Check Point Identity Agent – HTTPS Connections fail for Terminal Services / Citrix users with Multi User Home (MUH) Agent installed

Symptoms
Users connected to Terminal Services / Citrix XenDesk / Citrix XenApp randomly cannot connect to HTTPS resources on the internet or intranet when the Identity Awareness MUH Agent is installed.
The following text might be seen within an Application event in Windows Event Viewer:
Log Name: Application
Source: Application
Date: 3/10/2017 9:00:00 AM
Event ID: 0
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: serverName
Description:
The description for Event ID 0 from source Application cannot be found.
Either the component that raises this event is not
installed on your local computer or the installation is corrupted.
You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
System.Net.WebException: Unable to connect to the remote server
System.Net.Sockets.SocketException: Only one usage of each socket address
(protocol/network address/port) is normally permitted X.X.X.X:443
at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket,
IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)
The problem is not seen when the MUH Agent is uninstalled.
Cause
A race condition creates a connection collision.
Solution
Enable the PortProbing mechanism on the MUH Agent:
Note: The machine Registry should be backed up before implementing the following procedure.
1. Using regedit, create a DWORD value on the Terminal Services/Citrix server:
32-bit Windows: HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\UIP\EnablePortProbing = 1
64-bit Windows: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\CheckPoint\UIP\EnablePortProbing = 1
2. Reboot the server to apply the change.
PortProbing checks to see if the ports (source or destination) being used for a connection are available for use.
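
The same procedure as a PowerShell script, for servers where regedit is not practical. This is an added example, not Check Point's own tooling. It assumes an elevated 64-bit PowerShell session on the Terminal Services/Citrix server, and the backup file location ($backupFile) is a hypothetical choice.

```powershell
#Requires -RunAsAdministrator
# Added example: enables PortProbing for the MUH Agent as described in the steps above.
# Assumption: elevated 64-bit PowerShell session on the Terminal Services/Citrix server.

$ErrorActionPreference = 'Stop'
$valueName = 'EnablePortProbing'

# Pick the registry path the article gives for this Windows bitness.
if ([Environment]::Is64BitOperatingSystem) {
    $regPath = 'HKLM:\SOFTWARE\Wow6432Node\CheckPoint\UIP'
} else {
    $regPath = 'HKLM:\SOFTWARE\CheckPoint\UIP'
}

# Backup: export the existing key before touching it.
# Assumption: $backupFile is a hypothetical location. This export covers only the
# UIP key, which is narrower than a backup of the whole machine registry.
$backupFile = Join-Path $env:TEMP ("CheckPoint-UIP-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
if (Test-Path $regPath) {
    $nativePath = $regPath -replace '^HKLM:', 'HKLM'
    & reg.exe export $nativePath $backupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $nativePath failed; nothing was changed." }
    Write-Host "Backup written to $backupFile"
} else {
    # Create the key only when it is missing: New-Item -Force on an existing
    # registry key would discard the values already stored in it.
    New-Item -Path $regPath -Force | Out-Null
}

# Step 1: create (or overwrite) the DWORD and set it to 1.
New-ItemProperty -Path $regPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null

# Read the value back so a silent failure does not go unnoticed.
$current = (Get-ItemProperty -Path $regPath -Name $valueName).$valueName
if ($current -ne 1) { throw "$valueName is $current, expected 1." }
Write-Host "$regPath\$valueName = $current"

# Step 2 is left to the operator: the script does not restart the server.
Write-Host 'Reboot the server to apply the change.'
```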
