All Apps and Add-ons

Splunk Add-on for Office 365 - Getting errors when trying to configure settings (proxy)

Loves-to-Learn

Hi everybody,

I have a Splunk deployment with 2 IDX, 1 HF and 2 SH all running on Windows Server. All the Splunk instance are 7.3.6.

As per subject, I got a very strange issue when trying to configure the MS Office 365 Add-On (version 2.0.2) on the Heavy Forwarder. On the other hand, when I tried to configure it on a Search Head, everything worked fine and the Add-On is still running properly on such instance since I'm not able to solve the HF issue.
SH and HF were in the same subnet when the issue happened (now the SH has been moved into another one but the issue showed up for the first time when they were in the same subnet).

Here the details of the issue: when just clicking on the "Settings" tab of the application (no settings yet configured) I got a this error message in a red frame on the top of the page:

 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <!-- FileName: index.html Language: [en] --> <!--Head--> <head> <meta content="text/html; charset=UTF-8" http-equiv="Content-Type"> <meta http-equiv="X-UA-Compatible" content="IE=7" /> <title>McAfee Web Gateway - Notification</title> <script src="/mwg-internal/de5fs23hu73ds/files/javascript/sw.js" type="text/javascript" ></script> <link rel="stylesheet" href="/mwg-internal/de5fs23hu73ds/files/default/stylesheet.css" /> </head> <!--/Head--> <!--Body--> <body onload="swOnLoad();"> <table class='bodyTable'> <tr> <td class='bodyData' background='/mwg-internal/de5fs23hu73ds/files/default/img/bg_body.gif'> <!--Logo--> <table class='logoTable'> <tr> <td class='logoData'> <a href='http://www.mcafee.com'> <img src='/mwg-internal/de5fs23hu73ds/files/default/img/logo_mwg.png'></a> </td> </tr> </table> <!--/Logo--> <!--Contents--> <!-- FileName: cannotconnect.html Language: [en] --> <!--Title--> <table class='titleTable' background='/mwg-internal/de5fs23hu73ds/files/default/img/bg_navbar.jpg'> <tr> <td class='titleData'> Cannot Connect </td> </tr> </table> <!--/Title--> <!--Content--> <table class="contentTable"> <tr> <td class="contentData"> The proxy could not connect to the destination in time. </td> </tr> </table> <!--/Content--> <!--Info--> <table class="infoTable"> <tr> <td class="infoData"> <b>URL: </b><script type="text/javascript">break_line("https://127.0.0.1:8089/servicesNS/nobody/splunk_ta_o365/configs/conf-splunk_ta_o365_settings/proxy?output_mode=json&amp;count=0");</script><br /> </td> </tr> </table> <!--/Info--> <!--/Contents--> <!--Policy--> <table class='policyTable'> <tr> <td class='policyHeading'> <hr> Company Acceptable Use Policy </td> </tr> <tr> <td class='policyData'> This is an optional acceptable use disclaimer that appears on every page. You may change the wording or remove this section entirely in index.html. </td> </tr> </table> <!--/Policy--> <!--Foot--> <table class='footTable'> <tr> <td class='helpDeskData' background='/mwg-internal/de5fs23hu73ds/files/default/img/bg_navbar.jpg'> For assistance, please contact your system administrator. </td> </tr> <tr> <td class='footData'> generated <span id="time">2020-09-24 16:21:46</span> by McAfee Web Gateway <br /> python-requests/2.21.0 </td> </tr> </table> <!--/Foot--> </td> </tr> </table> </body> <!--/Body--> </html>

 

This is just the page generated (but not rendered) by the McAfee Web Gateway, and it causes that the application is not able to read the "splunk_ta_o365_settings.conf" file. 

It seems that the URL causing the web gateway error is:  

 

https://127.0.0.1:8089/servicesNS/nobody/splunk_ta_o365/configs/conf-splunk_ta_o365_settings/proxy?output_mode=json&amp;count=0

 

But if I type the URL in the search bar of my browser I got the requested JSON without any problem.

Both SH and HF are under the same Web Gateway proxy configuration/policy.

Any idea about this? Did anyone experience the same issue? 

Thanks in advance

0 Karma