Overview

This article addresses the issue where GFI LanGuard program updates fail with the error "A connection with the server could not be established" on the step to download wsusscn2.cab.

This problem occurs when the server cannot establish a secure connection to required update URLs, often due to missing or misconfigured cipher suites. Ensuring that Internet Explorer is installed and configuring the appropriate cipher suites resolves the issue. Internet Explorer needs to be functional, as LanGuard relies on the WinINet API.

Testing

When you attempt the various solutions below, you can use this PowerShell script to test: WinINet WinHTTP Test 

The script references the https://catalog.s.download.windowsupdate.com/microsoftupdate/v6/wsusscan/wsusscn2.cab endpoint, but it can be modified easily to point to another endpoint.

Both WinINet and WinHTTP should successfully download wsusscn2.cab in order for LanGuard to be able to update. 

Solution

To resolve the issue, follow these steps:

1. Verify Internet Explorer Installation

• GFI LanGuard relies on Internet Explorer on the server (not the agents) for accessing update URLs.
• If Internet Explorer is missing on the LanGuard server, install it via Features on Demand or any other alternative means.

2. Ensure Accessibility to Required URLs

• Confirm that Internet Explorer on the LanGuard server can access the following URLs:
  • https://catalog.s.download.windowsupdate.com/microsoftupdate/v6/wsusscan/wsusscn2.cab (this is if you configured it as per the Updating WSUSSCN2.CAB Download URL in GFI LanGuard article), OR
  • http://go.microsoft.com/fwlink/?LinkID=74689 (by default).
• Allow these URLs through your firewall or proxy if needed.
• If you see a TLS connection error, proceed to step 3, else, skip to step 4.

3. Configure TLS Cipher Suites

• Internet Explorer also requires specific TLS cipher suites for secure communication.
• Use the Local Group Policy Editor (or something like IISCrypto) to configure the required cipher suites:
  1. Open gpedit.msc and navigate to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings > SSL Cipher Suite Order.
  2. Enable the setting and configure the cipher suites in the following order:

     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
     TLS_RSA_WITH_AES_128_CBC_SHA
     TLS_RSA_WITH_AES_256_CBC_SHA
     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
     TLS_RSA_WITH_AES_128_GCM_SHA256
     TLS_RSA_WITH_AES_256_GCM_SHA384
     

  3. Apply the policy and restart the server to ensure the changes take effect.

4. Ensure that Internet Explorer Enhanced Security Configuration is Disabled

• On Windows Server, IE Enhanced Security Configuration can block WinINet or Internet Explorer from accessing the download URL (particularly if using an https link) and therefore prevent's LanGuard from being able to access and download the file. 
• To disable IE Enhanced Security Configuration on the server:
  • Open Server Manager.
  • Click Local Server.
  • Find IE Enhanced Security Configuration and set it to Off.
  • Restart Internet Explorer and attempt opening the wsusscn2.cab file again.
    • If successful, try updating LanGuard once more.

5. Verify Updates

• Once the above configurations are complete, ensure that you can access the URLs listed in step 2, and reattempt the update process in GFI LanGuard.