Summary

This article provides a list of required online requirements that all customers of Flexera using the Software Vulnerability Manager must ensure before they can complete the integration of the SVM Daemon, Agent, and the plugins for Internet Explorer and System Center Configuration Manager.

Flexera uses the CryptoAPI of Windows to perform encryption and deliver security integrated to your controls when sending collected data. The CryptoAPI of Windows has a standard security validation such as certificate revocation verification, SSL certificates validation of the source and receiver, and it does that by verifying the digital and SSL certificates against the sites hosting the vendor CA originals. 

This is why customers shall consider white-listing the functionality of the SVM and its components by making them trusted in the network. To do so, the organization must ensure that Certificate Revocation is not disabled at the SVM components and the online CRL location are accessible by the clients through the corporate network, the organizational firewalls, white-listed at the Proxy, and other defenses. 

You will also want to make sure that the domain proxy server is not effectively blocking the URLs used for CRL validation online. These online sites are only used to store certificate listings presented by the  Certificate Authority that made them allow computers to connect and do matching validation against the dates and other important properties that deem a security certificate untampered and original. 

If there is a content-inspection solution decrypting transmissions and encrypting them with a corporate certificate, this would break the security chain of events and it will cause a security error and inability of the SVM solution to validate its secure transmission. Set SVM communications to bypass on that one. 

Synopsis

This article only relates to SVM2018 Cloud customers and should only be considered by SVM2018 Cloud products.

The following online URLs are used for validation of the Flexera SVM certificates that digitally signed (digital security non-repudiation) Flexera SVM software components:

• https://*.secunia.com
• http://crl.thawte.com
• http://crl.verisign.net
• http://crl3.digicert.com
• http://crl4.digicert.com
• http://ws.symantec.com
• http://*.symcb.com

The AWS CRL's are below although we do recommend using a wild card to whitelist as shown in the first URL incase AWS change a part of the URL:

• http://*.amazontrust.com
• http://crl.r2m02.amazontrust.com
• http://crl.rootca1.amazontrust.com
• http://crl.sca1b.amazontrust.com
• http://crl.rootg2.amazontrust.com
• http://s.ss2.us

Access to each of these online locations is vitally important for SVM components to work correctly as intended.  All of the URLs in the list shall be directly accessible by client machines that use SVM Agents, Daemon, Plugins, through the corporate Firewall/Proxy servers.

Restriction/Blocking of any of the above at the Proxy/Firewall/GPO/LocalSystem level might result in unexpected technical errors and failing SVM components' functionality that results in delayed vulnerability intelligence gathering for your organization and delayed prioritization programs. 

Refer to SVM2018 Helpnet Guide for more information.

Related KB Articles

WinHttp Error 12175 - CRL Validation Failed

WinHttp Error 12045 - Failure to Publish Packages

Error Occurred While Downloading The File

SCCM Inventory Import and Daemon Certificate Revocation Check Failures by Proxy