How can we help?

  1. Atera Support
  2. Atera MSP
  3. Remote Monitoring and Management (RMM)
  4. Remote Monitoring and Management (RMM) - Become an Expert
Help Center
    Was this helpful?
    15 out of 33 found this helpful

    Troubleshoot the Atera Agent (Windows)

    If after following the instructions for agent installation, you are experiencing any problems with agent stability, alert consistency, agent unavailability or remote connection instability, please verify that you are on .NET Framework 4.5

    Additionally, please check the following:

     

    Allow outbound traffic over port 443 (TCP) in the Anti-Virus, Firewall and Proxy server.

     

    List of servers that the agent is communicating with:

    1. pubsub.atera.com
    2. pubsub.pubnub.com
    3. agentreporting.atera.com
    4. getalphacontrol.com
    5. app.atera.com
    6. agenthb.atera.com
    7. packagesstore.blob.core.windows.net
    8. ps.pndsn.com
    9. agent-api.atera.com
    10. cacerts.thawte.com
    11. agentreportingstore.blob.core.windows.net
    12. atera-agent-heartbeat.servicebus.windows.net
    13. ps.atera.com
    14. atera.pubnubapi.com
    15. appcdn.atera.com

     

    Potential software/devices for blockage:

    • Anti-Virus
        • Add the following paths into the Antivirus whitelist: 
          C:\Program Files\Atera Networks (or C:\Program Files (x86)\ATERA Networks for 32bit) 
          C:\Windows\Temp\AteraUpgradeAgentPackage
        • You may need to enable/add an exemption policy for scanning password-protected ZIP files (or allow unscannable content to pass). 
    • Firewall - In some networks HTTPS traffic is blocked. Make sure to add a rule to allow HTTPS traffic from LAN to WAN (Atera address: agent-api.atera.com).
      In some cases, HTTPS inspection (Deep Packet Inspection/SSL Inspection) can also cause blockages, make sure to disable HTTPS scanning or add Atera and its servers to the whitelist.
      Note: The Great Firewall of China is blocking some of the servers required by the AteraAgent to report the device's availability (online/offline status). Therefore, machines that are located in this country will not be manageable from the console. Using a VPN connection may override these restrictions, however, we cannot provide specific instructions or support for setting up such configurations. 
    • Proxy - Proxy / Web-filtering is very common and can also be an obstacle to stable agent behavior. Make sure to permit outbound traffic (443) and file extensions; ZIP & EXE from our website (Atera address: agent-api.atera.com).
    • Geo-blocking - As an example, SonicWall routers are well known for their Geo-Blocking features.
    • Permit content traffic in addition to TCP (443 ) traffic

     

     

    Additional troubleshooting

     

    1. Proxy under localsystem account

    To check (CMD with admin):

    bitsadmin /util /getieproxy localsystem

    To solve (CMD with admin):

    bitsadmin /util /setieproxy localsystem no_proxy

     

    2. TLS settings that have been applied with the third party tool IIS Crypto

    This is a notorious tool for breaking TLS communications as it adds strange values for registry keys:

    All TLS keys (Enabled/DisabledByDefault) should have a value of 0 or 1 (disabled or enabled).

    https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings

    This tool, IIS crypto, is changing the values to…strange values which break the communication over the protocol.

     

    3. .NET settings for TLS

    Sometimes .NET might be instructed to work with a TLS that’s disabled, which breaks the Atera communication as well (being a .NET app).

    https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls

    To solve this, you can run the following commands in an elevated instance of CMD: 

    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" /v SystemDefaultTlsVersions /t REG_DWORD /d 00000001 /f
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v SystemDefaultTlsVersions /t REG_DWORD /d 00000001 /f

     

    4. FIPS

    The AteraAgent does not support FIPS at the moment. If this protocol is enabled, the agent cannot communicate with the console. 

    To check if FIPS is enabled:

    - Go to Registry Editor and check the presence of the following DWORDs:

    \HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled 

    \HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled

    - If enabled, the value of the DWORDs would be '1'

    - To disable it, change the value to '0' and the agent will start to work properly.

     

    5. Cloned machines

    Atera does not recommend installing the AteraAgent as part of a clone image.

    When the Atera agent is installed, a unique registry entry called AgentId found in Computer\HKEY_LOCAL_MACHINE\SOFTWARE\ATERA Networks\AlphaAgent is created.

    Thus, installing the agent through a cloned image will result in duplicated devices reporting back to the console.

    As a workaround, the image needs to be created with all the registry keys deleted - except for the IntegratorLogin key. This way after the device is set up and it connects to the web, the keys will recreate automatically.

    These registry keys can either be deleted manually or by running the below commands:

    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\ATERA Networks\AlphaAgent" /f /v AgentId
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\ATERA Networks\AlphaAgent" /f /v AccountId
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\ATERA Networks\AlphaAgent" /f /v CompanyId
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\ATERA Networks\AlphaAgent" /f /v DisableRemote
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\ATERA Networks\AlphaAgent" /f /v ServerName

     

    Once the keys are deleted and you created the cloned image, you can restart the AteraAgent service.

    sc stop AteraAgent && sc start AteraAgent

     

     

    Still have a question? Contact us
    Alina Anton

    Related articles