Troubleshooting

A license expiration error message appears when you log on with a valid Customer Licensing Portal (CLP) account.

The possible reason is as follows:

You have created a CLP account with a Cloud App Security trial license. This message appears when you try to log on to the management console but the trial license expires.

Perform either of the following:

• Provide your Cloud App Security trial license for Trend Micro to create a full license and attach your CLP account to the full license.

• Submit a support ticket to Trend Micro to

  • Unbind the CLP account and the provisioned Office 365 tenant account in Cloud App Security.

  • Create a new CLP account with a valid license to do provisioning again.

An error message indicating the invalid logon account appears when you log on to the Cloud App Security management console.

The possible reason is as follows:

You have created multiple CLP accounts under one CLP company ID, and you try to log on to the Cloud App Security management console not using the primary CLP account.

Perform the following:

Use the primary CLP account to log on to the management console.

An error message saying "This CLP or LMP account is already registered by another Office 365 account" appears when you provision Office 365 services.

The possible reason is as follows:

You have created a CLP account with a Cloud App Security trial license and successfully completed provisioning Office 365 services. After that, you created another CLP account with a Cloud App Security full license and want to provision Office 365 services again with this account.

Perform either of the following:

• Deprovision Office 365 services with the old CLP account that you used for provisioning.

• Submit a support ticket to Trend Micro.

Automatic/manual provisioning of SharePoint Online/OneDrive failed when multi-factor authentication (MFA) is enabled on the required account.

If multi-factor authentication (MFA) is enabled on the Office 365 Global Administrator account used for automatic provisioning or on the SharePoint Online Delegate Account created for manual provisioning, the provisioning will fail because Cloud App Security cannot pass the access control on the Office 365 service side.

To complete provisioning, perform either of the following:

• Automatic provisioning: disable MFA on the GA account and enable MFA after the provisioning as necessary.

  This does not apply to manual provisioning because Cloud App Security needs to use the Delegate Account for subsequent proceeding after provisioning.

• Automatic and manual provisioning: use an app password.

  1. Create an app password for the account used for provisioning. This gives Cloud App Security permission to access the Office 365 account. For details, search for how to create a new app password on the Microsoft Support website.

  2. Wherever you're prompted for your password during provisioning, paste the app password in the box.

An error message indicating the failure to synchronize internal domains in scheduled user data synchronization for Gmail.

The possible reason is as follows:

This occurs if your organization started to use the Gmail protection functionality in public preview. During that stage, Cloud App Security was not granted the domain read-only permission during service account provisioning, and thus not able to synchronize the internal domains of your organization.

Perform either of the following:

• De-provision the Gmail service account that you used in public preview, and re-provision a service account for Gmail.

• Go to Advanced Threat Protection > Internal Domains or Administration > Global Settings > Internal Domains to manually add the internal domains of your organization. Repeat this every time there is a new domain created for your organization.

Internal email messages in Exchange Online are improperly handled as spam by the Advanced Spam Protection security filter, ignoring the administrator-configured settings

In an Advanced Threat Protection policy for Exchange Online, the administrator can configure how to handle their internal email messages by the Trend Micro Antispam Engine as follows:

• To have Cloud App Security not scan internal messages, set the security filter to apply only to Incoming messages.

• To have Cloud App Security scan internal messages but not take configured actions if they fall into other spam, set the security filter to apply to All messages and select Pass all the messages sent from internal domains if detected as other spam in the Action section.

However, Cloud App Security does more in the back end, for example, Sender Policy Framework (SPF) setting and email header checks, to identify fake internal emails. Therefore, upon the above settings, if some internal messages of your organization are still handled as other spam, you can check the affected messages for further actions. For more information about how to proceed with this issue, see https://success.trendmicro.com/solution/000253191.

An error message indicating server not found or connection closed appears when you log on to the Cloud App Security management console.

The possible reason is as follows:

To improve customer security, Cloud App Security decides to disable support for Transport Layer Security (TLS) versions 1.0 and 1.1 and enable using TLS 1.2 only. What's more, Cloud App Security removes all weak SSL cipher suites. Therefore, Cloud App Security will not allow customers using TLS 1.0/1.1 or weak SSL cipher suites to access the management console.

Perform either of the following:

• For customers who use Microsoft Internet Explorer 10 or earlier, update your browser to meet the Cloud App Security system requirements.

• For customers who use Microsoft Internet Explorer 11 on the Windows 7 and Windows 8 platforms, use other browsers such as Google Chrome, Mozilla Firefox, and Microsoft Edge to meet the Cloud App Security system requirements.