Windows Roaming Client Troubleshooting

Article author
Josh Lamb

This guide is for troubleshooting any issues associated with the Roaming Client.

This guide assumes that the Tray Icon has been enabled at install time, which is contextually important for troubleshooting the Roaming Client.

If you are in the testing phase of deploying the Roaming Client, it’s recommended to keep the Tray Icon enabled until initial issues which prevent wider deployment are resolved.

If you are beyond the testing phase of deploying the Roaming Client and do not have the Tray Icon enabled, all troubleshooting steps will need to be followed.

Conflicting Software

The first thing to check when diagnosing problems with the Roaming Client is software conflicts. Some software applications have a known conflict with the Roaming Client, and their settings will need to be adjusted or turned off to ensure smooth operation.

Browsers, VPNs, and Security Software

Our Software Conflicts article has a list of software that we have identified will need to be adjusted for DNSFilter to work properly on your network and on Roaming Clients. Check this article to see if any of the applications listed are being used in your environment.

Hyper-V 

While the Hyper-V hypervisor itself or its virtual machines do not conflict with the Roaming Client, we have seen issues with some services that the Hyper-V system uses. The chief culprit is the "Internet Connection Sharing" (ICS) service, which automatically runs a DNS server on 0.0.0.0:53 (all interfaces) and so prevents the Roaming Client system service from being able to start.

The error logs for your agent will show an error about being unable to bind to port 53.

If the Roaming Client service (DNS Agent/DNSFilter Agent) starts BEFORE the ICS service, the ICS service can start with no issues, so as a workaround there are two approaches:

1. You can stop the "Host Network Service" (HNS) service (required before you can stop the ICS service) and then stop the "Internet Connection Sharing" service, then start the Roaming Client service, and then restart the "Host Network Service" service (which will automatically restart the ICS service as well).

2. If you set the HNS and ICS services to "Delayed Start" as a startup type, this may give the RC service enough time to start before them on a reboot, so that you do not have to stop and start services manually to get the RC to run.
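Both approaches as a script, for an elevated PowerShell session. This is an added example, not DNSFilter's own tooling; it assumes the Windows service names hns (Host Network Service) and SharedAccess (Internet Connection Sharing), and the -SetDelayedStart switch is a hypothetical name.

```powershell
#Requires -RunAsAdministrator
# Added example: free port 53 for the Roaming Client, then restore HNS/ICS.
# Assumed service names: 'hns' = Host Network Service,
# 'SharedAccess' = Internet Connection Sharing.
param([switch]$SetDelayedStart)   # hypothetical switch: also apply approach 2

# "DNSFilter Agent" is the standard service, "DNS Agent" the MSP version.
$agent = Get-Service -Name 'DNSFilter Agent', 'DNS Agent' -ErrorAction SilentlyContinue |
    Select-Object -First 1
if ($null -eq $agent) { throw 'Roaming Client service not found on this machine.' }

$hns = Get-Service -Name 'hns' -ErrorAction SilentlyContinue
$hnsWasRunning = ($null -ne $hns) -and ($hns.Status -eq 'Running')

# Approach 1: HNS has to be stopped before ICS can be stopped.
if ($hnsWasRunning) { Stop-Service -Name 'hns' -Force }   # -Force also stops dependents
$ics = Get-Service -Name 'SharedAccess' -ErrorAction SilentlyContinue
if (($null -ne $ics) -and ($ics.Status -ne 'Stopped')) {
    Stop-Service -Name 'SharedAccess' -Force
}

# With port 53 free, start the agent and wait until it reports Running.
Start-Service -Name $agent.Name
$agent.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))

# Starting HNS again brings ICS back; it can now start without a conflict.
if ($hnsWasRunning) { Start-Service -Name 'hns' }

# Approach 2: delay HNS and ICS at boot so the agent gets to port 53 first.
if ($SetDelayedStart) {
    foreach ($name in 'hns', 'SharedAccess') {
        if (Get-Service -Name $name -ErrorAction SilentlyContinue) {
            & sc.exe config $name start= delayed-auto | Out-Null
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "Could not change the startup type of $name"
            }
        }
    }
}

# Show the end state of all three services.
Get-Service -Name $agent.Name, 'hns', 'SharedAccess' -ErrorAction SilentlyContinue |
    Format-Table Name, Status, StartType -AutoSize
```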

Windows Defender Application Guard

If you are not running any virtual machines, it could be that a Windows Defender feature called Application Guard (which uses Hyper-V) is turned on. This feature uses Hyper-V to open untrusted sites in an isolated container in the Microsoft Edge browser. If you run an environment where Edge is your primary browser, you may want to consider switching to Chrome Enterprise.

If Application Guard is in use, you may see the same behaviour as you do with the Hyper-V example above, and the issue can be resolved in a similar fashion, as the Application Guard service will also use ICS.

Microsoft NCSI

In exceptional situations, after the client is installed, Windows will display a limited network connectivity indicator (a yellow triangle) in the tray menu.


Limited Connectivity

Here are a few possible causes and solutions:

  1. A limitation in NCSI - Microsoft’s Network Connectivity Status Indicator (NCSI) feature. Since the Fall 2017 Creator’s Update of Windows 10, this can be easily remedied by running the below line in an Administrative Command Prompt:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\Windows\NetworkConnectivityStatusIndicator" /v UseGlobalDNS /t REG_DWORD /d 1 /f

  2. NCSI is blocked - Especially true if you have a heavily-restricted policy. Whitelist the domain msftncsi.com in your policy.


Whitelisting msftncsi.com

 

Conflicting Hardware

USB Wi-Fi and HotSpots

Most USB-based Wi-Fi and HotSpot devices enforce their own DNS servers on the network adapter that is created when plugged in. As a result, they will likely not be compatible. Testing is encouraged.

Juniper SRX Firewall

If you are using the Juniper SRX Firewall, DNS Doctoring will need to be disabled, which can only be done in the Command Line Interface. More information is available in Juniper’s documentation.

Roaming Client Malfunction

If you have checked for known software and hardware conflicts and believe that the Roaming Client is malfunctioning, there are a few troubleshooting steps that you can take:

Check Service Status (Started/Stopped)

The tray icon for the Roaming Client should be Blue or Green. If it is Red, this is an indication that the client is not actively filtering DNS queries. There may be a problem with the system service. Verify the status of the service by:

  1. Press ⊞ Win + R to open the Run dialog. Type in services.msc and hit Enter.
  2. Scroll down to the service called DNSFilter Agent or DNS Agent (MSP Version). You may also check this via the command-line using:
SC QUERY "DNSFilter Agent"

or for the MSP version below:

SC QUERY "DNS Agent"

The Agent status should be “started” and “running”. If the Agent is “stopped”, you can restart it from the services menu or by running:

SC START "DNSFilter Agent"

or for the MSP version below:

SC START "DNS Agent"

Check Port Bindings

In addition to checking the service status of the Roaming Client, you will want to check that no other applications are binding to DNS ports on the local machine (127.0.0.X:53).

You can discover this by running the following prompt command:

netstat -ban | findstr :53 

The image below illustrates the ideal output of the command. The first line shows that the local listen address and port (TCP) 127.0.0.2:53 is listening for connections from any address (0.0.0.0:0). The LISTENING message shows that this connection is actively bound by the Roaming Client and listening for traffic. The second line shows the same thing for UDP (although the connection is not active). If there are other connections listening on 127.0.0.X:53, there may be a port binding conflict between that software and the Roaming Client.


Netstat showing proper Roaming Client binding
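The same check as an added PowerShell example (not from the original article): it lists every TCP listener and UDP endpoint on port 53, resolves the owning process and the services hosted in it, and flags anything that is not the Roaming Client. The verdict labels are illustrative, and the agent is identified by the service names used on this page.

```powershell
# Added example: who is bound to port 53, and is it the Roaming Client?
$agentServices = 'DNSFilter Agent', 'DNS Agent'   # service names from this page

# Map PIDs to hosted services so that a generic svchost.exe can be identified.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -ne 0 }

$bindings = @(
    Get-NetTCPConnection -LocalPort 53 -State Listen -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Proto'; e = { 'TCP' } }, LocalAddress, OwningProcess
    Get-NetUDPEndpoint -LocalPort 53 -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Proto'; e = { 'UDP' } }, LocalAddress, OwningProcess
)

$report = foreach ($b in $bindings) {
    $proc   = Get-Process -Id $b.OwningProcess -ErrorAction SilentlyContinue
    $hosted = @($services |
        Where-Object { $_.ProcessId -eq $b.OwningProcess } |
        ForEach-Object { $_.Name })
    $isAgent = @($hosted | Where-Object { $_ -in $agentServices }).Count -gt 0

    $verdict = if ($isAgent) {
        'Roaming Client'
    } elseif ($b.LocalAddress -in '0.0.0.0', '::') {
        'CONFLICT: all-interface bind also covers 127.0.0.X'
    } elseif ($b.LocalAddress -like '127.0.0.*') {
        'CONFLICT: loopback bind'
    } else {
        'Other interface: review'
    }

    [pscustomobject]@{
        Proto    = $b.Proto
        Address  = '{0}:53' -f $b.LocalAddress
        PID      = $b.OwningProcess
        Process  = $proc.ProcessName
        Services = $hosted -join ', '
        Verdict  = $verdict
    }
}

if ($bindings.Count -eq 0) {
    'Nothing is bound to port 53: check that the Roaming Client service is running.'
} else {
    $report | Sort-Object Verdict, Proto | Format-Table -AutoSize
}
```

An all-interface bind (0.0.0.0:53) is the pattern described in the Hyper-V section above for the ICS service.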

 

Check Transparent Proxying

If the service is started, and the Roaming Client ports are properly bound, you should check to see if DNS requests are being proxied on your network or by your ISP. Our Transparent Proxying article goes into detail on this subject.

Roaming Client Not Filtering

When the tray icon is a green or blue color, filtering should be occurring. If domains which should be blocked are not being blocked, there could be software or network settings which interfere with the DNS queries (usually the response, as opposed to the query).

 

VPNs

If using a VPN, try disabling the VPN to see if it’s interfering with the ability to filter DNS requests. You may need to contact support with the brand/version of the VPN to investigate further.

Juniper SRX (DNS Doctoring)

If you are using the Juniper SRX Firewall, DNS Doctoring will need to be disabled, which can only be done in the Command Line Interface. More information is available in Juniper’s documentation.

If neither of these applies, please review the Enable Logging section below.

Enable Logging

Enabling logging and sending the logs to DNSFilter Support is the best way for DNSFilter to diagnose the issue. If a computer with the Roaming Client installed is continually having an issue which can be replicated, please follow these steps:

  1. Open the Wordpad application as an Administrator.
  2. Open the following file in Wordpad: C:\Program Files\DNSFilter Agent\DNSFilter Agent.exe.config -> The file will likely only display as “DNS Agent.exe” - without the appended .config extension -> (If you are an MSP, the folder will be: C:\Program Files\DNS Agent)

    The file is located here "C:\Program Files\DNSFilter Agent\DNSFilter Agent.exe.config" unless you are an MSP which is shown above in step 2.

    Pro Tip: When searching for the Agent config file, you may notice that the DNS Agent or DNSFilter Agent folder is blank. If so, please make sure to change All WordPad documents to All documents to reveal the correct file.

  3. Look for the following block of code in the file: <file value=""/>

     Add your preferred logfile location and name between the double quotes: <file value="C:\DNSLog.txt"/>

  4. Locate the following block of code: <level value="INFO"/>

     Change the log level value to DEBUG: <level value="DEBUG"/>

  5. Save the file.

  6. Open the Services application and locate DNSFilter Agent (MSPs: DNS Agent) and stop/start the service.

Once the problem has been reproduced, such as:

  • No DNS Resolution
  • Failure to resolve local resources
  • No Internet Connectivity
  • Failure to start the System Service

Please send the logs to DNSFilter Support.
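The logging steps above as a script for an elevated PowerShell session. This is an added example, not DNSFilter's own tooling; Set-AgentLogging is a hypothetical helper name, and it assumes the config file contains exactly one <file value="..."/> element and one <level value="..."/> element as shown in the steps.

```powershell
#Requires -RunAsAdministrator
# Added example: switch the agent's log file and log level, then restart it.
function Set-AgentLogging {   # hypothetical helper name
    param(
        # Standard install path from this page; MSP installs use C:\Program Files\DNS Agent
        [string]$ConfigPath  = 'C:\Program Files\DNSFilter Agent\DNSFilter Agent.exe.config',
        [string]$ServiceName = 'DNSFilter Agent',   # MSP version: 'DNS Agent'
        [string]$LogFile     = 'C:\DNSLog.txt',
        [ValidateSet('DEBUG', 'INFO')]
        [string]$Level       = 'DEBUG'
    )

    # Keep one pristine copy of the config; never overwrite it on later runs.
    $backup = "$ConfigPath.bak"
    if (-not (Test-Path -LiteralPath $backup)) {
        Copy-Item -LiteralPath $ConfigPath -Destination $backup
    }

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($ConfigPath)

    # Assumption: a single <file value="..."/> and <level value="..."/> exist.
    $fileNode  = $xml.SelectSingleNode('//file[@value]')
    $levelNode = $xml.SelectSingleNode('//level[@value]')
    if (($null -eq $fileNode) -or ($null -eq $levelNode)) {
        throw "Expected <file> and <level> elements not found in $ConfigPath"
    }

    $fileNode.SetAttribute('value', $LogFile)
    $levelNode.SetAttribute('value', $Level)
    $xml.Save($ConfigPath)

    # The new settings take effect when the service is stopped and started.
    Restart-Service -Name $ServiceName

    [pscustomobject]@{
        Service = $ServiceName
        Status  = (Get-Service -Name $ServiceName).Status
        LogFile = $fileNode.GetAttribute('value')
        Level   = $levelNode.GetAttribute('value')
    }
}

# Turn on DEBUG logging to C:\DNSLog.txt, then reproduce the problem.
Set-AgentLogging
```

After the logs have been collected, `Set-AgentLogging -Level INFO` puts the level back to the INFO value shown in step 4.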
