2. FAQ - WAPT Server Issues¶

2.1. WAPT Server behind a reverse proxy¶

Attention

The support of reverse proxy (WAF, etc.) doing TLS interceptions or TLS terminaison is no longer supported. If you have a reverse proxy in front of the WAPT server, it has to be configured as a simple TLS forwarding proxy based on SNI (cf. ngx_stream_core_module on nginx server for example).

First you need to check if the stream module package (libnginx-mod-stream on Debian/Ubuntu, nginx-mod-stream on RedHat and derivatives) is installed on the NginX Reverse Proxy server.
Then you can insert the following content into /etc/nginx/modules-enabled/80-stream.conf of the NginX Reverse Proxy server:

stream {
tcp_nodelay on;

map $ssl_preread_server_name $https_upstream {
  wapt.mydomain.com  192.168.2.5:443;   # 192.168.2.5 is the local IP address of the WAPT server
}

server {
  listen 443;

  resolver 127.0.0.1;

  proxy_pass $https_upstream;
  ssl_preread on;
}
}

Similar configuration is possible using HAProxy TLS Passthrough module but we do not provide support. Please refer to the corresponding documentation for details.

2.2. Resetting the WAPT Linux Server password¶

It sometimes happens to setup a WAPT Server and then forget its password.

To reset the WAPT Console SuperAdmin password you have to relaunch the post-configuration process on the WAPT Server:

Connect to the WAPT Server with SSH.
Connect with user root (or use sudo).
Launch the post-configuration script.

2.3. Problems when enabling enable-check-certificate¶

2.3.1. Message « Certificate CN ### sent by the WAPT Server does not match URL host ### »¶

This means that the CN in the certificate sent by the WAPT Server does not match the value of the wapt_server attribute in the wapt-get.ini file of the WAPT Agent.

There are 2 solutions:

Check the value of wapt_server in the wapt-get.ini file of the WAPT Agent.

If the value is correct, this surely means that an error has happened during the generation of the self-signed certificate during the WAPT Server post-configuration (typing error, …).

You MUST then regenerate your self-signed certificates.

On the WAPT Server, delete the content of the /opt/wapt/waptserver/apache/ssl/ folder.

Then, relaunch the post-configuration script (the same as the one used during initial installation, with the same arguments and values).

Then, be sure that the value of FQDN for the WAPT Server is correct.

You may now retry enable-check-certificate.

2.4. What can go wrong during the upgrades of WAPTserver ?¶

The most common issue with the upgrading process is the local antivirus blocking the installation (WAPT is a software installer that keeps a websocket opened to a central management server, so this behavior may be flagged as suspicious by an antivirus, even though this method is the basis of end point management…). If you have an issue when deploying the upgrade, please check your antivirus console and whitelist the waptagent.exe. Another option is to re-sign the waptagent.exe binary if your organization has an internal code signing certificate.
The second most common issue is that for some reason another program is locking a DLL that ships with WAPT. This can happen with poorly designed software installers that pick up the local %PATH% variable first and then find WAPTs own openssl or python DLL.
The third most common issue is a defective Windows install, that does not run scheduled tasks properly, and yes we have seen this!