
What is Basically Required to Have SMP 7.5.x CEM Functionality Working Via HTTPS Using Self-Signed Certificates?

Chad Dupin
December 16, 2015

SMP 7.5.X INSTALLATION, USING SELF-SIGNED CERTIFICATES

If you don’t have any 3rd-party or internal Microsoft CA certificates available for the “Default Web Site”, you can choose “Create a self-signed certificate”. Altiris provides a tool to create your own self-signed certificates.
Within the product, launch AexGenSiteServer. Your path may be different from the one shown below.

  • Now we need to import that certificate into the Notification Server. Just launch the .pfx file you just created; it will prompt you to install it. Remember we need this cert on ALL the servers the clients need to talk to. We will start by applying it directly to the Notification Server.
    Note:
    Make sure you use the FQDN of the server or it won’t work. You will get an error on the import.

When prompted for the certificate store, don’t let the system choose. Place the cert in the Trusted Root Certification Authorities store!

Note:
Make sure that this self-signed certificate is installed in “Trusted Root Certification Authorities” on your SMP machine after completing the configuration of SMP 7.5.x.

What certificates can be used for the SMP Web Site and for the “Symantec Agent” CEM Web Site: http://www.symantec.com/docs/DOC7438

Before you migrate a managed computer to Cloud-enabled Management, you must ensure that the agent can communicate with Notification Server and site servers using HTTPS. To use HTTPS for communication, the agent must trust Notification Server and the site servers. If necessary, you can add the appropriate root certificate authority (CA) certificates to the Trusted Root Certificate Authorities store of the Local Computer account on the managed computer. You can export the appropriate self-signed certificate from Notification Server. If Notification Server does not use a self-signed certificate, you need to export the root CA for the certificate chain that Notification Server uses. To apply the exported CA certificate to a managed computer, you can use a command line or Microsoft Management Console. Alternatively, you can use the Active Directory group policy to roll out the certificate or reinstall the Symantec Management Agent with automatic certificate delivery enabled.

This task is a step in the process for preparing your environment for Cloud-enabled Management.
To export a root CA certificate from Notification Server:
1. On the Notification Server computer, start Microsoft Management Console.
2. Add the Certificates snap-in for Computer account > Local Computer, and then navigate to Console Root > Certificates (Local Computer) > Certificates.
3. Right-click the certificate authority that you want to export:

        • SMP <NS_Name> Agent CA: this certificate authority issues Agent certificates. Symantec Management Agents use these certificates when they communicate with Notification Server and site servers through an Internet gateway. The Internet gateway must have this CA installed to trust the connecting clients.
        • SMP <NS_Name> Server CA: this certificate authority issues Server certificates. Site servers use these certificates to authenticate themselves. When Symantec Management Agents contact the site server, they verify the server certificate.

4. Click All Tasks > Export.
5. In the Certificate Export Wizard, specify the following settings:

        • Select Yes, export the private key.
        • Select Personal Information Exchange - PKCS #12 (.PFX).
        • Specify the certificate password.
        • Specify the path and name of the exported certificate file.
        • Click Finish, and then close the export confirmation pop-up window.
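A scripted equivalent of the export and import described above, added here as an example and not taken from the article or from Symantec: it exports the public part of the “SMP <NS_Name> Server CA” certificate from the Notification Server's Trusted Root store and imports it into Trusted Root on a managed computer, confirming the import by thumbprint. The NS name, the export folder and the exact CA subject string are assumptions; match them to what the Certificates snap-in shows, and the CA is assumed to sit in the Local Computer Trusted Root store as the article requires.

```powershell
# Added example, not part of the original article: export the SMP root CA certificate from
# the Notification Server's Trusted Root store, then import it into Trusted Root on a managed
# computer and confirm it by thumbprint. Uses the .NET X509Store API directly so it also runs
# on Windows 2008 R2 / PowerShell 2.0. $NsName and the export folder are placeholders.
function Export-SmpRootCa {
    param([string]$NsName, [string]$ExportDir)
    # Trusted Root Certification Authorities of the Local Computer, opened read-only
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
    $store.Open('ReadOnly')
    try {
        # The article names this CA "SMP <NS_Name> Server CA" (subject pattern is an assumption)
        $ca = $store.Certificates |
              Where-Object { $_.Subject -like "*SMP $NsName Server CA*" } |
              Select-Object -First 1
        if (-not $ca) { throw "No 'SMP $NsName Server CA' certificate found in LocalMachine\Root." }
        if (-not (Test-Path $ExportDir)) { New-Item -ItemType Directory -Path $ExportDir | Out-Null }
        # Export the public certificate only (DER .cer). That is all a client needs in order to
        # trust the server; the private key stays on the Notification Server.
        $file = Join-Path $ExportDir "SMP-$NsName-ServerCA.cer"
        [System.IO.File]::WriteAllBytes($file, $ca.Export('Cert'))
        return $file
    } finally { $store.Close() }
}

function Import-SmpRootCa {
    param([string]$CerPath)
    # Run elevated on the managed computer: add the CA to Trusted Root, then verify by thumbprint
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
    $store.Open('ReadWrite')
    try {
        $present = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
        if (-not $present) { $store.Add($cert) }
        $present = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    } finally { $store.Close() }
    if (-not $present) { throw "Import failed: thumbprint $($cert.Thumbprint) is not in Trusted Root." }
    "Trusted Root contains '$($cert.Subject)' [$($cert.Thumbprint)], valid until $($cert.NotAfter)"
}

# Usage: run the export on the Notification Server, copy the .cer to each client, then import.
# $cer = Export-SmpRootCa -NsName 'NS01' -ExportDir 'C:\Temp\smp-ca'   # placeholder values
# Import-SmpRootCa -CerPath 'C:\Temp\smp-ca\SMP-NS01-ServerCA.cer'
```

Distributing only the .cer keeps the CA private key off the clients; the .pfx export in the wizard above is what you keep for the servers that must present the certificate.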

Install “Symantec Management Agent” 7.5.x on the client machine(s) and on the remote server(s) that will act as remote Site Server(s).

In the SMP Console, open the “Agent Install” page and specify all required client computers and servers where the “Symantec Management Agent” will be installed. Enable “Install Server certificate to the client machine”; it will then install the SMP server’s self-signed certificate in “Trusted Root Certification Authorities” on each client/server machine so that the SSL connection handshake succeeds.

Ensure that the “SMA Download” link and “Targeted Agent Settings” use the SMP HTTPS URL.
Note: I am using All Desktops; however, in a mixed mode I would suggest a new agent target, perhaps just laptops.

SELF-SIGNED CERTIFICATES FOR CEM SITE SERVERS AND THE INTERNET GATEWAY

If you will have certificates on the CEM Site Servers (in this case we are using our own self-signed certificate), then make sure that:

    • All clients and the SMP server have these self-signed certificates installed in “Trusted Root Certification Authorities”
    • All CEM Site Servers have each other’s self-signed certificates installed in “Trusted Root Certification Authorities”

Otherwise, if certificates remain untrusted between the servers (CEM, IGW, and the SMP), clients won’t be able to establish a connection via the cloud. The firewall (Windows or any other third-party) needs to allow inbound/outbound connections on ports 50120, 50121, 50123 and 50124. Please note that these ports are specifically used for the Task Server; the Symantec Management Platform uses other ports as well for various purposes.
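To check the trust requirement above from any of these machines, here is an added example (not the article’s or Symantec’s code) that opens a TLS connection to each endpoint, builds the presented certificate’s chain against the Local Computer stores, and compares the certificate CN with the FQDN used to connect. The host names are placeholders; the ports are the article’s 4726 for the “Symantec Agent” site and 443 for site servers and the gateway.

```powershell
# Added example, not part of the original article: from this machine, open a TLS connection to
# each CEM endpoint, then report whether the presented certificate chains to a root in the
# Local Computer trust stores and whether its CN equals the FQDN used to reach it (the "use
# the FQDN" rule from the article). Host names are placeholders; ports 4726 and 443 are the article's.
function Test-CemTrust {
    param([string]$HostName, [int]$Port)
    $r = New-Object PSObject -Property @{
        Endpoint = "${HostName}:$Port"; Reachable = $false; Trusted = $false
        NameMatch = $false; Subject = ''; Problem = ''
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $r.Reachable = $true
        # Accept whatever the server sends here so the certificate can be inspected;
        # trust is evaluated explicitly against the local stores below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        $r.Subject = $cert.Subject
        # A self-signed server cert is trusted only if that very cert sits in Trusted Root here
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # self-signed certs publish no CRL
        $r.Trusted = $chain.Build($cert)
        if (-not $r.Trusted) { $r.Problem = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',' }
        # CN must be the FQDN the clients connect with, or the handshake name check fails
        $cn = $cert.GetNameInfo('SimpleName', $false)
        $r.NameMatch = ($cn -ieq $HostName)
        $ssl.Dispose()
    } catch { $r.Problem = $_.Exception.Message }
    finally { $tcp.Close() }
    $r
}

# Endpoints from the article's topology (placeholder names): the SMP "Symantec Agent" site on
# :4726, a remote Package/Task Server on :443, and the Internet gateway on the SSL port you chose.
$endpoints = @(
    @{ HostName = 'smp01.corp.example';  Port = 4726 },
    @{ HostName = 'ps01.corp.example';   Port = 443  },
    @{ HostName = 'cemgw.example.com';   Port = 443  }
)
$endpoints | ForEach-Object { Test-CemTrust -HostName $_.HostName -Port $_.Port } |
    Format-Table Endpoint, Reachable, Trusted, NameMatch, Subject, Problem -AutoSize
```

Run it on the SMP, on each CEM site server and on the gateway in turn, since trust is required in every direction. The gateway expects agent client certificates, so a probe without one may be refused during the handshake; the Problem column then shows the reason.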

Note:
Make sure that you have enabled “HTTPS” codebase publishing for your Package Server(s), because clients in CEM mode will download packages via HTTPS.

"CEM SYMANTEC AGENT WEB SITE" CREATION WITH SELF-SIGNED CERTIFICATE

Open the SMP Console > “Settings” > “Notification Server” > “Cloud-Enabled Management” > create the “Symantec Agent” web site with the “Create self-signed” certificate option.

Now there is a “Symantec Agent” web site with a self-signed certificate and a :4726 port binding.
Import the cert (this is the one you created with the Altiris cert generator).

  • Click "Add IIS Website for cloud-enabled management agent connection"
  • Take the .pfx file of your self-signed certificate and import it, then click "OK" and "Save Changes"

  • After the “Symantec Agent” web site creation and .pfx import, you can check your certificate in IIS.

"CEM" SMP INTERNET GATEWAY INSTALLATION

About “CEM” gateway hardware requirements:
http://www.symantec.com/docs/DOC5670

  • Operating System: Windows 2008 R2 SP1 with the .NET Framework 3.5.1 feature
  • Processor: Dual Core CPU
  • Disk Capacity: At least 40 GB
  • RAM: 8 GB

How to install the “CEM” Gateway:

  • Download “SMP_Internet_Gateway.msi” from the SMP Server’s folder \\%SMPServer%\NSCap\bin\Win64\X64\ to the remote Windows 2008 R2 SP1 x64 server
  • Begin the “SMP_Internet_Gateway.msi” installation

  • Choose the location where the Gateway will be installed.

  • Proceed to the next step.

  • Start the configuration wizard.

  • Specify the SSL listening port and IP address for the CEM Gateway.

  • Specify the common name of the CEM Gateway server and the other fields for self-signed certificate generation.

  • Complete the configuration wizard.

  • Now you have installed the CEM Gateway, and these tabs will be available in the IGM UI.

In the “Servers” tab you add the “SMP Server’s Symantec Agent” web site (:4726) and the other existing remote Site Servers, such as a Package Server or Task Server (:443).

  • In the “Settings” tab you can change the available settings.

  • In the “About” tab you can see the version of Apache/OpenSSL.

ADDING A "SMP SERVER"-"SYMANTEC AGENT: 4726" WEB SITE

1. Specify the FQDN/hostname of your SMP Server where the “Symantec Agent” web site is running on port :4726 and click “OK.”

2. After that, the CEM Gateway will throw a “Certificate Warning” message (it offers to install the self-signed certificate of the “Symantec Agent”:4726 web site in “Trusted Root Certification Authorities” on your CEM Gateway machine).
• Click “Show Certificate” > click “Install Certificate” > choose “Trusted Root Certification Authorities” for Local Computer > click “OK”. After that, click the “Ignore” button on the “Certificate Warning” message.

3. Then the CEM Gateway will offer to specify an SMP Server Symantec Administrators account to enable the reporting functionality for this SMP.
Note! You should use the Symantec Administrator account that is the “Application Identity” account!
 
4. After specifying the “Application Identity” account, the reporting functionality will be enabled for the added SMP Server in the CEM Gateway.

ADDING REMOTE SITE SERVER(S) IN CEM GATEWAY

When you have determined the list of remote Site Servers (Task Server and Package Server) that will serve all your CEM clients, you need to add these Site Servers in the CEM Gateway.
Note: If you don’t have any remote Site Server(s), CEM clients will communicate only with the SMP Site Server.
1. Choose the Server type “Site Server” and specify the FQDN/hostname of your remote Site Server (Package Server or Task Server) in the CEM Gateway, using the appropriate SSL port that is bound (by default 443).
 
  • Click “OK”; the added Site Server will then be shown in the CEM Gateway.

When you have added all required Site Servers in the CEM Gateway, you can assign the “Default Internet Site” to these Site Server(s) on the Site Server Management page; otherwise these Site Server(s) will now serve all managed endpoints that are currently on the Internet.

You can read more about Site Assignments per Site Server in the SMP Console “Symantec Help Center”:
• Open the SMP Console -> click “Help” -> “Context”

• Then type “Manual Assignment” in the search field

ADDING CEM GATEWAY IN "CLOUD-ENABLED MANAGEMENT SETTINGS" POLICY ON SMP CONSOLE

Open the SMP Console > “Settings” > “Notification Server” > “Cloud-enabled Management” > open the “Cloud-enabled Management Settings” policy > click the “Add Gateway” button > from the drop-down menu choose the common name of your CEM Gateway and save the changes.

Enable this policy and set an appropriate “Resource Target” to deliver these CEM policy settings to all required managed endpoints that will be switching from Intranet to Internet.
Note: Take care not to include unnecessary managed server(s), because if they have the CEM Settings policy applied, it will be impossible to set them up as a Task Server.

  • Client side, when the CEM Settings policy arrives
  • When a managed endpoint receives the “Cloud-enabled Management Settings” policy, it should show that “CEM” is enabled but inactive, as long as the managed endpoint is on the Intranet and not on the Internet:

  • When a managed endpoint with the “CEM Settings” policy goes from Intranet to Internet mode, it should show:

  • SMA log output when it successfully connects via the CEM Gateway
