Installing An On-Premise Agent With Proxy Servers Or Firewalls
For many networks, security configurations include either proxy servers or firewalls. While TIBCO Scribe® Online is in the Cloud, your On-Premise Agent is installed on a computer, as shown in the following diagram:
TIBCO Scribe® Online Architecture
If your site uses either proxy servers or firewalls, some additional steps are required to allow the TIBCO Scribe® Online On-Premise Agent to access the cloud.
Symptoms that your On-Premise Agent may be behind a network firewall or proxy are:
- You are unable to establish a connection to https://agent.scribesoft.com, https://us1-connect-agent-azure.scribesoft.com, or https://agent-frankfurt.scribesoft.com.
- When installing a TIBCO Scribe® Online On-Premise Agent, you receive the following error:
- When running a TIBCO Scribe® Online Solution, the status displays Starting or In Progress for extended periods of time with no records being processed.
- You cannot create any Connections using your On-Premise Agent or receive a message that No Connectors were found.
- The rolling log for the TIBCO Scribe® Online Agent, stored in ..\Scribe Software\TIBCO Scribe® Online Agent\logs, contains the following error message:
(407) Proxy Authentication Required
Note: If you encounter any of these issues, or do not know whether your organization uses advanced security measures, such as a proxy server or firewall traffic filtering, contact your Network Administrator.
Note: When using a proxy server, TIBCO Scribe® Online requires that your TIBCO Scribe® Online Agent use Windows Authentication for access through the proxy server; other authentication methods are not currently supported.
Configuring TIBCO Scribe® Online Agent Firewall Support
Some TIBCO Scribe® Online end users use firewall servers to add an extra level of security to their environments. In this case, you may need to add exceptions or whitelist entries to the firewall for TIBCO Scribe® Online and other databases, such as Microsoft Dynamics CRM Online and Salesforce, to function properly.
Connecting To TIBCO Scribe® Online
If you are trying to connect to TIBCO Scribe® Online from behind extra security, add exceptions to the firewall for TIBCO Scribe® Online for your data center.
Note: For On-Premise Agents, if you are using a data center other than the US data center, you must allow access to both your own data center and the US data center.
Data Center | Endpoints | Static IP Addresses |
---|---|---|
AWS Europe | https://agent-frankfurt.scribesoft.com | • 3.94.183.228 • 3.210.164.229 • 3.210.220.205 • 3.219.0.211 • 3.219.82.130 • 3.222.1.182 • 3.224.17.183 • 18.204.188.169 • 18.211.255.76 • 34.192.161.112 • 34.199.140.171 • 34.230.155.160 • 35.158.9.191 • 35.174.159.215 • 52.1.131.218 • 52.2.155.242 • 52.3.62.147 • 52.7.200.1 • 52.20.44.177 • 52.23.130.182 • 52.28.61.234 • 52.29.220.8 • 52.45.5.15 • 52.58.102.181 • 52.58.248.24 • 52.70.64.150 • 52.73.34.66 • 52.73.83.188 • 52.203.27.122 • 52.205.243.69 • 54.82.228.30 • 54.86.177.217 • 54.93.152.15 |
AWS US | https://agent.scribesoft.com | • 18.205.138.48 • 34.197.135.234 • 34.197.203.69 • 34.199.76.224 • 34.233.74.136 • 34.237.69.78 • 34.238.209.108 • 54.83.87.1 • 54.84.110.228 • 54.86.129.180 • 54.88.106.171 |
AWS US Sandbox | https://sb-agent.scribesoft.com | • 3.213.67.3 • 3.229.207.198 • 34.198.237.167 • 34.224.153.250 • 52.204.244.28 • 54.146.195.161 |
Azure US * | https://us1-connect-agent-azure.scribesoft.com | • 13.77.173.116 |
Note: The US Azure Data Center is available only when working in TIBCO Scribe® Online as a capability of TIBCO Cloud™ Integration. In TIBCO Cloud™ Integration, Data Centers are referred to as Regions.
Note: TIBCO may update these IP addresses or URLs. Updates are made after posting a Release Notice and updating the TIBCO Cloud™ Services Status page. Best practice is to sign up for notifications from the TIBCO Cloud™ Services Status page.
For additional information on URLs and IP addresses that may need to be whitelisted, see Whitelisting Requirements. For another useful reference on URLs and IP addresses and why they change, see Why do AWS Elastic Load Balancers have 3 IP addresses?
Configuring The On-Premise Agent For Proxy Servers
Setting Up Ports And The Active Directory Account
- Make sure that all of the following TCP ports are open. If needed, talk to your IT Administrator:
  - Port 443. This port is required for outbound Agent communication with the TIBCO Scribe® Online website. TIBCO Scribe® Online can respond to Agent communication using port 443. If this port is not open, the TIBCO Scribe® Online Agent is not fully accessible from the TIBCO Scribe® Online website.
  - Port 80. This port is required for outbound communication for SSL Certificate validation.
  - Ports 5671 and 5672, and 9350 through 9354. These are outbound ports used by the Agent to communicate with the Enterprise Service Bus (ESB). The ESB can respond to Agent communication using the same port. If your network policies prohibit you from opening these outbound ports, contact TIBCO Support for assistance with an alternate configuration.
  Important: Performance is slower when the Enterprise Service Bus (ESB) is not used.
  If you have not configured your inbound and outbound ports correctly or if you have not added an exception to your firewall for TIBCO Scribe® Online, the computer where your TIBCO Scribe® Online Agent is installed may experience very high CPU usage.
- Set up an Active Directory account with permissions to go through the proxy that uses these ports on the proxy server.
See the Check Ports In Agent Environment Knowledge Base article for instructions on determining whether or not the appropriate ports can be accessed by the Agent.
Editing The Scribe.Core.ProcessorService.exe.config File
To configure the TIBCO Scribe® Online On-Premise Agent to use the Active Directory User account when communicating through the proxy, modify the Scribe.Core.ProcessorService.exe.config file on the computer on which the Agent is installed.
- Stop the TIBCO Scribe® Online Agent Windows Service.
- Navigate to the TIBCO Scribe® Online Agent folder. The default location is ..\Program Files [(x86)]\Scribe Software\TIBCO Scribe® Online Agent\.
- Use a text editor, such as Notepad, to open the Scribe.Core.ProcessorService.exe.config file.
  Note: Make sure to run the text editor as Administrator or the changes to the file may not be saved.
- In the Scribe.Core.ProcessorService.exe.config file, find the section that begins with <basicHttpBinding>, as follows:
  To the following line:
  <transport clientCredentialType="None"/>
  If you are using a Windows authentication based proxy server, add:
  <transport clientCredentialType="None" proxyCredentialType="Windows"/>
  For example:
  If you are using a non-authentication based proxy server, add:
  <transport clientCredentialType="None" proxyCredentialType="None"/>
  For example:
- In the same file, find the appSettings section. After the line that begins:
  <add key="Agent ID" value="21EC2020-3AEA-1069-A2DD-08002B30309D"/>
  Add the following line to explicitly state that any calls made through the network by the TIBCO Scribe® Online Agent use TCP:
  <add key="ServiceBusConnectionMode" value="Tcp"/>
  For example:
- Save and close the Scribe.Core.ProcessorService.exe.config file.
- Restart the TIBCO Scribe® Online Agent to pick up the changes you made to the Scribe.Core.ProcessorService.exe.config file. See Restarting An On-Premise Agent.
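The two config edits in this procedure can also be applied with a script that keeps a backup copy. The following PowerShell is an added example, not TIBCO's code: the function name Set-AgentProxyConfig, the sample file and its placeholder binding name are assumptions, and it assumes the config file declares no XML namespace.

```powershell
# Added example, not TIBCO code. Run elevated with the Agent service stopped.
function Set-AgentProxyConfig {
    param(
        [Parameter(Mandatory)][string]$Path,   # Scribe.Core.ProcessorService.exe.config
        [ValidateSet('Windows', 'None')][string]$ProxyCredentialType = 'Windows'
    )
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    Copy-Item -LiteralPath $full -Destination "$full.bak" -Force   # rollback copy
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($full)

    # The <transport clientCredentialType="None"/> line(s) under <basicHttpBinding>.
    $transports = $xml.SelectNodes("//basicHttpBinding//transport[@clientCredentialType='None']")
    if ($transports.Count -eq 0) { throw "No matching <transport> element in $full" }
    foreach ($t in $transports) { $t.SetAttribute('proxyCredentialType', $ProxyCredentialType) }

    # ServiceBusConnectionMode=Tcp in <appSettings>, after the "Agent ID" entry.
    $app = $xml.SelectSingleNode('/configuration/appSettings')
    if ($null -eq $app) { throw "No <appSettings> section in $full" }
    $mode = $app.SelectSingleNode("add[@key='ServiceBusConnectionMode']")
    if ($null -eq $mode) {
        $mode = $xml.CreateElement('add')
        $mode.SetAttribute('key', 'ServiceBusConnectionMode')
        $anchor = $app.SelectSingleNode("add[@key='Agent ID']")
        if ($null -ne $anchor) { [void]$app.InsertAfter($mode, $anchor) } else { [void]$app.AppendChild($mode) }
    }
    $mode.SetAttribute('value', 'Tcp')
    $xml.Save($full)
}

# Constructed sample file; the binding name is a placeholder, not the Agent's real one.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'Scribe.Core.ProcessorService.exe.config'
@'
<configuration>
  <appSettings>
    <add key="Agent ID" value="21EC2020-3AEA-1069-A2DD-08002B30309D"/>
  </appSettings>
  <system.serviceModel><bindings><basicHttpBinding>
    <binding name="PlaceholderBinding"><security mode="Transport">
      <transport clientCredentialType="None"/>
    </security></binding>
  </basicHttpBinding></bindings></system.serviceModel>
</configuration>
'@ | Set-Content -LiteralPath $demo
Set-AgentProxyConfig -Path $demo -ProxyCredentialType Windows
Get-Content -LiteralPath $demo   # print the edited sample for review
```

Pass -ProxyCredentialType None for a non-authentication based proxy server, and compare the result with the .bak copy before restarting the Agent.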
Editing TIBCO Scribe® Online Agent Service Properties
After you modify the Scribe.Core.ProcessorService.exe.config file, you need to change the user account running the service.
- From the TIBCO server, open Windows Services, right-click the TIBCO Scribe® Online Agent service and select Properties.
- From the Log On tab of the TIBCO Scribe® Online Agent Properties dialog, change the service to log on as the domain user for which your Network Administrator has granted permissions to have access through the proxy.
Note: As a test, log in to the computer as the domain user, and then try to sign in to TIBCO Scribe® Online. Make sure that Internet Explorer is not set up to use a proxy server. If you can access and sign in to https://agent.scribesoft.com or https://agent-frankfurt.scribesoft.com, then your user has the necessary permissions.
- Save the changes you made to the TIBCO Scribe® Online Agent Service properties.
- Restart the Agent Service.
- Test your changes by signing into TIBCO Scribe® Online and testing a Connection. If you can successfully test a Connection, then the Agent is functioning properly through the proxy server.
In addition to changes for TIBCO Scribe® Online, you may need to make some changes for connectivity to your cloud application, as described below.
Connecting To Microsoft Dynamics CRM Online
Use the following information to connect to Microsoft Dynamics CRM Online from behind extra security.
Dynamics CRM Online Required Exceptions
To allow access to Microsoft Dynamics CRM Online, add exceptions to the firewall for the following sites:
- https://*.login.live.com
- https://*.crm.dynamics.com
- https://*.crm4.dynamics.com
- https://*.crm5.dynamics.com
- https://*.microsoft.com
- https://*.microsoftonline.com/
Dynamics CRM Online IP Addresses
For a list of valid IP address ranges, see the following Microsoft Support article: Microsoft Dynamics CRM Online IP Address Ranges.
Note: These servers are owned by Microsoft. The IP addresses may change and can be verified by Microsoft at any time.
TIBCO strongly recommends that you whitelist all of the IP addresses in the IP address list so that you are less likely to experience a service disruption if Microsoft makes changes to the IP addresses.
Dynamics CRM Online Ports
Network ports for Microsoft Dynamics CRM
Connecting To Salesforce
Use the following information if your site connects to Salesforce from behind extra security.
Salesforce Required Exception
To allow access to Salesforce, add an exception to the firewall for the following site:
https://*.salesforce.com
Salesforce.com IP Addresses
Please note that these servers are owned by Salesforce. The IP addresses may change and can be verified by Salesforce at any time.
- 204.14.232.0/23 — East Coast Data Center
- 204.14.237.0/24 — East Coast Data Center
- 96.43.144.0/22 — Midwest Data Centers
- 96.43.148.0/22 — Midwest Data Centers
- 204.14.234.0/23 — West Coast Data Center
- 204.14.238.0/23 — West Coast Data Center
- 182.50.76.0/22 — Japan Data Center
Salesforce.com Ports
- 80: This port only accepts HTTP connections.
- 443: This port only accepts HTTPS connections.
- 1024–66535 (inclusive): These ports accept HTTP or HTTPS connections.
Troubleshooting
Proxy And Firewall Server Logs
When the TIBCO Scribe® Online Agent attempts to make an external connection to the cloud, a site, or a database and is denied by environmental security, the Proxy and/or Firewall server typically keeps a log of these attempts. These logs are useful for determining if a site you wish to connect to is being blocked. TIBCO Scribe® Technical Support can help you determine which IP addresses to unblock based on your log files.
Agent Behind Firewall Stops
The URL the On-Premise Agent uses to connect to the Cloud contains a trailing period (.), such as https://agent.scribesoft.com.. Some firewalls do not permit the trailing period (.), which causes the Agent to stop running.
Workaround:
- Navigate to the TIBCO Scribe® Online Agent folder. The default location is ..\Program Files [(x86)]\Scribe Software\TIBCO Scribe® Online Agent\.
- Use a text editor, such as Notepad, to open the Scribe.Core.ProcessorService.exe.config file.
Note: Make sure to run the text editor as Administrator or the changes to the file may not be saved.
- Locate <add key="AdjustedURL" value="true" /> and make sure that the value is true. This prevents your changes from being overwritten when you restart the Agent. If this entry does not exist, add it to the add key section just before <add key="AgentApiUrl" value="https://agent.scribesoft.com." />.
- Locate <add key="AgentApiUrl" value="https://agent.scribesoft.com." /> and remove the period after scribesoft.com.
- Restart the Agent Windows service.
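The workaround above can be scripted so that it is safe to run more than once. This PowerShell is an added example, not TIBCO's code: the function name Repair-AgentApiUrl and the sample file are assumptions, and it assumes the config file declares no XML namespace.

```powershell
# Added example, not TIBCO code. Run elevated, then restart the Agent Windows service.
function Repair-AgentApiUrl {
    param([Parameter(Mandatory)][string]$Path)   # Scribe.Core.ProcessorService.exe.config
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    Copy-Item -LiteralPath $full -Destination "$full.bak" -Force   # rollback copy
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($full)

    $api = $xml.SelectSingleNode("//appSettings/add[@key='AgentApiUrl']")
    if ($null -eq $api) { throw "No AgentApiUrl entry in $full" }

    # AdjustedURL must be true so the edit survives an Agent restart;
    # create it just before AgentApiUrl when it is missing.
    $adjusted = $api.ParentNode.SelectSingleNode("add[@key='AdjustedURL']")
    if ($null -eq $adjusted) {
        $adjusted = $xml.CreateElement('add')
        $adjusted.SetAttribute('key', 'AdjustedURL')
        [void]$api.ParentNode.InsertBefore($adjusted, $api)
    }
    $adjusted.SetAttribute('value', 'true')

    # Drop only the period that ends the host name; the rest of the URL is kept.
    $old = $api.GetAttribute('value')
    $new = $old -replace '^(https?://[^/]+?)\.(/|$)', '$1$2'
    $api.SetAttribute('value', $new)
    $xml.Save($full)
    [pscustomobject]@{ Before = $old; After = $new; Changed = ($old -ne $new) }
}

# Constructed sample: AdjustedURL is absent and the URL ends in a period.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'agent-url-demo.config'
@'
<configuration>
  <appSettings>
    <add key="AgentApiUrl" value="https://agent.scribesoft.com." />
  </appSettings>
</configuration>
'@ | Set-Content -LiteralPath $demo
Repair-AgentApiUrl -Path $demo     # applies both edits to the sample
Repair-AgentApiUrl -Path $demo     # a second run leaves the file as it is
```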
High CPU Usage
If you have not configured your inbound and outbound ports correctly or if you have not added an exception to your firewall for TIBCO Scribe® Online, the computer where your TIBCO Scribe® Online Agent is installed may experience very high CPU usage.
Whitelisting IP Addresses
You may find the following resources useful for information about whitelisting IP addresses:
- CIDR notation — https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation
- IPv4 subnetting reference — https://en.wikipedia.org/wiki/IPv4_subnetting_reference
Related Topics
Installing A TIBCO Scribe® Online On-Premise Agent