Troubleshooting Guide Windows Client

1. Where to find the logs for the client

Client has four different log files which are present at following location:

File Name/Location Default Log Level Max Limit Rollover Remarks

(MB)

hysecurefilter.log %SYSTEMROOT%/TEMP/ACCOPS 5 MB 5 files This file

contains
administr
actions a
logs.

hysecuremanager.log %SYSTEMROOT%/TEMP/ACCOPS 5MB 5 files This is th

file of
HySecure
Manager
Service. T
HySecure
Manager
Service
contains
informati
the tasks
perform b
wheneve
requested

uaclog.log %TEMP%/ACCOPS/ 3 5 MB 5 files

eps.log %TEMP%/ACCOPS/ - 5 MB 5 files

2. Log Level Configuration for Uaclog:

The Log level for HySecure Client can be changed from registry settings.
The HySecure client logs i.e. uaclog.log has following different log levels
 • 0 = NON

• 3 = INFO

• 7= DEBUG

Location/Key Value Name Default Value Remark

[HKLM]\Software\Accops\HySecureClient HySecureLogLevel 3 Default value is set

to 3 mean it
generates only info
level
logs(DISCONTINUED
from 5.1.9.9)

[HKCU]\Software\Fortress HySecureLogLevel VALUE NAME You can use this

IS NOT value name to bump
PRESENT up the log level of
client if either user
does not have
permission to
change HKLM
settings.

3. Can I change the Log location?

NO

4. Anti-Virus deletes HySecure client after download?

The anti-virus software on end user machine may block download and installation of the
HySecure client. Please add the Accops installer in antivirus exception list. Also add following
files and directory in exception list:

c:\Program Files (x86)\Accops HySecure Client

c:\Program Files (x86)\Accops HySecure Client\vFVPNClientExe.exe

c:\Program Files (x86)\Accops HySecure Client\pvpnadmmgr.exe

c:\Program Files (x86)\Accops HySecure Client\progateviewer.exe

5. User is not able to access the web application after login
into HySecure. How to troubleshoot?
Please follow these steps: 1. See that the application is not using IPv6 address. Accops
HySecure client does not support IPv6 at this time. The application may use IPv6 sockets
even if the target application server is only using IPv4 address. An example of such
application is Java based applications. To solve such application, disable IPv6 completely
from network applications. In case the application is a Java based application, refer to
another troubleshooting item in this document.

1. Check if there is a proxy set in Internet explorer. Make sure the domain name of the URL
is added in bypass proxy list in Internet explorer. If not add the domain name in bypass
proxy list and report this issue to Accops support ([email protected]).

2. Make sure the hostname accessed by the application is published in HySecure as an

application. Some web applications may start with one URL, say
http://intranet.company.com, but then may redirect to http://int2.company.com. In such
case, both internet.company.com and int2.company.com must have been published as
two applications on HySecure. Otherwise, HySecure client can not resolve
int2.company.com and will bypass this URL.

3. If DNS mode application used please confirm the name of domain and
DNS_REDIRECT_LIST matches for redirection if it does not then please add an entry in the
DNS_REDIRECT_LIST for the domain name.

4. Please check if the user is using 64bit version of the browser. Name resolution is not
supported for 64bit applications till HySecure client version 5.0.4.0. If yes, follow one of
these solutions:

a. Set the option “Use hosts file for name resolution” in the client preferences on user
machine. This machine is specific to this machine and does not roam with the user.

b. Upgrade client to latest version which has support for name resolution for 64bit
applications

c. Ask user to use 32bit application.

d. Ask user to use the application using IP Address and not using hostname

6. Java based web application does not work through

HySecure?
The latest version of Java based applications are IPv6 enabled by default. Accops HySecure
does not support IPv6 enabled client applications. Java may use IPv6 sockets even if the
target application server is having on IPv4 network address. To force use of IPv4 socket by
Java based application, follow these steps:

1. On end user machine, Go to control panel

2. Open Java control panel icon

3. Go to Java tab

4. And in options append this line: -Djava.net.preferIPv4Stack=true

5. In Windows system settings, create environment variable for system as well as user as

_JAVA_OPTIONS="-Djava.net.preferIPv4Stack=true"

Contact Accops support if your Java based application still does not work.

7. What to do when Remote Meeting does not start on end

user machine?
On some user machine, remote meeting may fail to start. It is mainly because of Anti-virus.
AV sometimes block remote meeting executable (%PROGRAMFILES_x86%\ Accops HySecure
Client \progateviewer.exe). Please add this progate viewer exe on exception list.

8. Message: “Your session has expired”. What does this

message means?
At time of application access sometimes HySecure session expired message will pop up.
This is because on HySecure server user session has been expired. It may be due to idle time
out setting or may be administrator force log out user session from gateway.

9. Error: “Failed to connect to HySecure gateway”. How to

troubleshoot this error?
When user tries to login into HySecure gateway, the user may receive error “Failed to connect
to HySecure gateway”. The reasons are: 1. The user does not have network connectivity. Ask
the user to check Internet connectivity. 2. The anti-virus on user machine might be blocking
access to HySecure gateway. Ask the user to browser https://hysecurehostname in browser
and check if user can access the web page. If the user can access the web page, that means
the local anti-virus is blocking the HySecure client. In this case, add the HySecure client in
exception list. The HySecure directories and files details are provided in this document to be
added to exception list. 3. The proxy set in user’s Internet explorer is blocking access to
HySecure gateway: If there is a proxy set in Internet explorer, disable it and then restart
HySecure client. Test the access. If it works with proxy disabled, then contact the proxy
administrator. 4. In some scenarios, outgoing port 443 might be blocked for the end user. In
this case, contact the local firewall administrator to allow port 443 (HTTPS) traffic access to
HySecure gateway. 5. Check the Proxy Settings on the Users PC.

10. Which error messages indicates access problem in

Accops HySecure gateway:
If user gets following error, please report the same to HySecure administrator:

• “login fail due to network connection”

• “incorrect XML data format”

11. Error: “HySecure license has expired.” Why license expiry

message is showing at the time of login?
If HySecure gateway license is expired, then HySecure client will pop up message like license
is expired and user will not be able to login. If users are getting this message, please contact
HySecure administrator.

12. Error: “HySecure license is full”. Why license full message

is showing at the time of login?
If HySecure gateway license is full, then HySecure client will pop up message like license is
full and user will not be able to login. If users are getting this message, please contact
HySecure administrator.

13. Error: “You are not authorized to login from this device” or
“Your device is waiting for approval, contact your
administrator”. What to do in this case?
These messages mean the HySecure gateway is enabled with device fingerprint checks and
manual approval of the device registration is enabled. When user logs in first time in
HySecure, the device gets registered with HySecure gateway and is set for approval by the
HySecure admin before the user can start accessing services via HySecure. If the admin has
set automatic approval, the device will get automatically approved. In case automatic
approval is not set, the HySecure admin will have to review the device registration and
approve the device. Contact HySecure admin for more information.

14. Error: “You do not have access to any application, please

choose correct organization”
If the user does not have access to any application in HySecure, user may receive such
message. Ask HySecure administrator to check if the user or user’s group is assigned any
applications. This error can also come if there are multiple organizations (realms) created in
HySecure and user is trying to login into invalid organization, in which the user does not have
access to any application.

15. Error: “Failed to start filtering modules” during login, what

should I do?
When user logs into HySecure client for first time, the user may receive error: Reported Error:
"Failed to start HySecure filtering modules. If you have recently upgraded to HySecure client,
please try after rebooting the machine." Steps to troubleshoot based on user machine:

1. Windows 7 32bit
Please install following Microsoft update patch:
<https://www.microsoft.com/en-in/download/details.aspx?id=46078>

2. Windows 7 64 bit
<https://www.microsoft.com/en-in/download/details.aspx?id=46148>

3. All Other OS
Start the client with local administrative rights one time and then login
with the user credentials

4. Windows 10 OS with Secure boot enabled or any other operating system

Enable LSP module from client preference settings and then login again.

16. How to get HySecure Clients Logs on User machine?
HySecure UAC log will create User's "Temp\Accops" directory.

Path : C:\Users\User1\AppData\Local\Temp\Accops.

17. What is purpose and how to reset network adapter socket

using winsock?
Sometime due to Ethernet/network card socket issues, not able to connect to HySecure
Server.

Use below command for reset socket and able to connect to HySecure Server.

Open "cmd" and run "netsh winsock reset" command.

18. How to set HySecure Client launch default browser which

is set on user machine?
In HySecure client click on menu options, Click on Options->Web Application Setting. Select
“use default browser to open web application” check box. If this option is unchecked, then
web application will open in IE browser.

19. How to resolve Antivirus not detecting for EPS policy,

hence user not able to login in HySecure Client even antivirus
is installed?
Open "Windows Powershell" and run below commands:

a. "Get-WmiObject -Namespace Root\SecurityCenter2 -Class AntivirusProduct"

b. " Get-WmiObject -Namespace Root\SecurityCenter2 -Class AntiSpywareProduct"

these commands will fetch and show Installed Antivirus list which is detected by
HySecure Client.

It will detect following points regards installed Antivirus.

a. Product name

b. Version

c. Antivirus is enabled or not

 d. Last Updated Date

20. How to enable debug log for HySecure Full Client (Admin
Client)?
Debug log for HySecure Full (Admin) Client will be enable from Local machine Registry
Settings:

Open "Run"-->"regedit" press enter.

Go to "HKEY_LOCAL_MACHINE\SOFTWARE\Accops\Hysecure Client"

Modify "HySecureLogLevel" and set Value data as "7".

21. How to enable debug log for HySecure On-Demand (Non-

Admin) Client?
Debug log for On-Demand (Non-admin) Client will be enable from Local User Registry
Settings:

Open "Run"-->"regedit" press enter.

Go to "HKEY_CURRENT_USER\SOFTWARE\Fortress"
 Modify "HySecureLogLevel" and set value as "7"

22. How to run HySecure Windows Client in Service mode?

HySecure Admin must enable some options from Client Interface Setting on HySecure Server.
- Login into HySecure Server using Security Officer User. - Go to "Host Configuration"-->"Client
Setting". - Here must disable some option from Client Interface Setting as below

And some option must be enable from Client Interface Setting as below:
 Specify password to stop HySecure Client in Service mode from HySecure Client
Interface Settings:

HySecure administrator can specify the service stop/exit password. So that end user
cannot stop/exit from HySecure Client until knows the exit password.

If service exit password is specified then administrator can stop the HySecure Client
service by entering exit password.

23. How to reset HySecure Client service permission, if

HySecure Client is running in service mode and without set
exit password?
If you have enabled the client in service mode without setting exit password. Then logically
you are struck. You cannot stop the HySecure service without reset service permission: Use
below command to reset service permission:

Open command prompt as admin. If your system is 64-bit then cd to syswow64 and run
below command:

PsExec.exe /s cmd /C sc sdset "hysecure service" D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)

(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)
 (A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPLOCRRC;;;LS)(A;;CCSWWPLORC;;;LS)
(A;;CCDCLCSWRPWPDTLOCRSDRC;;;BU)

Above command will reset the HySecure service permission and now you can stop the
service from Task Manager and login with SO user and add exit password from HySecure
Management Console.

24. How to Bypass Clipboard (Copy-Paste) access for

particular users, if Clipboard Block Policy is Enable on
HySecure Server?
If Clipboard Block Policy is enabling from Network Profile Detection on HySecure Server,
then any user should not able to use clipboard (Copy-Paste) after login into HySecure
Client.

If admin want to bypass some users from Clipboard Policy, hence specified users should
able to use clipboard access.

HySecure Administrator can Bypass Users from Block Clipboard Policy using below
steps:

Take SSH of HySecure Server.

Run below command #vi /home/fes/public/verinfo.js

Then Specify the user list in SECUREDESKTOPBYPASSUSERLIST= tag and save the veeinfo.js
file.

Then specified users should able to use clipboard.

25 . Error “Its seems the essential services to run this

application are not still ready”?
HySecure Client uses WMI (Windows Management Instrumentation) Windows Service for
Capturing Device Details.

WMI Service must be Enable and Running on Windows Machine from where user login
into HySecure Client.

If WMI service is Stopped/Disabled on Windows Machine then User should get the above
error while login into HySecure Windows Client.
26. How to set a browser as default browser for web
application from backend, SO web application will launch only
in specified browser instead of machine's default browser?
There are two tags in verinfo.js file, based on that HySecure Administrator can set default
browser for Web Application.

1. If ISSECURECHROMEONLYCLIENT=true then Web application should launch only in Chrome

browser even if any other browser (Internet Explorere,Microsoft Edge and Mozilla Firefox)
is set as default browser on user machine.

2. HySecure Administrator can set particular browser (Internet Explorer,Microsoft

Edge,Chrome and Firefox) as default browser from back end , Hence Web application
should launch only in specified browser, instead of default browser which is set on user

machine. Example.
ISSECURECHROMEONLYCLIENT=true
ALLOWED_BROWSER=iexplore.exe

Then Web application will launch only in Internet Explorere browser even if chrome browser is
set as default browser on user machine.
27. How to allow Internet access for process if Internet is
blocked?
HySecure Administrator can allow Internet access to single or multiple process
(Teamviewer.exe, AA_v3.exe and AnyDesk.exe etc..) , If Internet Block policy is enable .

Login into HySecure Client using Security Office.

Go to Host Configuration -> Client Settings ->Advance Settings.

Specify comma separated process name(case-insensitive format) in “Specify comma

separated list of process to allow internet if internet is blocked. (like TeamViewer.exe,
AA_v3.exe)” section.

28. How to block Printing from HySecure Management

Console?
There are Two different options for block Printing.

a. Block Printing for Office Profile.

b. Block Printing for Roaming Profile.

HySecure Server Admin (Security officer) can disable Printing for both Profile from below
steps:

Login into HySecure Server Management Console using HySecure Admin User (Security
Officer).

Go to “Host Configuration -> Client Settings -> Profiles Setting.

If admin selected “Block Printing” from Office Profile then Printing get block for VPN
users who are login from Office (Intranet) network.
 If admin selected “Block Printing” from Roaming Profile then Printing get block for VPN
users who are login from external (Internet) network.

29. How to block Clipboard (Copy-paste) from HySecure

Management Console?
There are Two options for block Clipboard. 1- Block Clipboard for Office Profile. 2- Block
Clipboard for Roaming Profile.

HySecure Server Admin (Security officer) can disable Clipboard for both Profile from
below steps:

Login into HySecure Server Management Console using HySecure Admin User (Security
Officer).

Go to “Host Configuration -> Client Settings -> Profiles Setting.

If admin selected “Block Clipboard” from Office Profile then Clipboard get block for VPN
users who are login from Office (Intranet) network.

If admin selected “Block Clipboard” from Roaming Profile then Clipboard get block for
VPN users who are login from external (Internet) network.
30. How to block USB Connection from HySecure
Management Console?
There are Two options for USB blocking 1- Block USB for Office Profile. 2- Block USB for
Roaming Profile

HySecure Server Admin (Security officer) can block USB Connection for both Profile from
below
Steps:

Login into HySecure Server Management Console using HySecure Admin User (Security
Officer).

Go to “Host Configuration -> Client Settings -> Profiles Setting.

If admin selected “Block USB” from Office Profile then USB get block for VPN users who
are login
from Office (Intranet) network.

If admin selected “Block USB” from Roaming Profile then Clipboard get block for VPN
users who are login from external (Internet) network.

31. How to Enable only SO(Security Officer) User Can Give

Remote Meeting Support (Join Remote Meeting)?
Prerequisite: - Application ACL must be created for Security officer Users/Group. - It is
required “REMOTESUPPORT_ONLYSO” tag must be added or true in HySecure
Server“verinfo.js”. - HySecure Admin (Security Officer) user need to take SSH of HySecure
Server. - Go to /home/fes/public directory. - Open “Verinfo.js” file and Add/Set
REMOTESUPPORT_ONLYSO=True . - Then Only Security officer can Give Support using Remote
Meeting.

32. How to enable Particular AD/Native user can Give Support

using Remote Meeting (Join Remote Session)?
The REMOTESUPPORT_ONLYSO and REMOTESUPPORTADMINUSERLIST Tag must be added to
the “verinfo.js” file.

REMOTESUPPORT_ONLYSO tag must be true/false.

HySecure Admin can specify particular AD/Native user id comma separated list in
REMOTESUPPORTADMINUSERLIST tag.

HySecure Admin (Security Officer) user need to take SSH of HySecure Server.

Go to /home/fes/public directory.

Open “Verinfo.js” file and Add/Set “REMOTESUPPORT_ONLYSO=true” and specify the

user id list in “REMOTESUPPORTADMINUSERLIST=user id list” and save the verinfo.js file.

Example: REMOTESUPPORT_ONLYSO=true/false
REMOTESUPPORTADMINUSERLIST=user1,ajay,Rahul,21650

Then only specified user list can Give Remote Meeting Support(Join Remote Meeting).

If “REMOTESUPPORT_ONLYSO=true” then both SO and specified user list can Give

Remote Support Using Remote Meeting .
34. How to troubleshoot if Clipboard, Printing and USB is
disable from HySecure Server still user able to use clipboard,
Printing and USB from HySecure Client?
HySecure Admin can disable clipboard for two different Profiles.

1. Office Profile.
2. Roaming Profile.

1. If disable clipboard, Printing and USB for “Office Profile” then need to verify below steps:
1.1. Firstly verify from HySecure Server that “Enable Network Profile Detection” option
must be enable. 1.2. “Network Profile Detection Interval(In Second)” must be set as “120”.
1.3. Verify OFFICECLIPBOARDBLOCK , OFFICEPTINTBLOCK and OFFICEUSBBLOK tag must be
true .

2. If true from HySecure Server then have to verify uaclog.log file from user local machine.

Go to Local machine and Press “Windows+R” then Run prompt will appear on screen.

Enter “%temp%\accops” in Run Prompt and press Enter Key.

then open “uaclog” file .

 Verify from uaclog file that “Office clipboard Block”,”Office Print Block” and “Office
USB Block”
tags must be true only.

35. How to get Captured Device Details logs on User Machine?

HySecure Client’s captured Device Details log file will create in User Profile “Temp” folder
location.

Example: C:\Users\admin\AppData\Local\Temp\Accops\epslib

36. Error “Invalid User Credentials “while login into HySecure

Client?
If Device ID ACL Policy is enable on HySecure Server and If HySecure client didn’t capture
device details
while login into HySecure Client or any device parameter got blank then HySecure Client
will pop-up
error as “Invalid Credentials “, even if user entering correct Username and Password.

Using “cpuld.vbs” script user can verify device parameters details if any device parameter
getting blank
data Or any parameter getting garbage data then user should get above error.
*Resolution:* - Issue has been fixed in Latest GA Release HySecure Client-5.1.6.5. - Upgrade
Older HySecure Client with latest release 5.1.6.5.

37. How to Capture and check LSP logs from User machine?
Using “DbgView” application user can capture and check LSP logs on User machine.

Run “DbgView” application.

Go to “Capture and Enable “Capture Win32 and Capture Global Win32” Option .
Then set Filter as “[LSP]” in Filter Option as below.

Then Enable “Use LSP Mode” from HySecure Client “Preference” settings and login into
HySecure Client.
Then after login into HySecure Client all LSP network traffic should appear in “DbgView”
application.
38. How to Capture and check NSP logs from User machine?
Using “DbgView” application user can capture and check LSP logs on User machine.

Run “DbgView” application.

Go to “Capture and Enable “Capture Win32,Capture Global Win32 “ Option from Capture
Option.

Then Set Filter as “[NSP]” in filter option.

 Then Enable “Use NSP for Name resolution” from HySecure Client “Preference” settings
and login into HySecure Client.

39. How to capture the Driver logs?

Using “DbgView” application user can capture and check LSP logs on User machine.

Run “DbgView” with administrator privileges.

Go to “Capture and Enable “Capture Kernel,Capture Verbose kernel output“ Option from
Capture Option
40. How can I identify the reason for login failure?
Please check the Response code in the log file against the login request. Login Response
Error code:

0 = Invalid credentials
1 = Success
2 = License is reused. Or License failed on the gateway
5 = 2nd factor authentication is required.
7= EPS policy failed for the user.
-5= Account is disabled
-6 = Password is expired
-7 = No Such User exists
-8 = Authorization failure.
-9 = No Application assigned to the user.

41. How to detect NSP mode is enabled or not

Please check the Menu Options->Preferences and under the Name resolution method NSP
mode is selected after login.

Also You can check logs for following entry

[TID-24532] : [ Date:02-07-2020 Time:14:57:12 ] : Using the Name resolution

method : [2], (1==NSP,2==DNSServer, 3==HostFile)