Symantec Management Platform (Notification Server)

  • 1.  CEM clients are not using HTTPS to connect to SMP

    Posted May 06, 2015 11:37 AM

    Hi

    I am trying to set up CEM and am having difficulty getting clients to connect to the SMP using HTTPS. I have a targeted client config policy which configures the client to use https://server.abc.local/Altiris to connect to the SMP, and the targeted machines have been removed from the general client configuration policy. The default web site on the SMP has its SSL set to require SSL and ignore client certificates (the Altiris web site doesn't have this set though). I can access the console using HTTPS.

    But the clients continue to connect to the SMP via HTTP regardless of what I seem to do.... What have I missed?

    Thanks in advance

    Steve

     



  • 2.  RE: CEM clients are not using HTTPS to connect to SMP

    Broadcom Employee
    Posted May 06, 2015 12:46 PM

    Hi smassie,

    Probably your client is unable to establish an HTTPS connection with the SMP Server because of an SSL handshake failure. Check the client SMA logs in C:\ProgramData\Symantec\Symantec Agent\Logs on the client PC.

    Also, you can open your SMP Console HTTPS URL https://server.abc.local/Altiris in IE on the client PC and see whether it has SSL errors or not. (Probably you're using a self-signed certificate on the SMP Server and the client PC doesn't have this certificate installed in its own "Trusted Root CA".)

    Thanks,

    IP.



  • 3.  RE: CEM clients are not using HTTPS to connect to SMP

    Posted May 06, 2015 11:20 PM

    We had to wrestle with this a lot too. Like Igor mentioned, make sure that the trust relationship is there. Also, I know you're speaking about CEM clients, but what about your normal workstations? The reason I ask is because regardless of CEM, once we flipped the Notification Server to HTTPS, there was no failover. It was either 443 or else. We did have to make sure that, regardless of self-signed or 3rd party, our workstations trust whoever signed the NS's SSL certificate. Once that was all in line, it just clicked like magic.

    Best advice I can give: set up Altiris to use SSL first, just like in the old days. Once that is working, THEN worry about CEM. It helped us a lot to step back and realize that Altiris has had the ability to operate over 443 from day one. That needs to be treated separately.

    Good luck! Feel free to PM with questions.

    Paul


  • 4.  RE: CEM clients are not using HTTPS to connect to SMP

    Posted May 07, 2015 04:37 AM

    Thanks for the input...

    I worked out I hadn't copied the SSL certificate to the clients. I am not 100% sure which certificate was required - there are a number of SMP certificates installed on the NS, including two agent certificates, and the documentation doesn't tell you which one you should use. Even now I don't know which certificate is being used, but it works.

    As for the log files, where are these? I have no agent log files and the logs directory suggested doesn't exist.... I would love to study the log files if they and the directory they are supposed to be in existed...

    Steve



  • 5.  RE: CEM clients are not using HTTPS to connect to SMP

    Posted May 07, 2015 04:39 AM

    Ah correction.... I have found the log files... I misread the location.... DOH!



  • 6.  RE: CEM clients are not using HTTPS to connect to SMP

    Broadcom Employee
    Posted May 07, 2015 05:54 AM

    What version of SMP are you using?



  • 7.  RE: CEM clients are not using HTTPS to connect to SMP

    Posted May 07, 2015 08:44 AM

    It's 7.5 SP 1 HF 5... And I got it working (I think) :-) I'm not very knowledgeable on certificates and how these work, while there are a couple of places in the documentation where things aren't quite as clear as they might be...

    I'll probably draw up a quick article/thread to help others in the same boat and help fill in the missing gaps...!

    Steve



  • 8.  RE: CEM clients are not using HTTPS to connect to SMP
    Best Answer

    Broadcom Employee
    Posted May 07, 2015 08:54 AM

    Assuming that you are using a self-signed certificate for the SMP "Default Web Site", the best way to deploy this certificate is to set "Install Server Certificate" on the "SMA Push Install" settings page. Clients will then have the SMP's self-signed certificate installed in their Trusted Root CA and will have successful HTTPS communication between the SMA and the SMP server.



  • 9.  RE: CEM clients are not using HTTPS to connect to SMP

    Posted May 08, 2015 05:37 AM

    As noted, clients need the SMP certificates installed to connect via HTTPS, which can be done in a number of ways (manual export/import, as part of the agent install, or CEM client policy).

    Thanks for the help!
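
One way to check the trust relationship discussed in this thread from a client PC, and to see which certificate the server actually presents. This is an added example, not posted by any participant; it assumes PowerShell 3.0 or later, and `server.abc.local` is the placeholder host name from the first post.

```powershell
# Added example, not from the thread. Run on a client PC (PowerShell 3.0+ assumed).
# 'server.abc.local' is the placeholder host name used in the first post.
param([string]$ServerName = 'server.abc.local', [int]$Port = 443)

$state = @{ Errors = $null; Cert = $null }
# Probe only: let the handshake finish so an untrusted certificate can be inspected,
# and record what normal validation would have reported. No application data is sent.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($s, $certificate, $chain, $sslPolicyErrors)
    $state.Errors = $sslPolicyErrors
    $state.Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certificate
    $true
}

$tcp = New-Object System.Net.Sockets.TcpClient
$ssl = $null
try {
    $tcp.Connect($ServerName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($ServerName)
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}

# Rebuild the chain locally to get the detailed status; revocation is skipped on the
# assumption that a self-signed or internal-CA certificate has no reachable CRL.
$chainCheck = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainCheck.ChainPolicy.RevocationMode = 'NoCheck'
[void]$chainCheck.Build($state.Cert)
$root = $chainCheck.ChainElements[$chainCheck.ChainElements.Count - 1].Certificate

# Assumption: the machine-wide Trusted Root store is the one that matters for the agent.
$inMachineRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $root.Thumbprint })

$policy = [System.Net.Security.SslPolicyErrors]
[pscustomobject]@{
    PresentedSubject    = $state.Cert.Subject
    PresentedThumbprint = $state.Cert.Thumbprint
    Issuer              = $state.Cert.Issuer
    NotAfter            = $state.Cert.NotAfter
    NameMatchesUrl      = -not $state.Errors.HasFlag($policy::RemoteCertificateNameMismatch)
    ChainTrusted        = -not $state.Errors.HasFlag($policy::RemoteCertificateChainErrors)
    ChainRoot           = $root.Subject
    RootInMachineStore  = $inMachineRoot
    ChainStatus         = ($chainCheck.ChainStatus | ForEach-Object { $_.Status }) -join ', '
}
```

`PresentedThumbprint` can be compared with the certificates installed on the NS to identify which one is being served, and `RootInMachineStore` shows whether that certificate's root has reached the client.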