and search for the port number being used by GFI EndPointSecurity.
- Verify that the service associated with this port is esecservice.exe:
Example: TCP 0.0.0.0:1116 0.0.0.0:0 LISTENING
[esecservice.exe]
- If the port is being used by a different process, change the communication port in step 1 to a different port (e.g., 1118).
- Restart the GFI EndPointSecurity service.
- Redeploy the agents.
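The port-ownership check from the steps above can be scripted. This is an added example, not GFI code: the function name Get-NetstatListener is hypothetical, the sample lines are constructed, and English-language netstat output is assumed.

```powershell
# Added example (not GFI code): report which process owns a listening port
# in saved `netstat -abn` output. Assumes English-language netstat output.
function Get-NetstatListener {
    param(
        [string[]] $Lines,                            # raw lines of netstat -abn output
        [int]      $Port = 1116,                      # default agent port named on this page
        [string]   $ExpectedProcess = 'esecservice.exe'
    )
    $records = @()
    $current = $null
    foreach ($line in $Lines) {
        # Connection row: proto, local addr:port, foreign addr, optional state (UDP has none)
        if ($line -match '^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$') {
            $current = [pscustomobject]@{
                Proto     = $Matches[1]
                Local     = '{0}:{1}' -f $Matches[2], $Matches[3]
                LocalPort = [int]$Matches[3]
                State     = $Matches[5]
                Owner     = $null
            }
            $records += $current
        }
        # Owner row: "[image.exe]" on a later line; a service name may sit in between
        elseif ($current -and $line -match '^\s*\[(.+)\]\s*$') {
            $current.Owner = $Matches[1]
        }
    }
    $records |
        Where-Object { $_.LocalPort -eq $Port -and $_.State -eq 'LISTENING' } |
        ForEach-Object {
            $verdict = if (-not $_.Owner) { 'owner not reported' } elseif ($_.Owner -eq $ExpectedProcess) { 'OK' } else { 'CONFLICT' }
            $_ | Add-Member -NotePropertyName Verdict -NotePropertyValue $verdict -PassThru
        }
}

# Constructed sample input; for real use pass (Get-Content C:\netstat.txt)
$sample = @'
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:1116           0.0.0.0:0              LISTENING
 [esecservice.exe]
  TCP    192.168.2.101:1116     192.168.2.55:50122     ESTABLISHED
 [esecservice.exe]
'@ -split "`r?`n"
Get-NetstatListener -Lines $sample -Port 1116 | Format-Table Proto, Local, Owner, Verdict
```

A CONFLICT verdict corresponds to the case in the step above where another process holds the port; no rows returned means nothing is listening on that port.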
Solution 2
If the GFI EndPointSecurity server has multiple Network Interface Cards, the agents may be trying to communicate with the server using an incorrect IP. The IP of the server can be specified manually by performing the following procedure:
- On the GFI EndPointSecurity server, browse to the ..\GFI\EndPointSecurity\Data folder.
- Make a backup of toolcfg_advancedsettings.xml.
- Open toolcfg_advancedsettings.xml with a text editor.
- Change the value of mainIP to the required IP address.
- Change the value of manualIPConfig to 1.
- Save the changes and close the file.
- Restart the GFI EndPointSecurity service.
- Update the agents from the GFI EndPointSecurity console.
In the following example, the IP address has been manually changed to 192.168.2.101:
<ESECConfiguration Version="4.1">
<Advanced mainIP="192.168.2.101" mainPort="1116" manualIPConfig="1" deploymentThreads="20" deploymentTimeout="150" agentPassword="ENCRYPTED_PASS" beepInterval="60" enableAgentSec="0"> </Advanced>
</ESECConfiguration>
Solution 3
Ensure that the account which is used to run the GFI EndPointSecurity service is a member of the Administrators group on the local machine and has full access on the GFI EndPointSecurity installation directory and all sub-folders. If this user is not able to write to the configuration files, the status of the agents will not be saved. They will appear offline in the EndPointSecurity console.
When this issue occurs, the following log files are also missing from the ..\GFI\EndPointSecurity\DebugLogs folder:
- esecservice.csv
- logesecservice.csv
Priyanka Bhotika