Bug ID 599392: Edge Client for Windows cannot be installed on PCs without Internet Access.

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP All(all modules)

Known Affected Versions:
11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1

Opened: Jun 15, 2016

Severity: 3-Major

Related Article: K97056438

Symptoms

The following error may occur and the BIG-IP Edge client setup process exits: Error: BIG-IP Edge Client Setup Wizard ended prematurely. Client not installed successfully. Example log entries from the F5 Edge client (logterminal.txt) when the behavior occurs: 2016-06-14,21:09:45:304, 2768,1960,SETUP, 48, \certinfo.cpp, 922, CCertInfo::IsSignerTrusted(), the file is signed by F5 Networks certificate 2016-06-14,21:09:45:304, 2768,1960,SETUP, 48, \urSmartUpdateEx.cpp, 2288, USmartUpdateEx::VerifyCABEx(), NOT silent mode and call WinVerifyTrust directly 2016-06-14,21:09:45:350, 2768,1960,SETUP, 48, \urSmartUpdateEx.cpp, 2328, USmartUpdateEx::VerifyCABEx(), exit, 2148204810 2016-06-14,21:09:45:350, 2768,1960,SETUP, 1, \urSmartUpdateEx.cpp, 658, USmartUpdateEx::RunObjectProc(), EXCEPTION - VerifyCAB() failed, 2148204810 2016-06-14,21:09:45:350, 2768,1960,SETUP, 1, \urSmartUpdateEx.cpp, 721, , EXCEPTION caught 2016-06-14,21:09:45:350, 2768,1960,SETUP, 48, \urSmartUpdateEx.cpp, 723, USmartUpdate::RunObjectProc(), exit, -2146762486

Impact

It is not possible to install Edge Client on Windows PCs without Internet access.

Conditions

The BIG-IP Edge Client requires certificate verification by the Windows installer process in order to validate successfully. The certificate verification must take place over the Internet. The F5 signing certificate issued by "Entrust Root Certificate Authority - G2" is used to sign cabinet files in the Edge Client installer. Certain Windows clients may not have the necessary root certificates. When this occurs the Windows Cryptographic Application Programming Interface (CAPI) function WinVerifyTrust() is unable to build a certificate chain causing a signature verification failure.

Workaround

If there is Internet connectivity, the Windows CAPI downloads the root certificate according to Authority Information Access (AIA) and verifies the chain and signature successfully. The Windows CAPI also adds the root certificate into trusted Root certificate store. Once updated, subsequent WinVerifyTrust() calls succeed with or without internet connectivity. Please refer to the following Microsoft links for more information and resources for this issue: https://support.microsoft.com/en-us/help/2813430/an-update-is-available-that-enables-administrators-to-update-trusted-and-disallowed-ctls-in-disconnected-environments-in-windows The Windows client may need an Entrust Certificate Authority included in this update from Microsoft: http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips