This article walks you through diagnosing connection problems between the Umango Scan Actuator (the small desktop app that talks to your scanner) and the Umango web application running in your browser.

If you're on a personal or home computer, start with the Quick checks section.

If you're on a work computer managed by an IT department, jump to Corporate and managed environments — most issues there require admin or IT involvement.

Contents

• Before you start: gather these details
• Quick checks
• Symptom-based troubleshooting
• Browser-specific issues
• Verifying the certificate is installed correctly
• The Scan Actuator won't stay running
• Corporate and managed environments (for IT administrators)
• Advanced diagnostics
• When to contact Umango support

Before you start: gather these details

Knowing these will save time, especially if you end up contacting support:

• Operating system version — Windows 10, 11, Pro, Home, etc. (Win+R → winver → Enter)
• Browser and version — Chrome, Edge, Firefox, plus the version number from the browser's About page
• Whether the Umango Scan Actuator icon is visible in the system tray (bottom-right corner of the screen, possibly hidden under the ^ arrow)
• The exact error message the web app shows, if any
• Whether the computer is joined to a corporate domain — if you're not sure, see Am I on a corporate computer?

Quick checks

Try these in order. Each takes under a minute and resolves most cases.

1. Is the Scan Actuator running?

Look in the system tray (bottom-right of screen) for the Umango Scan Actuator icon. Click the ^ arrow if hidden icons are collapsed.

• Icon present → continue to step 2.
• Icon missing → start it from the Start menu (search "Umango Scan Actuator"). If it's not in the Start menu, it isn't installed; reinstall using the latest installer.
• Icon flashes briefly then disappears → it's crashing on startup. Skip to The Scan Actuator won't stay running.

2. Restart your browser completely

Browsers cache failed connection attempts and certificate decisions aggressively. Just closing the tab isn't enough.

• Close every browser window, not just the Umango tab.
• On Windows, check Task Manager — sometimes Chrome/Edge keep background processes running. End all of them.
• Reopen the browser and try again.

Tip: This alone fixes a surprising number of cases. Always try it before deeper troubleshooting.

3. Restart the Scan Actuator

Right-click the tray icon → Exit. Then start it again from the Start menu.

4. Try a different browser

If it works in Edge but not Chrome (or vice versa), the issue is specific to one browser's cache or settings, not your scanner or the Scan Actuator. Continue to Browser-specific issues.

5. Restart the computer

A reboot clears port conflicts, stuck network states, and a class of weird Windows issues that don't fit anywhere else on this list. Worth doing before deeper troubleshooting.

Symptom-based troubleshooting

Find the symptom that matches what you're seeing.

Browser shows "Your connection is not private" / certificate warning

The browser doesn't trust the certificate the Scan Actuator is using.

Cause: The certificate's root authority isn't installed in your browser's trust store, or it was installed but the browser hasn't picked it up yet.

Fix:

1. Fully restart the browser (close all windows, including background processes).
2. If that doesn't help, reinstall the Scan Actuator using the latest installer as an administrator (right-click the installer → Run as administrator).
3. Restart the browser again.

If the warning persists, see Verifying the certificate is installed correctly.

Browser console shows "ERR_CONNECTION_REFUSED"

Nothing is listening on the expected port.

Cause: The Scan Actuator isn't running, or it failed to start on the right port.

Fix:

1. Confirm the tray icon is present (see Quick check #1).
2. Right-click the tray icon → check if there's an "Exit" or status option. If clicking the icon does nothing, the app may be hung — kill it via Task Manager (Ctrl+Shift+Esc, find "UmangoScanActuator", End task) and restart it.
3. Check whether another program is using the port:

   netsh interface ipv4 show excludedportrange protocol=tcp

   Run this in a Command Prompt. If the Scan Actuator's port (default 50082) appears in the excluded range, Windows has reserved it. Reboot to clear the reservation.

Browser console shows "ERR_SSL_PROTOCOL_ERROR" or "ERR_CONNECTION_RESET"

The connection is being established but the secure handshake fails.

Cause: Most commonly, the Scan Actuator can't access the certificate's private key because the user account doesn't have permission. This happens when the installer didn't run elevated, or the account was created after the installer was run.

Fix:

1. Reinstall the Scan Actuator as an administrator. The installer needs admin rights to set up shared certificate access for all users on the computer.
2. If you're a standard user and can't run the installer as admin, ask whoever installed it (or your IT department) to do so.

If reinstalling as admin doesn't help, see Verifying the certificate is installed correctly.

Browser console shows "blocked by Private Network Access" or similar

This is a security feature in newer Chrome and Edge versions that requires extra configuration when a public website talks to a service running on your computer.

Cause: Browser policy is blocking the request to localhost.

Fix for personal computers: Update to the latest version of the Scan Actuator — recent versions handle this automatically. If you're already up to date and still see this, contact support.

Fix for managed computers: This typically requires a Group Policy change. See the Corporate and managed environments section.

Browser shows nothing — just hangs or times out

The connection is being silently dropped, usually by security software.

Cause: Antivirus or endpoint protection software is intercepting the connection.

Fix: See Antivirus and endpoint protection.

"It worked yesterday, doesn't work today"

If nothing changed on your end, something else changed: a Windows update, a browser update, a security software update, or a corporate policy push.

Try in this order:

1. Restart the browser (Quick check #2).
2. Restart the computer (Quick check #5).
3. Reinstall the Scan Actuator as admin.
4. Check whether your IT department recently pushed any updates — see Corporate and managed environments.

Browser-specific issues

Chrome and Edge

These two share the same underlying engine, so issues are usually the same. After installing the Scan Actuator:

• Always fully restart the browser before testing. The browser caches the certificate trust state at startup.
• If you see persistent certificate errors, clear cached state: in the address bar go to chrome://net-internals/#hsts (or edge://net-internals/#hsts), find the Delete domain security policies section, enter localhost, and click Delete. Then restart the browser.
• If you previously bypassed the certificate warning by clicking through, that exception may need to be cleared: visit chrome://settings/security and look for any saved exceptions.

Firefox

Firefox uses its own certificate store, not the Windows trust store. The standard installer trusts the certificate at the Windows level, which Firefox ignores.

Workaround: Either use Chrome or Edge, or follow the manual Firefox certificate import steps in the Umango admin guide.

Safari (macOS)

The Scan Actuator is a Windows-only application and doesn't run on macOS.

Verifying the certificate is installed correctly

Note: This section is more technical. If you're not comfortable with it, ask your IT department or contact Umango support.

Check the certificate is in the right place

1. Press Win+R, type certlm.msc, and press Enter. (You'll need admin rights.)
2. Expand Personal → Certificates in the left pane.
3. Look for a certificate issued to localhost, with friendly name "Umango Local WSS".

What to verify:

• The certificate exists in Personal (not under "Current User").
• Double-clicking it shows "You have a private key that corresponds to this certificate" at the bottom of the General tab. If this message is missing, the private key isn't accessible — reinstall as administrator.
• The Valid to date is in the future. If it's expired, reinstall.
• Under the Details tab, find Subject Alternative Name — it should list localhost, 127.0.0.1, and ::1.

Check the root certificate is trusted

1. In certlm.msc, expand Trusted Root Certification Authorities → Certificates.
2. Look for "Umango Local Dev Root".

If it's missing, the browser will show certificate warnings. Reinstall the Scan Actuator as administrator.

Test the certificate in a browser

Open a new browser tab and visit https://localhost:50082 (or whatever port the Scan Actuator uses). You should see one of:

• A blank page or error from the Scan Actuator (not the browser) — this means the certificate is trusted and the connection works. The Scan Actuator simply doesn't serve a webpage at that URL; it serves a WebSocket. This is expected.
• A certificate warning page — the certificate isn't trusted. Reinstall as admin.
• "This site can't be reached" — the Scan Actuator isn't running, or is on a different port.

The Scan Actuator won't stay running

If the icon appears briefly then vanishes, or never appears at all:

1. Open Event Viewer (Win+R, eventvwr.msc) → Windows Logs → Application.
2. Look for recent errors with source related to the Scan Actuator or .NET Runtime.
3. Common causes:
   • Port 50082 already in use — another program (or another copy of the Scan Actuator) is using the port. Reboot, or change the port in the registry under HKLM\SOFTWARE\Umango\TwainServicePort.
   • Certificate inaccessible — the installer didn't complete properly. Reinstall as admin.
   • Missing .NET runtime — install the latest .NET 8 Desktop Runtime from Microsoft.

Corporate and managed environments (for IT administrators)

If your computer is managed by an IT department (it has a corporate login, group policy, or enterprise antivirus), the standard troubleshooting steps may not be enough. The remaining sections need IT involvement.

Am I on a corporate computer?

Run this in Command Prompt:

whoami /upn
echo %USERDOMAIN%
echo %COMPUTERNAME%

If the output shows a domain name (e.g., user@company.com) or %USERDOMAIN% is anything other than your computer name, you're on a managed computer. Continue with this section, and forward this article to your IT team if needed.

What IT needs to verify

The following list is intended for IT administrators.

1. The Scan Actuator must be installed per-machine, not per-user

Check that the installer was deployed to all users, not just the user who installed it:

• Installer should run as LocalSystem (via SCCM, Intune, or msiexec /i ... ALLUSERS=1).
• Files should land under C:\Program Files\ (or Program Files (x86)), not under a user profile.
• Auto-start should be configured per-machine (HKLM Run key or a scheduled task with Run for any user), not per-user.

2. Certificate trust must be deployed by GPO if the local install isn't an option

If your imaging process strips locally installed root certificates, deploy the Umango root certificate via Group Policy:

• Export Umango Local Dev Root from a reference machine using certlm.msc → Trusted Root Certification Authorities → right-click cert → All Tasks → Export (no private key, DER format).
• In Group Policy Management Console: Computer Configuration → Policies → Windows Settings → Security Settings → Public Key Policies → Trusted Root Certification Authorities → right-click → Import.
• Link the GPO to the relevant OU.
• Run gpupdate /force on a target machine to verify.

3. Browser policy: Private Network Access (PNA)

Modern Chrome and Edge require explicit permission for public websites to communicate with services running on localhost. If your fleet is configured with strict PNA enforcement, the Scan Actuator's connection will be blocked.

Add the Umango web app's origin to the PNA allowlist:

Via Group Policy (after importing the Chrome/Edge ADMX templates):

• Computer Configuration → Administrative Templates → Google Chrome (or Microsoft Edge) → Allow access to insecure private network requests from these origins
• Enable the policy.
• Add the Umango web app origin (e.g., https://mytenant.umango.com).
• Run gpupdate /force, then restart browsers.

Verify by visiting chrome://policy (or edge://policy) — the policy InsecurePrivateNetworkRequestsAllowedForUrls should be listed with your origin.

For Intune-managed devices, configure the equivalent setting under Devices → Configuration profiles → Settings catalog.

4. Windows Firewall

Loopback traffic typically bypasses Windows Firewall, but custom firewall configurations or third-party EDR products may intercept it. Add an inbound rule:

• Program: C:\Program Files (x86)\Umango\Scan Actuator\UmangoScanActuator.exe
• Direction: Inbound
• Action: Allow
• Scope: Local IP 127.0.0.1, remote IP 127.0.0.1 only
• Protocol: TCP
• Local port: 50082 (or the configured port)

Deploy via Computer Configuration → Windows Settings → Security Settings → Windows Defender Firewall with Advanced Security.

5. AppLocker, WDAC, and SmartScreen

If your fleet enforces application allowlisting, the Scan Actuator may be blocked from running:

• AppLocker: Add a publisher rule for the Umango code-signing certificate, or a hash/path rule for UmangoScanActuator.exe.
• WDAC: Same — publisher rule preferred.
• SmartScreen: Should not flag a properly signed installer. If it does, the publisher reputation may need to build over time, or you can deploy a SmartScreen exception for the publisher.
• Attack Surface Reduction (ASR): The rule "Block executable files from running unless they meet a prevalence, age, or trusted list criterion" can quarantine the Scan Actuator on first deployment. Add an exclusion for the executable path.

Get the code-signing certificate thumbprint from the Umango installer's properties (right-click the installer → Properties → Digital Signatures).

Antivirus and endpoint protection

Common offenders that intercept loopback TLS traffic or quarantine the Scan Actuator's listener:

• CrowdStrike Falcon
• SentinelOne
• Microsoft Defender for Endpoint
• Sophos Intercept X
• ESET Endpoint Security
• Carbon Black

What to ask your security team to add as exclusions:

• Process exclusion for UmangoScanActuator.exe
• Network exclusion for inbound traffic to 127.0.0.1:50082 (or the configured port)
• Certificate-based publisher allowlist for binaries signed by Umango (preferred over path exclusions, since paths can be bypassed)

Caution: To confirm whether the AV is the cause, temporarily disable the AV's network/web protection module (with security team approval) and retest. If the Scan Actuator works with protection disabled, the AV is the issue and needs an exclusion — do not run with protection permanently disabled.

TLS interception by enterprise proxies

Some corporate networks decrypt and re-encrypt all TLS traffic, including loopback in some configurations. The Scan Actuator's certificate is then replaced by the proxy's certificate, which the browser may or may not trust.

Symptoms:

• The certificate the browser sees is issued by your corporate CA, not "Umango Local Dev Root."
• Connection works on the corporate network but not on guest WiFi (or vice versa).

Fix: Configure the TLS interception product to bypass loopback (127.0.0.1, ::1) — this is the recommended configuration anyway, since loopback traffic doesn't leave the machine and shouldn't need inspection.

Advanced diagnostics

For Umango support staff or experienced IT admins.

Check what's actually listening on the port

In an elevated Command Prompt:

netstat -ano | findstr :50082

Expected output: a LISTENING line for 127.0.0.1:50082 with a process ID. Look up the PID in Task Manager (Details tab) — it should be UmangoScanActuator.exe.

Security note: If the binding is to 0.0.0.0:50082 instead of 127.0.0.1:50082, you're on an older version of the Scan Actuator that exposed the bridge to the local network. Update to the latest version.

Test the WebSocket handshake directly

From the same machine the Scan Actuator runs on:

curl -vk https://localhost:50082/

What to look for in the output:

• SSL connection using TLSv1.3 (or TLSv1.2) — TLS handshake works.
• subject: CN=localhost and issuer: CN=Umango Local Dev Root — correct certificate is being served.
• SSL: no alternative certificate subject name matches — SAN is wrong; reinstall.
• Connection refused — Scan Actuator isn't listening.

Check the Scan Actuator's log

Please set HKLM\SOFTWARE\Umango\logging.actuator = true, restart the bridge, reproduce the issue, then send us C:\ProgramData\Umango\Logs\Actuator-*.log."

Common log messages and what they mean:

Reset to a known-good state

If everything is broken and you want a clean slate:

1. Uninstall the Scan Actuator from Add or remove programs.
2. In certlm.msc:
   • Delete any certificate named "Umango Local WSS" from Personal.
   • Delete "Umango Local Dev Root" from Trusted Root Certification Authorities.
3. Delete the registry key HKLM\SOFTWARE\Umango.
4. Reboot.
5. Reinstall using the latest installer, as administrator.

When to contact Umango support

Contact support if:

• You've worked through the relevant sections of this article without resolution.
• The Scan Actuator log shows an error not covered in this article.
• The issue affects multiple users on the same network and looks like an infrastructure problem.

Information to include in your support request:

1. Operating system version (winver output)
2. Browser name and version
3. Whether the computer is domain-joined (output of whoami /upn)
4. The exact error message from the browser
5. The contents of the most recent file in %ProgramData%\Umango\Logs\
6. Output of netstat -ano | findstr :50082
7. A screenshot of the certificate details from certlm.msc (Personal → Certificates → Umango Local WSS → double-click → Details)
8. The name of the antivirus / endpoint protection product running on the machine

The more of this you can include up front, the faster we can resolve the issue.

Last updated: May 2026