Splunk Add-on for Office 365 - Getting errors when trying to configure settings (proxy)

lpino
Path Finder

Hi everybody,

I have a Splunk deployment with 2 IDX, 1 HF and 2 SH all running on Windows Server. All the Splunk instances are 7.3.6.

As per subject, I got a very strange issue when trying to configure the MS Office 365 Add-On (version 2.0.2) on the Heavy Forwarder. On the other hand, when I tried to configure it on a Search Head, everything worked fine and the Add-On is still running properly on such instance since I'm not able to solve the HF issue.
SH and HF were in the same subnet when the issue happened (now the SH has been moved into another one but the issue showed up for the first time when they were in the same subnet).

Here are the details of the issue: when just clicking on the "Settings" tab of the application (no settings yet configured) I got this error message in a red frame on the top of the page:

 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <!-- FileName: index.html Language: [en] --> <!--Head--> <head> <meta content="text/html; charset=UTF-8" http-equiv="Content-Type"> <meta http-equiv="X-UA-Compatible" content="IE=7" /> <title>McAfee Web Gateway - Notification</title> <script src="/mwg-internal/de5fs23hu73ds/files/javascript/sw.js" type="text/javascript" ></script> <link rel="stylesheet" href="/mwg-internal/de5fs23hu73ds/files/default/stylesheet.css" /> </head> <!--/Head--> <!--Body--> <body onload="swOnLoad();"> <table class='bodyTable'> <tr> <td class='bodyData' background='/mwg-internal/de5fs23hu73ds/files/default/img/bg_body.gif'> <!--Logo--> <table class='logoTable'> <tr> <td class='logoData'> <a href='http://www.mcafee.com'> <img src='/mwg-internal/de5fs23hu73ds/files/default/img/logo_mwg.png'></a> </td> </tr> </table> <!--/Logo--> <!--Contents--> <!-- FileName: cannotconnect.html Language: [en] --> <!--Title--> <table class='titleTable' background='/mwg-internal/de5fs23hu73ds/files/default/img/bg_navbar.jpg'> <tr> <td class='titleData'> Cannot Connect </td> </tr> </table> <!--/Title--> <!--Content--> <table class="contentTable"> <tr> <td class="contentData"> The proxy could not connect to the destination in time. </td> </tr> </table> <!--/Content--> <!--Info--> <table class="infoTable"> <tr> <td class="infoData"> <b>URL: </b><script type="text/javascript">break_line("https://127.0.0.1:8089/servicesNS/nobody/splunk_ta_o365/configs/conf-splunk_ta_o365_settings/proxy?output_mode=json&amp;count=0");</script><br /> </td> </tr> </table> <!--/Info--> <!--/Contents--> <!--Policy--> <table class='policyTable'> <tr> <td class='policyHeading'> <hr> Company Acceptable Use Policy </td> </tr> <tr> <td class='policyData'> This is an optional acceptable use disclaimer that appears on every page. You may change the wording or remove this section entirely in index.html. 
</td> </tr> </table> <!--/Policy--> <!--Foot--> <table class='footTable'> <tr> <td class='helpDeskData' background='/mwg-internal/de5fs23hu73ds/files/default/img/bg_navbar.jpg'> For assistance, please contact your system administrator. </td> </tr> <tr> <td class='footData'> generated <span id="time">2020-09-24 16:21:46</span> by McAfee Web Gateway <br /> python-requests/2.21.0 </td> </tr> </table> <!--/Foot--> </td> </tr> </table> </body> <!--/Body--> </html>

 

This is just the page generated (but not rendered) by the McAfee Web Gateway, and it causes the application to be unable to read the "splunk_ta_o365_settings.conf" file.

It seems that the URL causing the web gateway error is:

https://127.0.0.1:8089/servicesNS/nobody/splunk_ta_o365/configs/conf-splunk_ta_o365_settings/proxy?output_mode=json&count=0

But if I type the URL in the search bar of my browser I got the requested JSON without any problem.

Both SH and HF are under the same Web Gateway proxy configuration/policy.

Any idea about this? Did anyone experience the same issue? 

Thanks in advance

0 Karma

garias_splunk
Splunk Employee

I know this is quite an old post but I have seen this error today.

It is a proxy issue. In order to investigate this, you need to run the same request from the command line within the Splunk instance that is having the problem.

In the case I had, the add-on was installed on the HF so we ran this from its command line:

[root@server123 splunk]# curl -k -u splunk_msuser:myPasswordHere "https://127.0.0.1:8089/servicesNS/nobody/splunk_ta_o365/configs/conf-splunk_ta_o365_settings/proxy?output_mode=json&count=0"

The response was the same DOCTYPE content, showing it is not an app problem but a proxy issue.

That curl command is basically calling the configs/conf-{file} from the REST API

https://docs.splunk.com/Documentation/SplunkCloud/latest/RESTREF/RESTconf

If that command fails, it means there is a restriction in the environment preventing that request from being processed.

That curl command can be passed to the network team for investigation.

0 Karma
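
Added example, not part of the thread and not the add-on's code: a gateway error page for a 127.0.0.1 URL means the client sent its loopback request to the proxy, so this sketch checks whether a given environment would do that and whether a reply is splunkd JSON or an intercept page. It assumes the client takes its proxy from the conventional HTTPS_PROXY / NO_PROXY variables, which the thread does not confirm; the proxy address and function names are constructed.

```python
import json
from urllib.parse import urlsplit

# URL from the thread; the proxy address used below is a constructed placeholder.
SPLUNKD_URL = (
    "https://127.0.0.1:8089/servicesNS/nobody/splunk_ta_o365/"
    "configs/conf-splunk_ta_o365_settings/proxy?output_mode=json&count=0")


def proxy_for(url, env):
    """Proxy a client honouring *_PROXY / NO_PROXY would use for url, or None.

    Simplified model: NO_PROXY entries are exact hosts, domain suffixes or
    '*'; CIDR ranges and port-qualified entries are not handled.
    """
    env = {k.lower(): v for k, v in env.items()}
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    proxy = env.get(parts.scheme + "_proxy") or env.get("all_proxy")
    if not proxy:
        return None
    for entry in env.get("no_proxy", "").split(","):
        entry = entry.strip().lower().lstrip(".")
        if entry and (entry == "*" or host == entry or host.endswith("." + entry)):
            return None  # destination is exempt, request goes direct
    return proxy


def looks_like_splunkd_json(body):
    """True if body parses as a JSON object, False for e.g. a gateway HTML page."""
    try:
        return isinstance(json.loads(body), dict)
    except ValueError:
        return False


def diagnose(url, env, body):
    """Combine both checks into a single finding string."""
    if looks_like_splunkd_json(body):
        return "ok: splunkd answered with JSON"
    proxy = proxy_for(url, env)
    if proxy:
        host = urlsplit(url).hostname
        return f"loopback request routed via {proxy}; add {host} to NO_PROXY"
    return "non-JSON reply but no proxy variable applies; check system proxy settings"


if __name__ == "__main__":
    env = {"HTTPS_PROXY": "http://proxy.example.internal:9090"}  # constructed
    print(diagnose(SPLUNKD_URL, env, "<!DOCTYPE html PUBLIC ...>"))
```
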

lpino
Path Finder

Hi @garias_splunk,

thanks for the provided information.
In my environment, we migrated the heavy forwarder from Windows server to Linux server for business reasons and we don't have this issue anymore.

I don't know if it was related to the OS or the proxy/env configuration, but now it's working.

Anyway, I will keep in mind your considerations for the future, just in case.

Thank you
