If after following the instructions for agent installation, you are experiencing any problems with agent stability, alert consistency, agent unavailability, or remote connection instability, please verify the following:
Trial limitation
During the trial period, you may encounter issues installing the Atera agent on devices that had it installed by a different account. This limitation cannot be rectified for trial accounts. After purchasing an Atera subscription, you can install the agent on these devices by contacting our support team for assistance.
Error 2753
You might encounter error 2753 when attempting to install the Atera Agent on a device. This error occurs when files from a previous installation of the Atera Agent are still present on the device. To resolve this issue, please refer to this article, which provides all the necessary steps to fix the problem.
Supported Versions
Please look at the main article to see which Windows versions are compatible with the Atera agent.
.NET Framework
First, please confirm that the devices experiencing issues have installed .NET Framework 4.5 or a later version.
To verify if .NET Framework 4.5 or higher is installed on your devices, run the following script using PowerShell ISE with Admin rights:
```powershell
# Get the installed .NET Framework version
# (-ErrorAction SilentlyContinue lets the else branch below report a missing key instead of throwing)
$dotNetVersion = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\' -Name Version -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Version

# Check if .NET Framework version is found
if ($dotNetVersion) {
    Write-Host "Installed .NET Framework Version: $dotNetVersion"
} else {
    Write-Host "No .NET Framework installed or unable to determine version."
}
```
If the .NET Framework is installed, the script prints the installed version. Keep in mind that the version needs to be 4.5 or higher for the Atera agent to work properly.
Server List and Ports
In addition to installing the .NET framework on your device, it is imperative to configure your network settings to enable communication between your devices and our servers.
The agent communicates with the following servers. Make sure they are whitelisted on your network.
- pubsub.atera.com
- pubsub.pubnub.com
- app.atera.com
- agenthb.atera.com
- packagesstore.blob.core.windows.net
- ps.pndsn.com
- agent-api.atera.com
- cacerts.thawte.com
- agentreportingstore.blob.core.windows.net
- atera-agent-heartbeat.servicebus.windows.net
- ps.atera.com
- atera.pubnubapi.com
- appcdn.atera.com
- atera-agent-heartbeat-cus.servicebus.windows.net
- ticketingitemsstoreeu.blob.core.windows.net
- download.visualstudio.microsoft.com
- a32dl55qcodech-ats.iot.eu-west-1.amazonaws.com
- agentspoliciesprod.blob.core.windows.net
- dotnetcli.azureedge.net
Important Note: Our servers cannot be whitelisted by IP address; whitelist them by server name only.
Ports
Besides whitelisting the servers from above on your network, you will also need to:
- Allow outbound traffic over ports 443 and 8883 (TCP/UDP) in the Antivirus, Firewall, and Proxy servers.
Verify server connection (.ps1)
To evaluate the connection between your device and our servers, run the provided PowerShell script on your affected endpoint with administrative privileges. The script will generate a list indicating blocked and whitelisted servers on your network. Whitelisting a blocked server is essential for proper functionality.
```powershell
# Define the list of target servers and the TCP ports to test on each
$targets = [ordered]@{
    "pubsub.atera.com" = @(443)
    "pubsub.pubnub.com" = @(443)
    "app.atera.com" = @(443)
    "agenthb.atera.com" = @(443)
    "packagesstore.blob.core.windows.net" = @(443)
    "ps.pndsn.com" = @(443)
    "agent-api.atera.com" = @(443)
    "cacerts.thawte.com" = @(443)
    "agentreportingstore.blob.core.windows.net" = @(443)
    "atera-agent-heartbeat.servicebus.windows.net" = @(443)
    "ps.atera.com" = @(443)
    "atera.pubnubapi.com" = @(443)
    "appcdn.atera.com" = @(443)
    "atera-agent-heartbeat-cus.servicebus.windows.net" = @(443)
    "ticketingitemsstoreeu.blob.core.windows.net" = @(443)
    "download.visualstudio.microsoft.com" = @(443)
    "a32dl55qcodech-ats.iot.eu-west-1.amazonaws.com" = @(443, 8883)
    # Also in the server list above
    "agentspoliciesprod.blob.core.windows.net" = @(443)
    "dotnetcli.azureedge.net" = @(443)
}

# Function to resolve all IP addresses for a given server
function Get-AllIPAddresses {
    param (
        [string]$server
    )
    try {
        $ipAddresses = [System.Net.Dns]::GetHostAddresses($server)
        $resolvedIPs = $ipAddresses | ForEach-Object { $_.IPAddressToString }
        return $resolvedIPs
    }
    catch {
        # Name resolution failed (DNS filtering or no such record)
        return $null
    }
}

# Function to test TCP connection to a specific port
function Test-TcpConnection {
    param (
        [string]$server,
        [int]$port
    )
    $resolvedIPs = Get-AllIPAddresses -server $server
    if ($resolvedIPs) {
        foreach ($resolvedIP in $resolvedIPs) {
            $tcpClient = New-Object System.Net.Sockets.TcpClient
            try {
                $tcpClient.Connect($resolvedIP, $port)
                Write-Host ("TCP Connection to $server ($resolvedIP) on port $port is successful.") -ForegroundColor Green
            }
            catch {
                Write-Host ("TCP Connection to $server ($resolvedIP) on port $port failed. Error: $($_.Exception.Message)") -ForegroundColor Red
            }
            finally {
                # Release the socket whether or not the connection succeeded
                $tcpClient.Close()
            }
        }
    } else {
        Write-Host "Unable to resolve IP addresses for $server." -ForegroundColor Red
    }
}

# Loop through the targets and test the TCP connections
foreach ($target in $targets.GetEnumerator()) {
    $server = $target.Key
    $ports = $target.Value
    Write-Host "Testing connections to $server..."

    # Test TCP connections
    foreach ($port in $ports) {
        Test-TcpConnection -server $server -port $port
    }

    # Test UDP connections (not implemented; you can add specific UDP tests if needed)
    # foreach ($port in $ports) {
    #     Test-UdpConnection -server $server -port $port
    # }

    Write-Host "" # Add an empty line after testing each server
}
```
Potential software/devices for blockage
Under your organization's settings, you may need to adjust settings for your Anti-Virus, Firewall, Proxy, or Geo-blocking. The following is a list of configurations that must be applied to all relevant applications.
Anti-Virus
Include the following paths in the Antivirus whitelist:
- C:\Program Files\Atera Networks (or C:\Program Files (x86)\ATERA Networks for 32bit)
- C:\Windows\Temp\AteraUpgradeAgentPackage
You may need to enable/add an exemption policy for scanning password-protected ZIP files (or allow unscannable content to pass).
For testing purposes, consider whitelisting the folder: C:\Windows\Installer
After completing the whitelisting process, proceed to initiate another installation. Remember to remove the whitelist once the testing phase is concluded.
Firewall
In certain network environments where HTTPS traffic is restricted, ensure the addition of a rule permitting HTTPS traffic from LAN to WAN, specifically for the Atera address:
- agent-api.atera.com
Additionally, HTTPS inspection (Deep Packet Inspection/SSL Inspection) may lead to blockages. It is crucial to either disable HTTPS scanning or include Atera and its servers in the inspection whitelist.
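A successful TCP connection does not show whether HTTPS inspection is in the path. The following added example (not part of Atera's article or tooling) completes a TLS handshake with a few of the servers listed above and prints the issuer of the certificate the endpoint actually receives; an issuer that names your firewall or proxy vendor means the traffic is being inspected. The function name `Get-PresentedCertificate` and the choice of three hosts are assumptions made for this example.

```powershell
# Added example (not Atera's code). Host names are taken from the server list above.
$hostsToCheck = 'agent-api.atera.com', 'app.atera.com', 'agenthb.atera.com'

function Get-PresentedCertificate {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $state = @{ Errors = $null }
    $ssl = $null
    # Accept whatever certificate is presented so the handshake completes even when
    # a proxy re-signs it; the validation result is recorded and no data is sent.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($source, $certificate, $chain, $sslPolicyErrors)
        $state.Errors = $sslPolicyErrors
        $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host         = $HostName
            Issuer       = $cert.Issuer
            Subject      = $cert.Subject
            Protocol     = $ssl.SslProtocol
            PolicyErrors = $state.Errors   # 'None' means the local trust store accepts the chain
        }
    }
    catch {
        [pscustomobject]@{
            Host = $HostName; Issuer = $null; Subject = $null; Protocol = $null
            PolicyErrors = "Handshake failed: $($_.Exception.Message)"
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

$hostsToCheck | ForEach-Object { Get-PresentedCertificate -HostName $_ } | Format-List
```

Run the same script from a network without inspection and compare the Issuer lines to confirm what the unmodified certificates look like.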
Important Note: The Great Firewall of China is currently blocking certain servers essential for AteraAgent to report device availability (online/offline status). Consequently, machines situated in this country may not be manageable from the console. While using a VPN connection may potentially bypass these restrictions, please be advised that we cannot offer specific instructions or support for configuring such setups.
Proxy
Proxy and web-filtering systems are frequently encountered and can impact the stable behavior of the agent.
Ensure that outbound traffic on ports 443 and 8883, as well as file extensions ZIP and EXE from our website (Atera address: agent-api.atera.com), are permitted.
Important Note: Please be aware that Atera does not provide support or guidance for proxy configuration.
Geo-blocking
As an example, SonicWall routers, renowned for their Geo-Blocking features, may require specific configurations.
Ensure the allowance of content traffic, in addition to permitting TCP traffic on ports 443 and 8883, for optimal functionality.
Proxy under local system account
Enabling proxies locally on your device, within a local system account, may impact the proper functioning of the Atera agent. For testing purposes, it is crucial to disable the proxy within the local system account.
To verify the proxy status, execute the following command in CMD with administrative privileges.
```bat
bitsadmin /util /getieproxy localsystem
```
To deactivate the proxy running on your local system account, execute the following command in CMD as an Administrator.
```bat
bitsadmin /util /setieproxy localsystem no_proxy
```
TLS configurations implemented using the third-party tool IIS Crypto
IIS Crypto is notorious for disrupting TLS communications by introducing unconventional values for registry keys. For optimal security, all TLS keys (Enabled/DisabledByDefault) should strictly adhere to values of 0 or 1, indicating disabled or enabled states, as outlined in the official Microsoft documentation on TLS registry settings.
The alterations made by IIS Crypto result in non-standard values that compromise communication over the protocol.
.NET settings for TLS
Occasionally, .NET may be directed to use a disabled TLS version, which disrupts Atera communication because the agent is a .NET application.
To address this issue, execute the following commands in an elevated CMD instance:
```bat
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" /v SystemDefaultTlsVersions /t REG_DWORD /d 00000001 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v SystemDefaultTlsVersions /t REG_DWORD /d 00000001 /f
```
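To check both TLS sections above before changing anything, the following added example (not Atera's code) lists every Enabled/DisabledByDefault value under the SCHANNEL protocol keys, flags any that is not 0 or 1, and then reads SystemDefaultTlsVersions from both .NET registry views. It only reads the registry; the function names are assumptions made for this example.

```powershell
# Added example (not Atera's code): read-only audit of the TLS registry settings.
$protocolsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolValues {   # hypothetical helper name
    if (-not (Test-Path $protocolsRoot)) { return }
    # Layout: Protocols\<protocol>\<Client|Server> holding DWORDs Enabled / DisabledByDefault
    Get-ChildItem -Path $protocolsRoot -Recurse | ForEach-Object {
        $key = $_
        foreach ($name in 'Enabled', 'DisabledByDefault') {
            $raw = $key.GetValue($name, $null)
            if ($null -eq $raw) { continue }
            if ($raw -is [int]) {
                # DWORDs are returned as signed Int32; print them unsigned so that
                # a value such as 0xFFFFFFFF does not show up as -1
                $display  = '0x{0:X8}' -f [BitConverter]::ToUInt32([BitConverter]::GetBytes($raw), 0)
                $standard = $raw -in 0, 1
            } else {
                $display  = "$raw (type $($key.GetValueKind($name)))"
                $standard = $false
            }
            [pscustomobject]@{
                Key      = $key.Name -replace '^.*\\Protocols\\', ''
                Name     = $name
                Value    = $display
                Standard = $standard   # False = not 0 or 1, review this value
            }
        }
    }
}

function Get-DotNetTlsSetting {   # hypothetical helper name
    $paths = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    foreach ($path in $paths) {
        $item = Get-ItemProperty -Path $path -Name SystemDefaultTlsVersions -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path                     = $path
            SystemDefaultTlsVersions = if ($item) { $item.SystemDefaultTlsVersions } else { 'not set' }
        }
    }
}

Get-SchannelProtocolValues | Format-Table -AutoSize
Get-DotNetTlsSetting | Format-Table -AutoSize
```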
FIPS
Currently, the AteraAgent does not support FIPS. If FIPS mode is enabled, communication between the agent and the console is hindered.
To verify FIPS status:
Navigate to the Registry Editor and inspect the existence of the following DWORDs:
- HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled
- HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
When FIPS is enabled, these DWORD values are set to '1'.
To deactivate FIPS, modify the values to '0', enabling proper functionality of the agent.
Alternatively, you can execute the following PowerShell script with administrative rights on your device to verify if FIPS is enabled.
```powershell
# Function to check if FIPS is enabled
function CheckFIPS {
    # Both values live under the same registry key
    $fipsRegistryKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy"
    $mdmEnabledRegistryKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy"

    # Check if the "Enabled" value exists
    $enabledValue = Get-ItemProperty -Path $fipsRegistryKey -Name "Enabled" -ErrorAction SilentlyContinue

    # Check if the "MDMEnabled" value exists
    $mdmEnabledValue = Get-ItemProperty -Path $mdmEnabledRegistryKey -Name "MDMEnabled" -ErrorAction SilentlyContinue

    # Display FIPS status based on the "Enabled" value
    if ($null -ne $enabledValue) {
        if ($enabledValue.Enabled -eq 1) {
            Write-Host "FIPS is enabled."
        } elseif ($enabledValue.Enabled -eq 0) {
            Write-Host "FIPS is disabled."
        } else {
            Write-Host "Unable to determine FIPS status."
        }
    } else {
        Write-Host "FIPS registry value not found."
    }

    # Display MDMEnabled status
    if ($null -ne $mdmEnabledValue) {
        if ($mdmEnabledValue.MDMEnabled -eq 1) {
            Write-Host "MDMEnabled is enabled."
        } elseif ($mdmEnabledValue.MDMEnabled -eq 0) {
            Write-Host "MDMEnabled is disabled."
        } else {
            Write-Host "Unable to determine MDMEnabled status."
        }
    } else {
        Write-Host "MDMEnabled registry value not found."
    }
}

# Call the function to check FIPS and MDMEnabled status
CheckFIPS
```
Cloned machines
Atera advises against installing the AteraAgent as part of a clone image, as doing so may lead to duplicated devices reporting to the console. For guidance on setting up a golden image with Atera and troubleshooting potential issues related to golden images and cloned machines, refer to the following article.
Outdated Atera agent installers
Using an outdated installer may lead to issues during the Atera agent installation process. It is advised to utilize an up-to-date installer when installing the agent on a new device. To generate an up-to-date installer, simply follow the steps outlined in our main article.