KB Article | Forcepoint Support

Problem Description

When running the installer and reaching the Policy Server configuration step, the following error appears:
"Could not connect to Policy server code: 1460"

Resolution

Many installation errors are due to communication issues between components:
  1. Check for any anti-virus components such as McAfee, TrendMicro, and/or Microsoft Data Execution Prevention (DEP) that would prevent registry updates or edits that occur during install or upgrade.
    • For DEP:
      1. In Control Panel, click System.
         Note: Alternatively, press Start+Pause.
      2. Click Advanced system settings, click Performance Settings, and then click Data Execution Prevention.
      3. Select Turn on DEP for essential Windows programs and services only.
      4. Click OK twice.
      5. Restart the server.
  2. Verify that you have network connectivity to the Policy Broker and Policy Server ports using telnet. Also check ports 40000 (Wiffle Port), 55825 (Used for Policy Server Communication Installation), and 55806 (Policy Server Port). If you are unsure how to verify port connectivity, contact your Network Administrator for assistance.
     Additional ports:
       • Policy Broker port: 55880
       • Policy Database Ports: 6432, 7432
  3. If NAT is used in the environment, check that the correct IPs and ports are being used and that they are open on the firewall.
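
A scripted alternative to the telnet check in step 2, as an added example (not Forcepoint code): it probes each port listed above and separates a timeout, which usually points at a firewall or NAT rule dropping traffic, from a refused connection, which usually means nothing is listening on that host. The function names and the target address are assumptions; which component listens on which host depends on your deployment.

```powershell
# Added example. Port numbers and labels are the ones listed in this article.
$ForcepointPorts = @(
    @{ Port = 40000; Name = 'Wiffle Port' }
    @{ Port = 55825; Name = 'Policy Server Communication Installation' }
    @{ Port = 55806; Name = 'Policy Server Port' }
    @{ Port = 55880; Name = 'Policy Broker port' }
    @{ Port = 6432;  Name = 'Policy Database' }
    @{ Port = 7432;  Name = 'Policy Database' }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No answer at all within the timeout: packets are probably being dropped.
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return 'Timeout' }
        $client.EndConnect($pending)   # throws if the connection was refused
        return 'Open'
    } catch {
        return 'Refused or unreachable'
    } finally {
        $client.Close()
    }
}

function Test-ForcepointPorts {
    param([Parameter(Mandatory)][string]$ComputerName)
    foreach ($entry in $ForcepointPorts) {
        [pscustomobject]@{
            Host   = $ComputerName
            Port   = $entry.Port
            Name   = $entry.Name
            Result = Test-TcpPort -ComputerName $ComputerName -Port $entry.Port
        }
    }
}

# 192.0.2.10 is a placeholder address; replace it with the host you are checking.
Test-ForcepointPorts -ComputerName '192.0.2.10' | Format-Table -AutoSize
```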

If you receive "Could not start Policy Server: code 1460" and have determined that there are no communication issues with Policy Broker, check the following with your Network Administrator:

1.  The IP of the Broker was changed after it was installed.
2.  The Broker has multiple NICs, and the IP you are entering for the Broker when installing Policy Server is for the wrong NIC.
3.  There is a NAT translation between the Broker and Policy Server.

Note: The Token in config.xml contains password and IP information. You can search for the token in config.xml, which is located in the \websense\web security\bin directory.

Example:
 
<container name="BrokerService">
     <container name="Config">
          <data name="Country">US</data>
          <data name="Host">x.x.x.x</data>
          <data name="Language">en</data>
          <data name="Port">55880</data>
          <data name="RetryTime">10</data>
          <data name="Service">F1D8B0F7D4893A8974A2BC896ECA939097611D5B530EF639</data>
          <data name="Token">939A84C........1AD452DE2B7798A71CF17E</data>
          <data name="WaitTime">180</data>
     </container>
</container>

The best solution is to reinstall the Policy Broker service after any IP change. This is because the Policy Servers and Filtering Service-only machines in the network depend on the IP of the Policy Broker. Once Policy Broker is reinstalled, its IP can be updated on any additional Policy Servers and/or Filtering Service servers in the environment.

Important: In the case of an IP change on an appliance, a reimage is required. For instructions, review How to restore a V-Series appliance to a factory image.
Important: In some cases for Windows, all of the Forcepoint Web services on a Windows server may need to be reinstalled. This will be necessary if reinstalling Policy Broker alone and re-associating does not resolve the issue.

If Policy Broker is on a Windows server or Appliance, make a backup of your policies before making changes. Follow the steps in Backup and restore the Policy Database.

Reinstalling Policy Broker on a Windows server:
  1. Open the Forcepoint Setup for your version. If one is not on the server, download a new copy from our Support Downloads.
  2. Click Remove next to Web Security.
  3. Select Policy Broker.
  4. Click Next through the prompts, then Finished when complete.
  5. Restart the Windows server.
  6. Open the Forcepoint Setup file.
  7. Click Modify next to Web Security.
  8. Select Policy Broker.
  9. Click Next through the prompts, then Finished when complete.
Re-Associate Policy Servers to new Policy Broker

Windows server:
  1. On the machine where the new Policy Broker is installed, go to Websense\web security\bin and open config.xml with Notepad or any text editor.
  2. Search for the container named BrokerService and take note of the Token value for the Token data container.
  3. On the Policy Server machines, stop all Websense services. (see Stopping and starting Websense services)
  4. On the Policy Server machines, go to Websense\web security\bin and open config.xml with Notepad or any text editor. 
  5. Search for the container WsBrokerServiceConfig and change the IP address within that container to point to the new Policy Broker.
  6. Search for the container BrokerService and change the values for Host to the IP address of the new Policy Broker and Token to the Token value you noted in step 1.
  7. Restart all Websense services on the affected Policy Servers (see Stopping and starting Websense services).
  8. In Websense Manager, go to Settings > Policy Servers and add the other Policy Servers.
If you have kept a backup of your policies from Backup and restore the Policy Database, use the Restore instructions in that article to bring your policies back.
Otherwise, you will have to manually recreate your policies in Forcepoint Security Manager.
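
To confirm the re-association edits before restarting services, the following added example (not Forcepoint code) compares the BrokerService settings in a Policy Server's config.xml with the Policy Broker's copy and reports only whether the Token matches, since the Token carries password and IP information. The function names, the `<root>` wrapper, the IP addresses and the token values are constructed for illustration; the WsBrokerServiceConfig container is not checked because its layout is not shown in this article.

```powershell
# Added example. Element layout follows the BrokerService sample in this article.
function Get-BrokerSetting {
    param([xml]$Config)
    $node = $Config.SelectSingleNode("//container[@name='BrokerService']/container[@name='Config']")
    if (-not $node) { throw 'BrokerService/Config container not found' }
    $settings = @{}
    foreach ($d in $node.SelectNodes('data')) {
        $settings[$d.GetAttribute('name')] = $d.InnerText.Trim()
    }
    return $settings
}

function Compare-BrokerAssociation {
    param([xml]$BrokerConfig, [xml]$PolicyServerConfig, [string]$BrokerIP)
    $broker = Get-BrokerSetting $BrokerConfig
    $server = Get-BrokerSetting $PolicyServerConfig
    [pscustomobject]@{
        PolicyServerHost  = $server['Host']
        HostMatchesBroker = ($server['Host'] -eq $BrokerIP)
        PortMatches       = ($server['Port'] -eq $broker['Port'])
        # Report equality only; never echo the Token itself to the console or logs.
        TokenMatches      = ($server['Token'] -ceq $broker['Token'])
    }
}

# Constructed sample input: a Policy Server still pointing at the old Broker IP.
$template = @'
<root>
  <container name="BrokerService">
    <container name="Config">
      <data name="Host">{0}</data>
      <data name="Port">55880</data>
      <data name="Token">{1}</data>
    </container>
  </container>
</root>
'@
$brokerXml = $template -f '10.0.0.20', 'CONSTRUCTED-TOKEN-NEW'
$staleXml  = $template -f '10.0.0.10', 'CONSTRUCTED-TOKEN-OLD'

Compare-BrokerAssociation -BrokerConfig $brokerXml -PolicyServerConfig $staleXml -BrokerIP '10.0.0.20'
# For real files, pass (Get-Content -Raw <path to config.xml>) for each parameter.
```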

Version 8.3 to 8.5 Appliance using CLI
This takes approximately 20-30 minutes to complete.
  1. SSH into the appliance C interface IP.
  2. Log in with admin credentials.
  3. Type: config
  4. Enter the admin password again.
  • Change the IP associated with the Policy Broker. If using Filtering Only mode, type: set mode filter --policy-source <IP-Address-of-Policy-Broker>
  • If using User Service & Directory mode, type: set mode user --policy-source <IP-Address-of-Policy-Broker>
Version 7.0 to 8.2 using Appliance Manager
This takes approximately 20-30 minutes to complete.
  1. Appliance Manager > Configuration > Web Components
  2. Change the IP shown to the new Policy Broker IP.
  3. Press OK.
