Fix Mideye External Service Issues — MAS, Switch & Shield

Mideye Server integrates with multiple external services for authentication, magic links, and security features. This guide addresses connectivity and integration issues with these services.

Overview

Mideye Server communicates with several external services:

Service	Purpose	Default Endpoint	Default Port
MAS (Mideye Activation Server)	Magic link authentication	`mas.mideyecloud.se`	443 (HTTPS)
Mideye Switch	SMS OTP and mobile app authentication	`primary.mideye.com` / `secondary.mideye.com`	20460 (TLS)
Mideye Shield	IP reputation and threat detection	Configurable	443 (HTTPS)

Connection issues with these services can cause authentication failures, degraded functionality, or complete service unavailability.

Common Error Messages

Error Message	Likely Cause	Section
”Failed to connect to primary switch”	Switch unreachable or SSL proxy intercepting	Switch Issues
”Failed to connect to secondary switch”	Both switches unreachable	Switch Issues
”Failed to get magic link frontend URL”	MAS connectivity issue	MAS Issues
”Magic link URL not loaded”	MAS unavailable at startup	MAS Issues
”Failed to query IP”	Shield service unreachable	Shield Issues
”Connection timed out”	Firewall or network issue	Proxy Configuration

MAS (Magic Link) Connection Issues

Overview

MAS (Mideye Activation Server) provides magic link functionality for passwordless authentication. Mideye Server queries MAS to get magic link URLs and frontend configuration.

Default MAS URL: https://mas.mideyecloud.se

Silent Failure at Startup

During startup, Mideye Server attempts to load the magic link frontend URL from MAS. If MAS is unreachable at that point, the load fails silently — the service starts normally but magic link functionality will not work.

The server automatically retries loading the URL every 10 minutes. Until a successful load, magic link authentication fails.

Symptoms

Magic link authentication fails with generic error
Users cannot complete magic link flows
Log shows: “Failed to get magic link frontend URL”
Magic links start working after ~10 minutes if MAS becomes available

Diagnostic Steps

Check MAS configuration in the web interface:
- The MAS host is configured in the application settings

Test connectivity to MAS:

Linux:

curl -v https://mas.mideyecloud.se

Windows (PowerShell):

Invoke-WebRequest -Uri "https://mas.mideyecloud.se" -UseBasicParsing

Check logs for MAS connection attempts:
- Navigate to Log Files in the web interface
- Search for “magic” or “frontEndBaseUrl”
- If frontEndBaseUrl shows null, MAS was not loaded successfully
Test DNS resolution:

Linux:
Terminal window
```
nslookup mas.mideyecloud.se
```
Windows:
Terminal window
```
Resolve-DnsName mas.mideyecloud.se
```
Check if proxy is required:

If your organization uses a web proxy for outbound HTTPS traffic, Mideye Server must be configured to use it.

Solution

Option 1: Fix Network Connectivity

Allow outbound HTTPS (port 443) to mas.mideyecloud.se through your firewall

If using a proxy, configure Mideye Server:

Edit the application configuration file:

application:
  proxyHost: proxy.company.com
  proxyPort: 8080
  useProxy: true

Test connectivity through proxy:

Linux:

curl -v --proxy proxy.company.com:8080 https://mas.mideyecloud.se

Windows:

Invoke-WebRequest -Uri "https://mas.mideyecloud.se" -Proxy "http://proxy.company.com:8080"

Restart service to reload MAS URL:

Linux:
Terminal window
```
sudo systemctl restart mideyeserver6
```
Windows:
Terminal window
```
Restart-Service MideyeServer6
```
Verify frontEndBaseUrl was loaded by checking the log files — it should show a URL, not null

Option 2: Wait for Automatic Retry

The service retries every 10 minutes
If MAS was temporarily unavailable, it will recover automatically
Monitor logs for successful load

Mideye Switch Connection Issues

Overview

Mideye Switch handles SMS OTP delivery and mobile app authentication. Mideye Server connects to the Switch over a TLS-encrypted connection on port 20460. The connection uses Mideye’s own CA-signed certificate for server authentication.

Default hosts:

Primary: primary.mideye.com (port 20460)
Secondary: secondary.mideye.com (port 20460)

Failover Behavior

Mideye Server has built-in failover:

Tries primary Switch first
On failure, automatically tries secondary (if configured)
If both fail, authentication fails

Symptoms

SMS OTP not delivered
Mobile app approval requests not sent
“Failed to connect to primary switch” in logs
“Failed to connect to secondary switch” in logs
Authentication fails with switch-related errors

Basic Diagnostic Steps

Check Switch configuration in the web interface:
- Verify the primary and secondary Switch hosts are configured correctly

Test connectivity to Switch (port 20460):

Linux:

nc -zv primary.mideye.com 20460
nc -zv secondary.mideye.com 20460

Windows (PowerShell):

Test-NetConnection -ComputerName primary.mideye.com -Port 20460
Test-NetConnection -ComputerName secondary.mideye.com -Port 20460

Test DNS resolution:

Linux:

nslookup primary.mideye.com
nslookup secondary.mideye.com

Windows:

Resolve-DnsName primary.mideye.com
Resolve-DnsName secondary.mideye.com

Review logs for connection patterns:
- Navigate to Log Files in the web interface
- Search for “switch” to see connection attempts and failures
Check if proxy is interfering:
- Review the application configuration for proxy settings

Solution for Basic Connectivity

Allow outbound TCP port 20460 to primary.mideye.com and secondary.mideye.com through your firewall

Configure proxy if required:

application:
  useProxy: true
  proxyHost: proxy.company.com
  proxyPort: 8080

Verify secondary Switch is configured for failover
Restart service after changes:

Linux:
Terminal window
```
sudo systemctl restart mideyeserver6
```
Windows:
Terminal window
```
Restart-Service MideyeServer6
```

SSL Proxy / MITM Interception

This is one of the most common and difficult-to-diagnose Switch connectivity problems.

Many corporate networks use SSL-inspecting firewalls or proxies (such as Palo Alto, Zscaler, Fortinet, or Blue Coat) that perform man-in-the-middle (MITM) TLS interception. These devices terminate the TLS connection from Mideye Server, inspect the traffic, and re-encrypt it with their own certificate before forwarding to the destination.

Mideye Server rejects these intercepted connections because it validates the Switch’s TLS certificate against Mideye’s own Certificate Authority (CA). When an SSL proxy replaces the certificate, the connection fails.

How It Works

Normal connection:
  Mideye Server ──TLS──► Mideye Switch (port 20460)
  Certificate: "Mideye Switch Certificate" signed by "Mideye CA" ✓

Intercepted connection (BROKEN):
  Mideye Server ──TLS──► SSL Proxy ──TLS──► Mideye Switch (port 20460)
  Certificate: "primary.mideye.com" signed by "Corporate Proxy CA" ✗
  Mideye Server rejects this — not signed by Mideye CA

Symptoms of SSL Proxy Interception

Switch connection fails on both primary and secondary
Connection test (port check) succeeds but authentication fails
Log shows TLS/SSL handshake failures or certificate validation errors
Problem appeared after a network/firewall change
Same Mideye Server works when connected to a different network without SSL inspection

How to Detect SSL Proxy Interception

Use openssl s_client to inspect what certificate the server is presenting. This is the most reliable way to detect MITM interception.

Linux:

openssl s_client -connect primary.mideye.com:20460 -showcerts </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer

Windows (PowerShell):

# Using OpenSSL (if installed, e.g., via Git for Windows)
& "C:\Program Files\Git\usr\bin\openssl.exe" s_client -connect primary.mideye.com:20460 -showcerts 2>$null | Select-String "subject=|issuer="

# Alternative: PowerShell-native check
$tcpClient = New-Object System.Net.Sockets.TcpClient("primary.mideye.com", 20460)
$sslStream = New-Object System.Net.Security.SslStream($tcpClient.GetStream(), $false, {$true})
$sslStream.AuthenticateAsClient("primary.mideye.com")
$cert = $sslStream.RemoteCertificate
Write-Host "Subject: $($cert.Subject)"
Write-Host "Issuer: $($cert.Issuer)"
$sslStream.Dispose()
$tcpClient.Dispose()

What the Correct Certificate Looks Like

When connecting directly to Mideye Switch (no MITM), you should see:

subject=C = SE, ST = Stockholm, L = Stockholm, O = Mideye, OU = Support, CN = Mideye Switch Certificate
issuer=C = SE, ST = Stockholm, L = Stockholm, O = Mideye, OU = Support, CN = Mideye CA

Key identifiers of the legitimate Mideye Switch certificate:

Subject CN: Mideye Switch Certificate
Issuer CN: Mideye CA
Issuer Organization: Mideye
Key size: 2048-bit RSA (server certificate)
TLS version: TLS 1.3 (TLS_AES_256_GCM_SHA384)

A full openssl s_client output for a healthy connection looks like this:

depth=1 C = SE, ST = Stockholm, L = Stockholm, O = Mideye, OU = Support, CN = Mideye CA
depth=0 C = SE, ST = Stockholm, L = Stockholm, O = Mideye, OU = Support, CN = Mideye Switch Certificate
---
Certificate chain
 0 s:C = SE, ST = Stockholm, L = Stockholm, O = Mideye, OU = Support, CN = Mideye Switch Certificate
   i:C = SE, ST = Stockholm, L = Stockholm, O = Mideye, OU = Support, CN = Mideye CA
 1 s:C = SE, ST = Stockholm, L = Stockholm, O = Mideye, OU = Support, CN = Mideye CA
   i:C = SE, ST = Stockholm, L = Stockholm, O = Mideye, OU = Support, CN = Mideye CA
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit

What an Intercepted Certificate Looks Like

If an SSL proxy is intercepting traffic, you will see a different issuer. For example:

subject=CN = primary.mideye.com
issuer=CN = Corporate Proxy CA, O = Your Company, C = US

Or:

issuer=CN = Zscaler Intermediate Root CA, O = Zscaler Inc.

Or:

issuer=CN = Palo Alto Networks Inc., O = Palo Alto Networks

Any issuer that is NOT Mideye CA means the connection is being intercepted.

Solution: Bypass SSL Inspection for Mideye Switch Traffic

The only solution is to exempt Mideye Switch traffic from SSL inspection in your network security appliance. This is safe because Mideye Server already validates the Switch certificate against its own trusted CA.

Contact your network/security team and request an SSL inspection bypass rule for:

Parameter	Value
Destination hosts	`primary.mideye.com`, `secondary.mideye.com`
Destination port	`20460`
Protocol	TCP/TLS
Source	Mideye Server IP address(es)

Example bypass configurations for common appliances:

Palo Alto Networks:

Create a Decryption Policy rule with Action: No Decrypt
Match on destination address (resolve primary.mideye.com and secondary.mideye.com)
Match on destination port: 20460

Zscaler:

Add primary.mideye.com and secondary.mideye.com to the SSL Bypass list
Or create a custom URL category with these domains and set the SSL Inspection policy to Do Not Inspect

Fortinet / FortiGate:

Create an SSL/SSH Inspection exemption for the destination addresses
Or use a custom deep inspection profile that excludes these destinations

Blue Coat / Symantec ProxySG:

Add a policy layer that skips SSL interception for traffic to primary.mideye.com:20460 and secondary.mideye.com:20460

Verifying the Fix

After the bypass rule is applied:

Test the certificate again:

Linux:

openssl s_client -connect primary.mideye.com:20460 -showcerts </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer

Windows:

& "C:\Program Files\Git\usr\bin\openssl.exe" s_client -connect primary.mideye.com:20460 -showcerts 2>$null | Select-String "subject=|issuer="

Confirm the issuer is Mideye CA:

subject=C = SE, ST = Stockholm, L = Stockholm, O = Mideye, OU = Support, CN = Mideye Switch Certificate
issuer=C = SE, ST = Stockholm, L = Stockholm, O = Mideye, OU = Support, CN = Mideye CA

Restart Mideye Server:

Linux:

sudo systemctl restart mideyeserver6

Windows:

Restart-Service MideyeServer6

Test authentication — Try an SMS OTP or mobile app authentication to verify Switch connectivity
Monitor logs — Check Log Files for successful Switch connections

Switch Connectivity Behind a Web Proxy

If your Mideye Server reaches the internet through a web proxy (HTTP/HTTPS proxy), the Switch connection on port 20460 may need special handling.

Key differences between proxy and SSL inspection:

A web proxy forwards traffic without inspecting TLS content (certificates pass through unchanged)
An SSL-inspecting proxy terminates TLS and re-encrypts with its own certificate (MITM)

If you need proxy for Switch connectivity:

application:
  useProxy: true
  proxyHost: proxy.company.com
  proxyPort: 8080

Test proxy connectivity:

Linux:

# Test if the proxy allows CONNECT to port 20460
curl -v --proxy proxy.company.com:8080 --connect-to primary.mideye.com:20460:primary.mideye.com:20460 https://primary.mideye.com:20460/

Windows:

# Test proxy connectivity
Invoke-WebRequest -Uri "https://primary.mideye.com:20460" -Proxy "http://proxy.company.com:8080" -ErrorAction SilentlyContinue

If the proxy blocks non-standard ports (only allows 80/443), request that port 20460 be allowed for primary.mideye.com and secondary.mideye.com.

Mideye Shield Connection Issues

Overview

Mideye Shield provides IP reputation and threat detection services. Failed Shield queries may log warnings but typically do not block authentication.

Symptoms

“Failed to query IP” in logs
Shield queries timeout
IP reputation data not updated

Diagnostic Steps

Check Shield configuration:
- Navigate to Mideye Shield Configuration in the web interface
- Verify Shield is enabled
- Check endpoint URL configuration

Test Shield endpoint connectivity:

Linux:

curl -v https://your-shield-endpoint.com

Windows:

Invoke-WebRequest -Uri "https://your-shield-endpoint.com" -UseBasicParsing

Review logs:
- Navigate to Log Files
- Search for “shield” to see query attempts and failures

Solution

Verify Shield service is accessible from Mideye Server
Allow firewall access to Shield endpoints (HTTPS, port 443)
Configure proxy if needed (same as MAS proxy configuration)
Verify endpoint URL format (must be HTTPS)

Proxy Configuration

Overview

If Mideye Server is behind a corporate proxy, external service connectivity requires proxy configuration.

Configuration

Edit the application configuration file:

application:
  useProxy: true
  proxyHost: proxy.company.com
  proxyPort: 8080

Testing Proxy Configuration

Linux:

# Test MAS through proxy
curl -v --proxy proxy.company.com:8080 https://mas.mideyecloud.se

# Test Switch through proxy
curl -v --proxy proxy.company.com:8080 https://primary.mideye.com:20460/

Windows:

# Test MAS through proxy
Invoke-WebRequest -Uri "https://mas.mideyecloud.se" -Proxy "http://proxy.company.com:8080"

# Test Switch through proxy
Test-NetConnection -ComputerName primary.mideye.com -Port 20460

System-Level Proxy (Alternative)

If the application-level proxy configuration doesn’t work, you can configure proxy at the system level:

Linux:

# Add to /etc/environment
export http_proxy="http://proxy.company.com:8080"
export https_proxy="http://proxy.company.com:8080"
export no_proxy="localhost,127.0.0.1,*.internal.domain.com"

Windows:

# Set system proxy
[System.Environment]::SetEnvironmentVariable("HTTP_PROXY", "http://proxy.company.com:8080", "Machine")
[System.Environment]::SetEnvironmentVariable("HTTPS_PROXY", "http://proxy.company.com:8080", "Machine")

Restart the service after changing system proxy settings.

Diagnostic Commands Summary

Quick Connectivity Tests

Linux:

# Test MAS
curl -v https://mas.mideyecloud.se

# Test Mideye Switch
nc -zv primary.mideye.com 20460
nc -zv secondary.mideye.com 20460

# Test Switch certificate (detect SSL proxy interception)
openssl s_client -connect primary.mideye.com:20460 -showcerts </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer

# Test with proxy
curl -v --proxy proxy:8080 https://mas.mideyecloud.se

Windows (PowerShell):

# Test MAS
Invoke-WebRequest -Uri "https://mas.mideyecloud.se" -UseBasicParsing

# Test Mideye Switch
Test-NetConnection -ComputerName primary.mideye.com -Port 20460
Test-NetConnection -ComputerName secondary.mideye.com -Port 20460

# Test Switch certificate (requires OpenSSL, e.g., via Git for Windows)
& "C:\Program Files\Git\usr\bin\openssl.exe" s_client -connect primary.mideye.com:20460 -showcerts 2>$null | Select-String "subject=|issuer="

Monitor Connections

Linux:

# Watch logs for connection issues
tail -f /opt/mideyeserver6/log/mideyeserver.log | grep -iE "switch|mas|shield"

Windows:

# Watch logs for connection issues
Get-Content "C:\Program Files\Mideye Server\log\mideyeserver.log" -Wait | Select-String "switch|mas|shield"

Prevention and Monitoring

Pre-Deployment Checklist

Before deploying Mideye Server, verify external service connectivity:

DNS resolves primary.mideye.com, secondary.mideye.com, mas.mideyecloud.se
TCP port 20460 open to primary.mideye.com and secondary.mideye.com
HTTPS (port 443) open to mas.mideyecloud.se
No SSL proxy intercepting traffic to Mideye Switch (verify certificate issuer is Mideye CA)
Proxy configured if required for outbound internet access
Shield endpoint accessible if using Mideye Shield

Regular Health Checks

Periodically test external service connectivity to catch issues before they affect users:

Linux:

#!/bin/bash
echo "=== External Service Health Check ==="

# Test MAS
printf "MAS: "
curl -s -o /dev/null -w "%{http_code}" https://mas.mideyecloud.se && echo " OK" || echo " FAILED"

# Test Switch (primary)
printf "Switch Primary: "
nc -w 3 -zv primary.mideye.com 20460 2>&1 | grep -q succeeded && echo "OK" || echo "FAILED"

# Test Switch (secondary)
printf "Switch Secondary: "
nc -w 3 -zv secondary.mideye.com 20460 2>&1 | grep -q succeeded && echo "OK" || echo "FAILED"

# Check for MITM
printf "Certificate check: "
ISSUER=$(openssl s_client -connect primary.mideye.com:20460 </dev/null 2>/dev/null | openssl x509 -noout -issuer 2>/dev/null)
echo "$ISSUER" | grep -q "Mideye CA" && echo "OK (Mideye CA)" || echo "WARNING: $ISSUER"

Getting Help

If external service issues persist:

Collect diagnostic information:
- Export logs from the Log Files page (filter for “switch”, “mas”, “shield”)
- Run connectivity tests (see commands above)
- Document your network topology (firewalls, proxies, VPNs)
For SSL proxy / MITM issues specifically, provide:
- The openssl s_client output showing the certificate chain
- The firewall/proxy appliance make and model
- Whether a bypass rule was attempted
Contact Mideye Support with:
- External service configuration (sanitized)
- Connection test results
- Network topology description
- Error messages from logs