The Real-Time Status of User Agent is Shown as Unknown

Introduction

After deploying a Sourcefire User Agent, you may notice the Real-Time Status remains unknown after following all of the configuration steps. This document provides instruction on how to change the status from Unknown to Available.

Symptom

The Domain Controller's firewall settings prevent the required RPC connections from being established.  The User Agent uses RPC Dynamic Port connections to attach to the Domain Controller and establish real-time monitoring.

Solution

Create an inbound firewall rule on the targeted Domain Controller using the Windows Firewall with Advanced Security console, allowing the necessary connection from the User Agent to take place. An example of settings and steps are shown below:

1.  On the General tab, name the rule and select Allow the Connections.

2.  On the Protocols and Ports tab, select the following items:

• Protocol type: TCP
• Local port: Dynamic RPC
• Remote port: All Ports

3.  On the Scope tab, add the Remote IP address. Click Add to enter the IP address of User Agent host.

4.  On the Advanced tab, select appropriate Profiles.

Save the firewall rule, enable it and restart the Sourcefire User Agent service.  Your real-time connection status should now change from Unknown to Available.