
Splunk Add-on for Office 365 - Getting errors when trying to configure settings (proxy)

lpino
Path Finder

Hi everybody,

I have a Splunk deployment with 2 IDX, 1 HF and 2 SH all running on Windows Server. All the Splunk instances are 7.3.6.

As per subject, I got a very strange issue when trying to configure the MS Office 365 Add-On (version 2.0.2) on the Heavy Forwarder. On the other hand, when I tried to configure it on a Search Head, everything worked fine and the Add-On is still running properly on such instance since I'm not able to solve the HF issue.
SH and HF were in the same subnet when the issue happened (now the SH has been moved into another one but the issue showed up for the first time when they were in the same subnet).

Here are the details of the issue: when just clicking on the "Settings" tab of the application (no settings yet configured) I got this error message in a red frame on the top of the page:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <!-- FileName: index.html Language: [en] --> <!--Head--> <head> <meta content="text/html; charset=UTF-8" http-equiv="Content-Type"> <meta http-equiv="X-UA-Compatible" content="IE=7" /> <title>McAfee Web Gateway - Notification</title> <script src="/mwg-internal/de5fs23hu73ds/files/javascript/sw.js" type="text/javascript" ></script> <link rel="stylesheet" href="/mwg-internal/de5fs23hu73ds/files/default/stylesheet.css" /> </head> <!--/Head--> <!--Body--> <body onload="swOnLoad();"> <table class='bodyTable'> <tr> <td class='bodyData' background='/mwg-internal/de5fs23hu73ds/files/default/img/bg_body.gif'> <!--Logo--> <table class='logoTable'> <tr> <td class='logoData'> <a href='http://www.mcafee.com'> <img src='/mwg-internal/de5fs23hu73ds/files/default/img/logo_mwg.png'></a> </td> </tr> </table> <!--/Logo--> <!--Contents--> <!-- FileName: cannotconnect.html Language: [en] --> <!--Title--> <table class='titleTable' background='/mwg-internal/de5fs23hu73ds/files/default/img/bg_navbar.jpg'> <tr> <td class='titleData'> Cannot Connect </td> </tr> </table> <!--/Title--> <!--Content--> <table class="contentTable"> <tr> <td class="contentData"> The proxy could not connect to the destination in time. </td> </tr> </table> <!--/Content--> <!--Info--> <table class="infoTable"> <tr> <td class="infoData"> <b>URL: </b><script type="text/javascript">break_line("https://127.0.0.1:8089/servicesNS/nobody/splunk_ta_o365/configs/conf-splunk_ta_o365_settings/proxy?output_mode=json&amp;count=0");</script><br /> </td> </tr> </table> <!--/Info--> <!--/Contents--> <!--Policy--> <table class='policyTable'> <tr> <td class='policyHeading'> <hr> Company Acceptable Use Policy </td> </tr> <tr> <td class='policyData'> This is an optional acceptable use disclaimer that appears on every page. You may change the wording or remove this section entirely in index.html. 
</td> </tr> </table> <!--/Policy--> <!--Foot--> <table class='footTable'> <tr> <td class='helpDeskData' background='/mwg-internal/de5fs23hu73ds/files/default/img/bg_navbar.jpg'> For assistance, please contact your system administrator. </td> </tr> <tr> <td class='footData'> generated <span id="time">2020-09-24 16:21:46</span> by McAfee Web Gateway <br /> python-requests/2.21.0 </td> </tr> </table> <!--/Foot--> </td> </tr> </table> </body> <!--/Body--> </html>

 

This is just the page generated (but not rendered) by the McAfee Web Gateway, and it causes the application to be unable to read the "splunk_ta_o365_settings.conf" file.

It seems that the URL causing the web gateway error is:

https://127.0.0.1:8089/servicesNS/nobody/splunk_ta_o365/configs/conf-splunk_ta_o365_settings/proxy?output_mode=json&count=0

But if I type the URL in the search bar of my browser I get the requested JSON without any problem.

Both SH and HF are under the same Web Gateway proxy configuration/policy.

Any idea about this? Did anyone experience the same issue? 

Thanks in advance

0 Karma

garias_splunk
Splunk Employee

I know this is quite an old post but I have seen this error today.

It is a proxy issue. In order to investigate this, you need to run the same request from the command line within the Splunk instance that is having the problem.

In the case I had, the add-on was installed on the HF so we ran this from its command line:

[root@server123 splunk]# curl -k -u splunk_msuser:myPasswordHere "https://127.0.0.1:8089/servicesNS/nobody/splunk_ta_o365/configs/conf-splunk_ta_o365_settings/proxy?output_mode=json&count=0"

The response was the same DOCTYPE content, showing it is not an app problem but a proxy issue.

That curl command is basically calling the configs/conf-{file} from the REST API:

https://docs.splunk.com/Documentation/SplunkCloud/latest/RESTREF/RESTconf

If that command fails, it means there is a restriction in the environment preventing that request from being processed.

That curl command can be passed to the network team for investigation.

0 Karma
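
The check described in the answer above, worked offline as an added example (not part of the original posts or the add-on's code): it decides whether a process environment would send the 127.0.0.1:8089 request to a proxy, and whether a response body is an HTML page instead of splunkd's JSON. The sample bodies, the proxy URL and all function names are constructed for illustration, and the no_proxy matching is simplified.

```python
import json

# Constructed sample inputs (not captured from a real system).
GATEWAY_BODY = ('<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">'
                '<html><head><title>McAfee Web Gateway - Notification</title></head>'
                '<body>The proxy could not connect to the destination in time.</body></html>')
SPLUNKD_BODY = '{"entry": [{"name": "proxy", "content": {}}]}'
PROXY_ENV = {"HTTPS_PROXY": "http://proxy.example.internal:9090"}  # hypothetical proxy


def loopback_goes_to_proxy(env, host="127.0.0.1"):
    """True if env sets an HTTPS proxy and its no_proxy list does not exempt host.

    Simplified: exact-match and "*" entries only; real clients match more forms.
    """
    proxy = env.get("https_proxy") or env.get("HTTPS_PROXY")
    if not proxy:
        return False
    raw = env.get("no_proxy") or env.get("NO_PROXY") or ""
    exempt = {item.strip().lower() for item in raw.split(",") if item.strip()}
    return not ("*" in exempt or host.lower() in exempt)


def classify_body(body):
    """Label a response body: 'json', 'html_page' or 'unknown'."""
    text = body.lstrip()
    try:
        if isinstance(json.loads(text), dict):
            return "json"
    except ValueError:
        pass
    if text.lower().startswith(("<!doctype html", "<html")):
        return "html_page"
    return "unknown"


def diagnose(env, body):
    """Combine both checks into one finding for the request to splunkd."""
    kind = classify_body(body)
    if kind == "json":
        return "ok: splunkd answered directly"
    if kind == "html_page" and loopback_goes_to_proxy(env):
        return "proxy: environment routes loopback requests through the proxy"
    if kind == "html_page":
        return "intercepted: HTML returned, but no proxy set in this environment"
    return "unknown: response is neither JSON nor an HTML page"


if __name__ == "__main__":
    print(diagnose(PROXY_ENV, GATEWAY_BODY))
    print(diagnose(dict(PROXY_ENV, NO_PROXY="localhost,127.0.0.1"), SPLUNKD_BODY))
```

The environment check only looks at proxy variables passed in as a dictionary; proxy settings configured elsewhere on the host are outside its scope.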

lpino
Path Finder

Hi @garias_splunk,

thanks for the provided information.
In my environment, we migrated the heavy forwarder from Windows server to Linux server for business reasons and we don't have this issue anymore.

I don't know if it was related to the OS or the proxy/env configuration, but now it's working.

Anyway, I will keep in mind your considerations for the future, just in case.

Thank you
