Security

We are currently running clearpass cluster with version 6.9.13 and want to make an integration with Microsoft Intune. Our cluster is behind a firewall that normally has no internet access. We use a proxy server to retrieve firmware updatec, etc. Downloading firmware etc works fine with a proxy server.

Now we want to install the Microsoft Intune extension and get the following error message: Error creating extension instance: Download failed with status 500.

When we make a wireshark trace, we see that clearpass wants to go directly to the internet and not via the proxy server. According to the clearpass documentation, the proxy settings of the cppm should be inherited.

Is anyone familiar with this problem?

IIRC I've downloaded extensions with a proxy configured under the server settings in the past.  This was on 6.10 though. 

https://community.arubanetworks.com/blogs/esupport1/2022/12/02/firewallproxy-host-whitelist-for-clearpass-extensions

We are currently running clearpass cluster with version 6.9.13 and want to make an integration with Microsoft Intune. Our cluster is behind a firewall that normally has no internet access. We use a proxy server to retrieve firmware updatec, etc. Downloading firmware etc works fine with a proxy server.

Now we want to install the Microsoft Intune extension and get the following error message: Error creating extension instance: Download failed with status 500.

When we make a wireshark trace, we see that clearpass wants to go directly to the internet and not via the proxy server. According to the clearpass documentation, the proxy settings of the cppm should be inherited.

Is anyone familiar with this problem?

We are currently running clearpass cluster with version 6.9.13 and want to make an integration with Microsoft Intune. Our cluster is behind a firewall that normally has no internet access. We use a proxy server to retrieve firmware updatec, etc. Downloading firmware etc works fine with a proxy server.

Now we want to install the Microsoft Intune extension and get the following error message: Error creating extension instance: Download failed with status 500.

When we make a wireshark trace, we see that clearpass wants to go directly to the internet and not via the proxy server. According to the clearpass documentation, the proxy settings of the cppm should be inherited.

Is anyone familiar with this problem?

There is a known issue CP‑49373/CP‑49665: the configured HTTP Proxy settings were not used when downloading ClearPass Extensions.

Fixed in 6.11.3 (so alexs-nd, please open a TAC case if you see this on 6.11.4); 

https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.x.x/Default.htm#ReleaseNotes/Resolved/Resolved-6.11.3.htm?Highlight=49373

This issue seems to be in 6.10 as well, so maybe also in 6.9 but I can't find the full details on versions. Best would be to open a TAC case as they seem to be able to fix this issue for you.

We are currently running clearpass cluster with version 6.9.13 and want to make an integration with Microsoft Intune. Our cluster is behind a firewall that normally has no internet access. We use a proxy server to retrieve firmware updatec, etc. Downloading firmware etc works fine with a proxy server.

Now we want to install the Microsoft Intune extension and get the following error message: Error creating extension instance: Download failed with status 500.

When we make a wireshark trace, we see that clearpass wants to go directly to the internet and not via the proxy server. According to the clearpass documentation, the proxy settings of the cppm should be inherited.

Is anyone familiar with this problem?

There is a known issue CP‑49373/CP‑49665: the configured HTTP Proxy settings were not used when downloading ClearPass Extensions.

Fixed in 6.11.3 (so alexs-nd, please open a TAC case if you see this on 6.11.4); 

https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.x.x/Default.htm#ReleaseNotes/Resolved/Resolved-6.11.3.htm?Highlight=49373

This issue seems to be in 6.10 as well, so maybe also in 6.9 but I can't find the full details on versions. Best would be to open a TAC case as they seem to be able to fix this issue for you.

We are currently running clearpass cluster with version 6.9.13 and want to make an integration with Microsoft Intune. Our cluster is behind a firewall that normally has no internet access. We use a proxy server to retrieve firmware updatec, etc. Downloading firmware etc works fine with a proxy server.

Now we want to install the Microsoft Intune extension and get the following error message: Error creating extension instance: Download failed with status 500.

When we make a wireshark trace, we see that clearpass wants to go directly to the internet and not via the proxy server. According to the clearpass documentation, the proxy settings of the cppm should be inherited.

Is anyone familiar with this problem?

I can't speak to 6.11.4, but I can confirm that the bug is still present (or was re-introduced) in 6.11.7. 

I see proxy being honored for initial request to clearpass.arubanetworks.com, then a subsequent direct connection attempt to registry-1.docker.io which we block. This results in a 500 when attempting to install the UAP extension: "Error creating extension instance: Download failed with status 500".

There is a known issue CP‑49373/CP‑49665: the configured HTTP Proxy settings were not used when downloading ClearPass Extensions.

Fixed in 6.11.3 (so alexs-nd, please open a TAC case if you see this on 6.11.4); 

https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.x.x/Default.htm#ReleaseNotes/Resolved/Resolved-6.11.3.htm?Highlight=49373

This issue seems to be in 6.10 as well, so maybe also in 6.9 but I can't find the full details on versions. Best would be to open a TAC case as they seem to be able to fix this issue for you.

We are currently running clearpass cluster with version 6.9.13 and want to make an integration with Microsoft Intune. Our cluster is behind a firewall that normally has no internet access. We use a proxy server to retrieve firmware updatec, etc. Downloading firmware etc works fine with a proxy server.

Now we want to install the Microsoft Intune extension and get the following error message: Error creating extension instance: Download failed with status 500.

When we make a wireshark trace, we see that clearpass wants to go directly to the internet and not via the proxy server. According to the clearpass documentation, the proxy settings of the cppm should be inherited.

Is anyone familiar with this problem?