Differences

This shows you the differences between two versions of the page.

--- support:it_troubleshooting [2021/11/17 20:43] – [IT/Network Troubleshooting] dpatenaude
+++ support:it_troubleshooting [2023/02/16 18:30] (current) – [Common Issues and Resolutions] dpatenaude
@@ Line 1: / Line 1: @@
 ====== IT/Network Troubleshooting ======
-Each customer and hospital IT department can implement their own unique security and firewall policies that can impact .decimal's software. This guide provides some general troubleshooting steps to help IT departments ensure they are not blocking or interfering with .decimal software and the HTTPS requests to .decimal's servers that are required to install, authenticate, and place device orders.
+<WRAP center round info 55%>
+**.decimal System Status**\\
+Prior to beginning the network troubleshooting steps refer to our [[https://status.dotdecimal.com|status page]] to determine if there is a service outage with any of the .decimal backend services.
+</WRAP>
+As the software provided by .decimal requires access to the internet to place orders, the proper functioning of our software can be affected by the local network within which the software is installed. Since each customer facility implements their own unique security, firewall, and networking policies we cannot guarantee support for all configurations. Therefore, this guide was created to provide general troubleshooting steps to help our customers and their IT departments ensure they are not blocking or interfering with .decimal software and the HTTPS requests to .decimal's servers that are required to install, authenticate, and place device orders.
+----
 ===== Traffic Architecture =====
-.decimal's applications communicate via HTTPS to our server resources. The diagram below demonstrates this:
+.decimal's applications communicate via HTTPS to our server resources. The diagram below demonstrates how our HTTPS traffic flows through each piece of infrastructure and identifies common failure points:
-{{:support:decimal_-_it_network_troubleshooting.drawio.png?400|}}
+{{:support:decimal_-_it_network_troubleshooting.drawio.png|}}
+----
 ===== Common Issues and Resolutions =====
-  - **Blocking the required .decimal url/port**:
+  - **Blocking or filtering the required .decimal urls or ports**:
-    - .decimal applications require specific urls(or IPs) and ports to be unblocked in order to authenticate and place orders to .decimal's servers. Refer to the System and Network Requirements document provided by .decimal staff.
+    * .decimal applications require specific urls(or IPs) and ports to be unblocked and unimpeded in order to authenticate and place orders to .decimal's servers. Refer to the System and Network Requirements document provided by .decimal staff. At a minimum the url direct.dotdecimal.com (64.128.252.104) port 443 is always used. You may also refer to the [[support:it_troubleshooting#app_specific_network_requirements|.decimal client app network requirements]] for each application's latest network requirements (please ensure you have the correct application and app version).
-  - **Proxies / Web Security Appliance (WSA)**:
+      * **Note:** If using p.d 5.3 you'll also need to ensure update.dotdecimal.com (65.128.252.105) port 443 is also fully accessible.
-    - Some WSAs will attempt to decrypt and inspect our HTTPS traffic. Some customers have needed to include an exception in this security device as this can impact and cause our encrypted and authenticated HTTPS traffic to encounter errors while in transit between the client software installed at the clinical facility and .decimal's servers.
+  - **Proxies**:
+    * .decimal internet traffic imposes strict client/server verification to ensure secure connections between the software installed at the clinic and our servers. As such, traffic from .decimal applications may encounter issues if a proxy is re-routing .decimal's traffic. Traffic from .decimal's software must be whitelisted to skip any network proxies if errors occur. See the Web Security Appliance (WSA) bullet below for more in depth explanation details and potential error messages due to using a proxy.
+  - **Web Security Appliance (WSA)**:
+    * Some network security hardware (notably Proxies or WSAs) will attempt to decrypt and inspect our HTTPS traffic. Some customers have needed to include an exception in this network security device as this can impact and cause our encrypted and authenticated HTTPS traffic to encounter errors while in transit between the client software installed at the clinical facility and .decimal's servers. Network security hardware can lead to errors such as:
+      * Errors can Include (but are not limited to): ''"Request failed..."'' or ''"SSL handshake failed"'' or ''"SSL connect error"'' or ''"Could not connect to login server"'' or ''401'' errors or ''Error Getting the public key for JWT token''.
+      * Common Required SSL Exemptions include (refer to the [[support:it_troubleshooting#app_specific_network_requirements|App Specific Network Requirements]] for detailed list):
+        * ''dotdecimal.com''
+        * ''auth0.com'' (for users using the [[decimalauncher:decimallauncher|decimal Launcher]])
+    * .decimal software requires verbose SSL client to server verification of the encrypted HTTPS traffic. As such, any WSAs may cause .decimal client software to fail the SSL verification if the HTTPS traffic is intercepted by a WSA. This can lead the client or server software to assume a 'Man in the Middle' attack.
+  - **Users not receiving decimal Direct email invites**:
+    * Refer to the decimal Direct [[direct:userguide#site_management_issues|Site Management Troubleshooting]] guide.
+----
 ===== Troubleshooting Steps =====
+The following steps may help when troubleshooting network security and IT issues for your facility.
+==== 1. Compatibility Checker ====
+Running the compatibility checker will ensure that all required .decimal IP addresses and ports are not being blocked.
+Download the Compatibility Checker by logging in to [[https://direct.dotdecimal.com|decimal Direct]] with your .decimal account credentials.
+<WRAP center round info 80%>
+**Note:**\\ The Compatibility Checker only ensures that the primary .decimal IPs and ports are not being completely blocked or blacklisted. Additional network security devices may impede or be filtering the HTTPS traffic. If .decimal software continues to encounter problems, please ensure other network security appliances and devices are not filtering or impeding .decimal's HTTPS traffic.
+Please refer to [[support:it_troubleshooting#common_issues_and_resolutions|Proxies / Web Security Appliance (WSA)]] for further details.
+</WRAP>
+{{ :support:compatibility_checker.png |}}
+If any of the above tests fail, then a required URL/Port is being blocked. Refer to the System and Network Requirements document provided by .decimal staff. You may also refer to the [[support:it_troubleshooting#app_specific_network_requirements|.decimal client app network requirements]] for each application's latest network requirements (please ensure you have the correct application and app version).
+==== 2. Guest/Unrestricted Network ====
+This option is advised if your network IT has whitelisted and unblocked .decimal's urls and ports (as evidenced by a successful Compatibility Checker run), but you still encounter issues using .decimal's software and communicating to .decimal's servers.
+  - Attempt to download and install the .decimal client software on a device (e.g.: a laptop) not connected to your main cooperate network (e.g.: a guest WiFi network or smart phone hotspot) that has absolutely zero security or firewall blocking, filtering, or packet inspection.
+  - Attempt to login to the .decimal client software
+  - Confirm you are able to download, install, login, and use the .decimal software on an unrestricted device on an unrestricted internet connection. This ensures no security, firewall, or packet inspection security policies are interfering with your HTTPS connection and traffic to .decimal servers.
+    - **Conclusion:** If Step #3 passes, then there is still security policies in place on your main facility network impeding .decimal HTTPS traffic. We recommend disabling each network security device one by one until the .decimal client software operates normally. Then consider allowing an exception only on the offending network security devices impeding .decimal's HTTPS traffic.
-==== Compatibility Checker ====
+----
-Running the compatibility checker will ensure that all required .decimal IP addresses and ports are not being blocked
+===== App Specific Network Requirements =====
+The below table provides the location for the network requirements for each of the .decimal client side applications. Please ensure you have the correct application and app version when looking up the network requirements below.
+^ Application      ^ Version   ^ Network Requirements Document ^
+| decimal Launcher | All       | [[decimalauncher:decimallauncher#network_requirements|decimal Launcher Network Requirements]] |
+| p.d              | 5.2 & 5.3 | Contact .decimal Customer Support (customersupport@dotdecimal.com or 1-800-255-1613) |
+| p.d              | 5.4       | [[pdotd:rn-29#network_requirements|p.d 5.4 Network Requirements]] |
+| decimal3D        | All       | [[decimal3d:userguide:userguide#network_requirements|decimal3D Network Requirements]] |
+| decimal eRT      | All       | [[electronrt:userguide:systemrequirements#network_requirements|decimal eRT Network Requirements]] |