Windows Azure Connect and Symantec Endpoint Protection

    Question

  • Hi

    I'm trying to establish a connection from a Web-role to a database (SQL Server 2008 R2), on my local computer.

    I have installed the local endpoint (WACC.exe) on my local computer.

    On the Management Portal, I can see my local computer in the Activated Endpoints, and I have made a Group including my Web-role and my local computer. This indicates that there is some sort of connection between the Management Portal and my local computer.

    But on my local computer, the Windows Azure Connection is (Status: Disconnected).

    I am sure that this is caused by Symantec Endpoint Protection, and that there is missing a rule, but I don't know which.

    I have tried to disable the Symantec Endpoint Protection. That didn't do the trick, but when I uninstalled the Symantec Endpoint Protection and let Windows Firewall protect my local computer, I could connect. In this context I noticed that Windows Azure Connect, on my local computer, added rules to Windows Firewall by itself.

    It is my company's policy, using Symantec Endpoint Protection, so it is not a permanent option, to have it uninstalled.

    My question is, what rules do I have to add to Symantec Endpoint Protection to make Windows Azure Connect work properly?

    I have to ask my company's servicedesk to do this.

    On the Event log I am getting the following error:

    Log Name:      Application
    Source:        RasClient
    Date:          22-03-2011 12:05:35
    Event ID:      20227
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      Z940xxxx.corp.xxxxxxxxx.com
    Description:
    CoId={07630DBC-0275-422C-B0CD-16263D3090A5}: The user SYSTEM dialed a connection named Windows Azure Connect Relay1 1 which has failed. The error code returned on failure is 798.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="RasClient" />
        <EventID Qualifiers="0">20227</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2011-03-22T11:05:35.000000000Z" />
        <EventRecordID>63792</EventRecordID>
        <Channel>Application</Channel>
        <Computer>Z940xxxx.corp.xxxxxxxxx.com</Computer>
        <Security />
      </System>
      <EventData>
        <Data>{07630DBC-0275-422C-B0CD-16263D3090A5}</Data>
        <Data>SYSTEM</Data>
        <Data>Windows Azure Connect Relay1 1</Data>
        <Data>798</Data>
      </EventData>
    </Event>

    Tuesday, March 22, 2011 11:41 AM

All replies

  • Hi ohleh,

    From the error message, '798' means "A certificate could not be found that can be used with this Extensible Authentication Protocol".

    I'm not familiar with the product Symantec Endpoint Protection, and I'm not sure how it stopped the VPN connection. I suggest you also contact Symantec support to assist you with this issue.

    Thanks,


    Mog Liang
    • Marked as answer by Mog Liang Tuesday, March 29, 2011 8:26 AM
    • Unmarked as answer by ohleh Tuesday, March 29, 2011 8:39 AM
    Wednesday, March 23, 2011 7:16 AM
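To triage this failure across an exported Application log, the sketch below (an added example, not part of the thread and not Microsoft's tooling) pulls RasClient event 20227 out of event XML and labels the error code. The `SAMPLE` input is constructed from the event in the question; the function name and the one-entry code table (only 798, as explained in the reply above) are assumptions made here.

```python
import xml.etree.ElementTree as ET
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Only the code explained in this thread; other RAS codes are left unmapped.
RAS_ERRORS = {798: "A certificate could not be found that can be used "
                   "with this Extensible Authentication Protocol"}
# Constructed sample: the question's event (trimmed) plus an unrelated one.
SAMPLE = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="RasClient" />
    <EventID Qualifiers="0">20227</EventID>
    <TimeCreated SystemTime="2011-03-22T11:05:35.000000000Z" />
  </System>
  <EventData>
    <Data>{07630DBC-0275-422C-B0CD-16263D3090A5}</Data>
    <Data>SYSTEM</Data>
    <Data>Windows Azure Connect Relay1 1</Data>
    <Data>798</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="ExampleSource" /><EventID>1000</EventID></System>
  <EventData><Data>unrelated</Data></EventData>
</Event>
</Events>"""

def ras_dial_failures(xml_text):
    """Return one dict per RasClient event 20227 (a dialed connection failed)."""
    failures = []
    for ev in ET.fromstring(xml_text).iter("{%s}Event" % NS["e"]):
        provider = ev.find("e:System/e:Provider", NS)
        event_id = ev.findtext("e:System/e:EventID", namespaces=NS)
        if provider is None or provider.get("Name") != "RasClient" or event_id != "20227":
            continue
        data = [(d.text or "").strip() for d in ev.findall("e:EventData/e:Data", NS)]
        if len(data) != 4 or not data[3].isdigit():
            continue  # not the CoId / user / connection / code layout shown above
        when = ev.find("e:System/e:TimeCreated", NS)
        code = int(data[3])
        failures.append({
            "time": when.get("SystemTime") if when is not None else None,
            "user": data[1], "connection": data[2], "code": code,
            "meaning": RAS_ERRORS.get(code, "unmapped RAS error code"),
        })
    return failures

if __name__ == "__main__":
    for f in ras_dial_failures(SAMPLE):
        print("{time} {connection!r} ({user}): {code} = {meaning}".format(**f))
```
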
  • My problem isn't solved by suggesting that I have to contact Symantec support.

    Why is it Symantec's problem that you can't provide me with the rules I have to request to be added to my SEP?

    Regards Ole

    Tuesday, March 29, 2011 8:43 AM
  • The following rules are added in any endpoint protection scheme installed on any Windows 7 machine to enable Windows Azure Connect:

    | Name | Group | Profile | Enabled | Action | Override | Program | Local Address | Remote Address | Protocol | Local Port | Remote Port | Allowed Users | Allowed Computers |
    |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
    | Windows Azure Connect Peer Notification | Windows Azure Connect | All | Yes | Allow | No | Any | <Ipv6 TCP/IP Address Range> | <Ipv6 TCP/IP Address Range> | UDP | <Give Port #> | Any | Any | Any |
    | Windows Azure Connect RA/RS | Windows Azure Connect | All | Yes | Allow | No | Any | Any | Any | ICMPv6 | Any | Any | Any | Any |

    I don’t have any experience with SEP; however, you will need to set up/enable the above rules in your endpoint protection application (i.e. SEP) so that the Windows Azure Connect connection can be established. You can work with SEP to find out how to add the above rules.

     

    Azure support:

    http://www.microsoft.com/windowsazure/support/


    bill boyce
    • Proposed as answer by billb08 - MSFT Thursday, March 31, 2011 11:53 AM
    Thursday, March 31, 2011 11:53 AM
  • Hi Bill

    Thank you for the answer.

    It still does not solve my problem. But I can add some other details that may trigger a solution.

    When the webrole in the group, on the Management console, is removed, and only my computer is in the group, and I restart my computer, it can connect. But when I add the webrole to the group and activate 'refresh policy' on my local computer, Azure Connect can't connect, and the relay error with error '798' mentioned above reappears.

    Ole

    Monday, April 04, 2011 7:20 PM
  • Hi ohleh,

    I had the exact same situation, Symantec et al. I was able to resolve it by adding the .cer certs I used in the Azure portal for the Hosted Services -> Management Certificates to my personal certificates collection via MMC and then rebooting my computer.

    FYI, the way you can tell if you have a connection from your PC to Azure is to click on your computer name in the Azure portal Virtual Network -> Activated Endpoints. When the connection is established you will see an Address property with an IPv6 address.

    Hope that helps.

    • Proposed as answer by DeadCactusLabs Thursday, June 23, 2011 5:16 PM
    Wednesday, June 22, 2011 4:02 PM