This article describes an error which can occur with the SecureAuth Transaction Log Service when connectivity is blocked. This error can manifest in three different ways. First when working through a SecureAuth workflow users receive a SOAP error message while trying to complete the post-auth portion. Second if the Test function in System Info is run for Trx Log Service URL the following error message is received "Exception: There was no endpoint listening at http://cloud.secureauth.com/SATransaction/Transaction.svcthat could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. Inner exception: Unable to connect to the remote server. " Finally, in extreme cases, the application pool can fail causing a HTTP 503 Service Unavailable message to users and render the appliance unusable.
This error is caused when connectivity to cloud.gosecureauth.com is blocked by either a Firewall on the customers network or the Windows Firewall with Advanced Security running on the SecureAuth appliance.
HTTP 503 Error
If your SecureAuth appliance is displaying a 503 service unavailable error please ensure that both your corporate firewall(s) and the Windows Advanced Firewall on the appliance are allowing access to cloud.gosecureauth.com (220.127.116.11) on TCP/80. Please note that although this communication is occurring over port 80 (HTTP) it's still secure. The SecureAuth appliance will encrypt the data prior to transmission.
To resolve the error first work with the customers and ensure that outbound connectivity to cloud.gosecureauth.com (18.104.22.168) on TCP/80 is allowed from the SecureAuth appliance. Next it is necessary to ensure that access to cloud.gosecureauth.com is allowed by the Windows Firewall with Advanced Security running on the SecureAuth appliance as well. Appliances provisioned prior to October 2013 may not have a properly configured policy in the firewall.
NOTE - The IP address is automatically updated on the local Windows Advanced firewall by the SecureAuth 7.4.3 or later update package.
Below please find instructions to verify if the proper configuration is present and if not add it to the Windows Firewall.
Click Start, click All Programs, click Administrative Tools, and then click Windows Firewall with Advanced Security.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- Select Outbound Rules in the left column of the Windows FireWall with Advanced Security window.
- Locate the SecureAuth HTTP OUTBOUND policy and double-click it.
- In the SecureAuth HTTP OUTBOUND Properties window navigate to the Scope tab.
- In the Remote IP address section confirm there is an entry of 22.214.171.124. If there is no entry proceed to step 7.
- Click the Add button in the Remote IP Address section.
- In the IP Address window in the field This IP address or subnet enter 126.96.36.199 and click OK.
- In the SecureAuth HTTP OUTBOUND Properties window click OK.
Once you have verified that the proper firewall policies are in place on the customers network and on the appliance you should run the Transaction Service test function in the System Info tab. This will allow you to validate the proper operation of the function after all the network changes have been made.