If you don’t have any 3rd-party or internal MS CA certificates available for “Default Web Site”, then you can choose “Create a self-signed certificate”. Altiris provides a tool to create your own self-signed certs.
Within the product, launch AexGenSiteServer. Your path may be different than what is shown below.
When prompted to place in the Cert Store, don’t let the system choose. Place the cert in the Trusted Root Cert Store!
Note:
Make sure that this self-signed certificate is installed in “Trusted Root Certification Authorities” on your SMP machine after you have completed the configuration of SMP 7.5.x.
What certificates can be used for the SMP Web Site and for the “Symantec Agent” CEM Web Site: http://www.symantec.com/docs/DOC7438
Before you migrate a managed computer to Cloud-enabled Management, you must ensure that the agent can communicate with Notification Server and site servers using HTTPS. To use HTTPS for communication, the agent must trust Notification Server and the site servers. If necessary, you can add the appropriate root certificate authority (CA) certificates to the Trusted Root Certificate Authorities store of the Local Computer account on the managed computer. You can export the appropriate self-signed certificate from Notification Server. If Notification Server does not use a self-signed certificate, you need to export the root CA for the certificate chain that Notification Server uses. To apply the exported CA certificate to a managed computer, you can use a command line or Microsoft Management Console. Alternatively, you can use the Active Directory group policy to roll out the certificate or reinstall the Symantec Management Agent with automatic certificate delivery enabled.
SMP <NS_Name> Agent CA: This certificate authority issues Agent certificates. Symantec Management Agents use these certificates when they communicate with Notification Server and site servers through an Internet gateway. The Internet gateway must have this CA installed to trust the connecting clients.
SMP <NS_Name> Server CA: This certificate authority issues Server certificates. Site servers use these certificates to authenticate themselves. When Symantec Management Agents contact the site server, they verify the server certificate.
Click All Tasks > Export.
In the Certificate Export Wizard, specify the following settings:
Install “Symantec Management Agent” 7.5.x on the client machine(s) and on the remote server(s) that will host the remote Site Service(s).
In the SMP Console, open the “Agent Install” page and specify all required client computers and servers where “Symantec Management Agent” will be installed. Enable “Install Server certificate to the client machine”; this installs the SMP server’s self-signed certificate in “Trusted Root Certification Authorities” on each client/server machine so that the SSL connection handshake succeeds.
Ensure that the “SMA Download” link and “Targeted Agent Settings” use the SMP HTTPS URL.
Note: I am using All Desktops; however, in a mixed mode I would suggest a new agent target, perhaps just laptops.
If you have a certificate on the CEM site servers (in this case we are using our own self-signed certificate), then make sure that:
Otherwise, if certificates remain untrusted between the servers (CEM, IGW, and the SMP), clients won’t be able to establish a successful connection via the cloud. The firewall (Windows or any other third-party) needs to allow inbound/outbound connections on ports 50120, 50121, 50123 and 50124. Please note that these ports are specifically used for Task Server; Symantec Management Platform uses other ports as well for various purposes.
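The firewall provision above, as an added PowerShell example (not Symantec’s own code or documentation): it opens exactly the four Task Server ports listed, nothing broader, and then checks each one from another intranet host with a plain TCP connect. The hostname `taskserver.example.internal` and the rule display names are placeholders; the outbound rule only matters on machines whose outbound default is set to block.

```powershell
#Requires -RunAsAdministrator
# Added example, not Symantec's own code. Opens the Task Server ports named above on the
# Windows firewall of a site server and checks them from another host.
# Placeholder values: the rule names and $SiteServer.
$TaskServerPorts = 50120, 50121, 50123, 50124

# On the Task Server: allow inbound TCP on exactly these ports (no "any port" rule).
New-NetFirewallRule -DisplayName 'SMP Task Server ports (inbound)' `
    -Direction Inbound -Protocol TCP -LocalPort $TaskServerPorts -Action Allow -Profile Domain, Private

# On hosts whose outbound default is Block: allow outbound to those ports.
New-NetFirewallRule -DisplayName 'SMP Task Server ports (outbound)' `
    -Direction Outbound -Protocol TCP -RemotePort $TaskServerPorts -Action Allow -Profile Domain, Private

# Verification from another intranet host: one TCP connect per port. A "reachable=False"
# line means a Windows or third-party firewall is still blocking, or nothing is listening.
$SiteServer = 'taskserver.example.internal'   # placeholder
foreach ($port in $TaskServerPorts) {
    $result = Test-NetConnection -ComputerName $SiteServer -Port $port -WarningAction SilentlyContinue
    '{0}:{1} reachable={2}' -f $SiteServer, $port, $result.TcpTestSucceeded
}
```

Scoping the rules to the Domain and Private profiles keeps the Task Server ports closed on the Public profile; adjust the profiles if your site servers are joined differently.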
Note:
Make sure that you have enabled HTTPS codebase publishing for your Package Server(s), because clients in CEM mode will download packages via HTTPS.
Open SMP Console > “Settings” > “Notification Server” > “Cloud-Enabled Management” > create the “Symantec Agent” web site with the “Create self-signed” certificate option.
Now there is a “Symantec Agent” web site with a self-signed certificate and a :4726 port binding.
Import the cert (this is the one you created with the Altiris cert generator).
About “CEM” gateway hardware requirements:
http://www.symantec.com/docs/DOC5670
• Choose location where Gateway will be installed.
• Proceed with next step.
• Start configuration wizard.
• Specify SSL listening port and IP Address for CEM Gateway.
• Specify common name of CEM Gateway server and other fields for self-signed certificate generation.
• Now you have installed CEM Gateway and there will be these tabs available in IGM UI.
In the “Servers” tab you add the SMP server’s “Symantec Agent” web site (:4726) and the other existing remote site servers, such as Package Server or Task Server (:443).
1. Specify the FQDN/hostname of your SMP server, where the “Symantec Agent” web site is running on port 4726, and click “OK”.
2. After that, CEM Gateway shows a “Certificate Warning” message (it offers to install the self-signed certificate of the “Symantec Agent” :4726 web site in “Trusted Root Certification Authorities” on your CEM Gateway machine).
• Click “Show Certificate”> click “Install Certificate”> choose “Trusted Root Certification Authorities” for Local Computer> click “OK”> After that click on “Ignore” button on “Certificate Warning” message.
4. After specifying the “Application Identity” account, reporting functionality is enabled for the added SMP server in CEM Gateway.
When you have added all required site servers in CEM Gateway, you can assign the “Default Internet Site” to these site server(s) on the Site Server Management page; otherwise these site server(s) will now serve all managed endpoints that are currently on the Internet.
You can read more about site assignments per site server in the SMP Console “Symantec Help Center”:
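The “Show Certificate > Install Certificate > Trusted Root Certification Authorities” step in the gateway, and the earlier pre-migration requirement that a machine trust Notification Server over HTTPS, both come down to the same operation: fetch the certificate the :4726 site presents, verify it is the one you generated, put it in the Local Computer Trusted Root store, and confirm the chain now builds. The script below is an added example (not Symantec’s own code or tooling) that does exactly that from PowerShell on the gateway or any managed machine. It assumes the SMP FQDN `smp.example.internal`, port 4726, and an expected thumbprint read from the SMP console out-of-band; all three are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not Symantec's own code. Scripts the manual "Show Certificate > Install
# Certificate > Trusted Root Certification Authorities" step and the trust check before CEM migration.
# Placeholders: $HostName (SMP server FQDN), $Port (the "Symantec Agent" web site port) and
# $ExpectedThumbprint (read from the SMP console, not from the network).
param(
    [string]$HostName = 'smp.example.internal',
    [int]$Port = 4726,
    [string]$ExpectedThumbprint = 'REPLACE-WITH-THUMBPRINT-FROM-SMP-CONSOLE'
)

# Fetch the certificate the site presents without trusting it yet: the validation callback
# always returns $true so the handshake completes even though the cert is self-signed.
function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

# Build a chain the way Windows does during the real handshake: this succeeds only when the
# issuer (for a self-signed cert, the cert itself) is in LocalMachine\Root. Revocation is
# skipped because a self-signed certificate publishes no CRL or OCSP responder.
function Test-CertificateTrusted {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($Cert)
    if (-not $ok) { $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation.Trim() } }
    return $ok
}

$cert = Get-RemoteCertificate -HostName $HostName -Port $Port
"Subject   : $($cert.Subject)"
"Issuer    : $($cert.Issuer)"
"NotAfter  : $($cert.NotAfter)"
"Thumbprint: $($cert.Thumbprint)"

# Pin on the thumbprint you read from the console: trusting whatever the network returned
# would let anything on the path substitute its own self-signed certificate.
if ($cert.Thumbprint -ne ($ExpectedThumbprint -replace '\s', '').ToUpper()) {
    throw "Thumbprint mismatch for ${HostName}:${Port}; not installing."
}

# The chain check does not cover the name; the CN/SAN must match the FQDN entered in the gateway.
$dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($dnsName -ne $HostName) {
    Write-Warning "Certificate name '$dnsName' does not match '$HostName'; agents and the gateway will report a name mismatch."
}

if (-not (Test-CertificateTrusted -Cert $cert)) {
    # Same effect as the wizard's "Trusted Root Certification Authorities" for Local Computer.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($cert)
    $store.Close()
}

if (Test-CertificateTrusted -Cert $cert) {
    "Chain builds: ${HostName}:${Port} is now trusted on this machine."
} else {
    throw "Certificate is still not trusted after import."
}
```

Run it once on the CEM Gateway instead of clicking “Ignore” on the warning, and on a test client before switching it to Internet mode; if the thumbprint line does not match what the SMP console shows, stop and find out what is answering on port 4726 before trusting anything.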
• Open SMP Console -> click “Help” -> “Context”
• Then type “Manual Assignment” in search field
Open SMP Console > “Settings” > “Notification Server” > “Cloud-enabled Management” > open the “Cloud-enabled Management Settings” policy > click the “Add Gateway” button > from the drop-down menu choose the common name of your CEM Gateway and save the changes.
Enable this policy and set an appropriate “Resource Target” to deliver these CEM policy settings to all required managed endpoints that will be switching from intranet to Internet.
Note: Be careful not to include unnecessary managed server(s), because if they have the CEM Settings policy applied, it will be impossible to set them as a Task Server.