IBM MaaS360

  • 1.  Cloud extender end point communication

    Posted Tue October 15, 2024 08:04 AM

    We recently had an issue with our Cloud Extender and were unable to authenticate users through the MaaS360 portal.

    Both the user visibility and user authentication tests run on the Cloud Extender were successful; the service account and LDAP lookup were OK.

    The status on our Cloud Extender showed that it was unable to connect to Real-time Notifications.

    Checking the firewall rules, we allow outbound traffic explicitly over ports 80 and 443 to a defined list of endpoints.

    Port 443 traffic goes to:
    services.m3.maas360.com
    mpns.m3.maas360.com
    remediate02.m3.maas360.com
    maas-central.maas360.com
    maas-central-03.maas360.com
    dl.m3.maas360.com
    upload.fiberlink.com
    m3.maas360.com
    mpnsv2.m1.maas360.com
    mpnsv2.m2.maas360.com
    mpnsv2.m3.maas360.com
    mpnsv2.m4.maas360.com
    mpnsv2.m6.maas360.com


    Port 80 traffic goes to:
    internettest.fiberlink.com

    As a test we allowed outbound to any address and the Cloud Extender connected to Real-time Notifications.  Reinstating the rule has had no impact on the connection and we're now able to authenticate again.

    Does anyone have a list of the necessary endpoints for the Cloud Extender to connect to from an Australian instance?



    ------------------------------
    Dave Common
    ------------------------------


  • 2.  RE: Cloud extender end point communication

    Posted Fri October 18, 2024 02:03 PM

    Hi Dave, 

    Thank you for your post. You may have been impacted by a recent change at MaaS360. More information about this transition is found here...

    IBM Maas360 Upgrade of Communication technology in Cloud Extender

    You'll need to follow the steps in this article to ensure you have a stable connection to our new service. You have already confirmed the link is accessible but you will also need to ensure you have a proper SSL/TLS certificate. Below is a snippet from the linked article: 

    Use one of the following URLs to validate that the Cloud Extender can access the URL:

      • https://mpnsv2.m1.maas360.com
      • https://mpnsv2.m2.maas360.com
      • https://mpnsv2.m3.maas360.com
      • https://mpnsv2.m4.maas360.com
      • https://mpnsv2.m6.maas360.com

    Here is the successful response from the website:

      • The browser displays a payload response. Ignore the text 'Not Found' in the response.
      • The connection is secure, and the certificate is issued by DigiCert, Inc. Click the icon (View site information) on the address bar before the URL name to view the certification information. If the name is different than DigiCert, Inc, see Troubleshooting connection issue.

    If there is a connection failure, the web browser displays an error message that the website is not reachable. See Troubleshooting connection issue.

    If your network environment uses an HTTP proxy with SSL decryption, you must allowlist the MaaS360 endpoint service URLs to maintain uninterrupted connectivity for SSL decryption.

    To verify whether your network uses a proxy with SSL decryption and allowlisting, follow these steps:
    1. Access any secure website and verify the certificate chain.

      SSL decryption can occur if the proxy's certificate authority (CA) issues the certificate instead of the website's original CA.

      If SSL decryption is enabled for the website, then verify the Issued By details in the Certificate Viewer: <website> window, such as Common Name (CN), Organization (O), and Organization Unit (OU).

      For example, if SSL decryption is enabled for the website https://google.com, then the Issued By details in the Certificate Viewer: www.google.com window display Common Name (CN) as Web Proxy, Organization (O) as Example Corp., and Organization Unit (OU) as IT.

    2. Refer to your proxy provider's documentation for guidance on how to exclude specific domains from SSL decryption.

      If you require further assistance with allowlisting the broker URL, contact IBM Support.

    All other requirements for our platform are found here.

    If you have any further issues, please open a case on https://www.ibm.com/mysupport

    Thank you.



    ------------------------------
    Dustin Lick
    ------------------------------
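
The browser check quoted in the reply above can also be scripted from the Cloud Extender host. This is an added example, not code from IBM or from either poster: it connects to the five mpnsv2 hosts listed in the reply, validates the chain against the host's trust store, and reports whether the issuer organization contains DigiCert. The function names and the constructed sample certificate (built from the reply's Web Proxy / Example Corp. / IT illustration) are assumptions of this example.

```python
import socket
import ssl

# Hosts and expected issuer name come from the reply above.
ENDPOINTS = [f"mpnsv2.m{n}.maas360.com" for n in (1, 2, 3, 4, 6)]
EXPECTED_ISSUER_ORG = "DigiCert"

# Constructed sample: issuer as ssl.getpeercert() would report it behind a decrypting proxy.
SAMPLE_PROXY_CERT = {"issuer": (
    (("commonName", "Web Proxy"),),
    (("organizationName", "Example Corp."),),
    (("organizationalUnitName", "IT"),),
)}

def issuer_fields(cert):
    """Flatten the nested issuer RDN tuples from getpeercert() into a dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}

def classify(cert, expected=EXPECTED_ISSUER_ORG):
    """Return (verdict, detail) for a certificate dict from getpeercert()."""
    issuer = issuer_fields(cert)
    org = issuer.get("organizationName", "")
    if expected.lower() in org.lower():
        return "ok", org
    detail = ", ".join(f"{k}={v}" for k, v in issuer.items()) or "no issuer"
    return "unexpected-issuer", detail

def check(host, port=443, timeout=5.0):
    """Connect, validate the chain with the local trust store, classify the issuer."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return classify(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        # Chain does not validate here: proxy CA not trusted, or a root is missing.
        return "untrusted-chain", exc.verify_message
    except OSError as exc:
        # DNS failure, firewall drop, timeout, or other TLS error.
        return "unreachable", str(exc)

if __name__ == "__main__":
    print("constructed proxy sample:", classify(SAMPLE_PROXY_CERT))
    for host in ENDPOINTS:
        verdict, detail = check(host)
        print(f"{host:28} {verdict:18} {detail}")
```

A verdict of `unexpected-issuer` or `untrusted-chain` corresponds to the case the reply describes, where the certificate is issued by something other than DigiCert and the endpoint needs to be excluded from SSL decryption.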