Installing An On-Premise Agent With Proxy Servers Or Firewalls

For many networks, security configurations include either proxy servers or firewalls. While TIBCO Scribe® Online is in the Cloud, your On-Premise Agent is installed on a computer, as shown in the following diagram:

TIBCO Scribe® Online Architecture

If your site uses either proxy servers or firewalls, some additional steps are required to allow the TIBCO Scribe® Online On-Premise Agent to access the cloud.

Symptoms that your On-Premise Agent may be behind a network firewall or proxy are:

Note: If you encounter any of these issues, or do not know whether your organization uses advanced security measures, such as a proxy server or firewall traffic filtering, contact your Network Administrator.

Note: When using a proxy server, TIBCO Scribe® Online requires that your TIBCO Scribe® Online Agent use Windows Authentication for access through the proxy server; other authentication methods are not currently supported.

Configuring TIBCO Scribe® Online Agent Firewall Support

Some TIBCO Scribe® Online end users have Firewall servers to add an extra level of security to their environments. In this case, you may need to add exceptions or whitelist entries to the firewall for TIBCO Scribe® Online and other databases, such as Microsoft Dynamics CRM Online and Salesforce, to function properly.

Connecting To TIBCO Scribe® Online

If you are trying to connect to TIBCO Scribe® Online from behind extra security add exceptions to the firewall for TIBCO Scribe® Online for your data center.

Note: For On Premise Agents, if you are using a data center other than the US data center, you must allow access to both your own data center and the US data center.

Data Center

Endpoints

Static IP Addresses

AWS Europe

https://agent-frankfurt.scribesoft.com

  3.94.183.228

  3.210.164.229

  3.210.220.205

  3.219.0.211

  3.219.82.130

  3.222.1.182

  3.224.17.183

  18.204.188.169

  18.211.255.76

  34.192.161.112

  34.199.140.171

  34.230.155.160

  35.158.9.191

  35.174.159.215

  52.1.131.218

  52.2.155.242

  52.3.62.147

  52.7.200.1

  52.20.44.177

  52.23.130.182

  52.28.61.234

  52.29.220.8

  52.45.5.15

  52.58.102.181

  52.58.248.24

  52.70.64.150

  52.73.34.66

  52.73.83.188

  52.203.27.122

  52.205.243.69

  54.82.228.30

  54.86.177.217

  54.93.152.15

AWS US

https://agent.scribesoft.com

  18.205.138.48

  34.197.135.234

  34.197.203.69

  34.199.76.224

  34.233.74.136

  34.237.69.78

  34.238.209.108

  54.83.87.1

  54.84.110.228

  54.86.129.180

  54.88.106.171

AWS US Sandbox

https://sb-agent.scribesoft.com

  3.213.67.3

  3.229.207.198

  34.198.237.167

  34.224.153.250

  52.204.244.28

  54.146.195.161

Azure US *

https://us1-connect-agent-azure.scribesoft.com

  13.77.173.116

Note: The US Azure Data Center is available only when working in TIBCO Scribe® Online as a capability of TIBCO Cloud ™ Integration. In TIBCO Cloud ™ Integration Data Centers are referred to as Regions.

Note: TIBCO may update these IP addresses or URLs. Updates are made after posting a Release Notice and updating the TIBCO Cloud ™ Services Status page. Best practice is to sign up for notifications from the TIBCO Cloud ™ Services Status page.

For additional information on URLs and IP addresses that may need to be whitelisted, see Whitelisting Requirements. For another useful reference on URLs and IP addresses and why they change, see Why do AWS Elastic Load Balancers have 3 IP addresses?

Configuring The On-Premise Agent For Proxy Servers

Setting Up Ports And The Active Directory Account

  1. Make sure that all of the following TCP ports are open. If needed, talk to your IT Administrator:
  2. See the Check Ports In Agent Environment Knowledge Base article for instructions on determining whether or not the appropriate ports can be accessed by the Agent.

  3. Set up an Active Directory account with permissions to go through the proxy that uses these ports on the proxy server.

Editing The Scribe.Core.ProcessorService.exe.config File

To configure the TIBCO Scribe® Online On-Premise Agent to use the Active Directory User account when communicating through the proxy, modify the Scribe.Core.ProcessorService.exe.config file on the computer on which the Agent is installed.

  1. Stop the TIBCO Scribe® Online Agent Windows Service.
  2. Navigate to the TIBCO Scribe® Online Agent folder. The default location is ..\Program Files [(x86)]\Scribe Software\TIBCO Scribe® Online Agent\.
  3. Use a text editor, such as Notepad, to open the Scribe.Core.ProcessorService.exe.config file.

    Note: Make sure to run the text editor as Administrator or the changes to the file may not be saved.

  4. In the Scribe.Core.ProcessorService.exe.config file, find the section that begins with <basicHttpBinding>, as follows:
  5. To the following line:

    <transport clientCredentialType="None"/>

    If you are using a Windows authentication based proxy server add:

    <transport clientCredentialType="None" proxyCredentialType="Windows"/>

    For example:

    If you are using a non-authentication based proxy server add:

    <transport clientCredentialType="None" proxyCredentialType="None"/>

    For example:

  6. In the same file, find the appSettings section. After the line that begins:
  7. <add key="Agent ID" value="21EC2020-3AEA-1069-A2DD-08002B30309D"/>

    Add the following line to explicitly state that any calls made through the network by the TIBCO Scribe® Online Agent use TCP:

    <add key="ServiceBusConnectionMode" value="Tcp"/>

    For example:

  8. Save and close the Scribe.Core.ProcessorService.exe.config file.
  9. Restart the TIBCO Scribe® Online Agent to pick up the changes you made to the Scribe.Core.ProcessorService.exe.config file. See Restarting An On-Premise Agent.

Editing TIBCO Scribe® Online Agent Service Properties

After you modify the Scribe.Core.ProcessorService.exe.config file, you need to change the user account running the service.

  1. From the TIBCO server, open Windows Services, right-click the TIBCO Scribe® Online Agent service and select Properties.
  2. From the Log On tab of the TIBCO Scribe® Online Agent Properties dialog, change the service to log on as the domain user for which your Network Administrator has granted permissions to have access through the proxy.

    Note: As a test, log in to the computer as the domain user, and then try to sign in to TIBCO Scribe® Online. Make sure that Internet Explorer is not set up to use a proxy server. If you can access and sign in to https://agent.scribesoft.com or https://agent-frankfurt.scribesoft.com, then your user has the necessary permissions.

  3. Save the changes you made to the TIBCO Scribe® Online Agent Service properties.
  4. Restart the Agent Service.
  5. Test your changes by signing into TIBCO Scribe® Online and testing a Connection. If you can successfully test a Connection, then the Agent is functioning properly through the proxy server.

In addition to changes for TIBCO Scribe® Online, you may need to make some changes for connectivity to your cloud application, as described below.

Connecting To Microsoft Dynamics CRM Online

Use the following information to connect to Microsoft Dynamics CRM Online from behind extra security.

Dynamics CRM Online Required Exceptions

To allow access to Microsoft Dynamics CRM Online, add exceptions to the firewall for the following sites:

Dynamics CRM Online IP Addresses

For a list of valid IP address ranges see the following Microsoft Support article: Microsoft Dynamics CRM Online IP Address Ranges.

Note: These servers are owned by Microsoft. The IP addresses may change and can be verified by Microsoft at any time.

TIBCO strongly recommends that you whitelist all of the IP addresses in the IP address list so that you are less likely to experience a service disruption if Microsoft makes changes to the IP addresses.

Dynamics CRM Online Ports

Network ports for Microsoft Dynamics CRM

Connecting To Salesforce

Use the following information if your site connects to Salesforce from behind extra security.

Salesforce Required Exception

To allow access to Salesforce, add an exception to the firewall for the following site:

https://*.salesforce.com

Salesforce.com IP Addresses

Please note that these servers are owned by Salesforce. The IP addresses may change and can be verified by Salesforce at any time.

Salesforce.com Ports

Troubleshooting

Proxy And Firewall Server Logs

When the TIBCO Scribe® Online Agent attempts to make an external connection to the cloud, a site, or a database and is denied by environmental security, the Proxy and/or Firewall server typically keeps a log of these attempts. These logs are useful for determining if a site you wish to connect to is being blocked. TIBCO Scribe® Technical Support can help you determine which IP addresses to unblock based on your log files.

Agent Behind Firewall Stops

The URL the On-Premise Agent uses to connect to the Cloud contains a trailing period (.), such as https://agent.scribesoft.com.. Some firewalls do not permit the trailing period (.), which causes the Agent to stop running.

Workaround:

  1. Navigate to the TIBCO Scribe® Online Agent folder. The default location is ..\Program Files [(x86)]\Scribe Software\TIBCO Scribe® Online Agent\.
  2. Use a text editor, such as Notepad, to open the Scribe.Core.ProcessorService.exe.config file.

    Note: Make sure to run the text editor as Administrator or the changes to the file may not be saved.

  3. Locate <add key="AdjustedURL" value="true" /> and make sure that the value = true. This prevents your changes from being overwritten when you restart the Agent. If this entry does not exist. Add it to the add key section just before <add key="AgentApiUrl" value="https://agent.scribesoft.com." />.
  4. Locate <add key="AgentApiUrl" value="https://agent.scribesoft.com." /> and remove the period after scribesoft.com.
  5. Restart the Agent Windows service.

High CPU Usage

If you have not configured your inbound and outbound ports correctly or if you have not added an exception to your firewall for TIBCO Scribe® Online, the computer where your TIBCO Scribe® Online Agent is installed may experience very high CPU usage.

Whitelisting IP Addresses

You may find the following resources useful for information about whitelisting IP addresses:

Related Topics

TIBCO Scribe® Online Agents

Installing A TIBCO Scribe® Online On-Premise Agent

Troubleshooting The TIBCO Scribe® Online Agent

Whitelisting Requirements