An issue exists with SSL certificates: if a certificate is a Subject Alternative Name (SAN) type SSL certificate, the Site Server Communication Profile is populated with all systems in the SAN, by FQDN, instead of a single Site Server's FQDN. Having multiple systems in the list causes the agent to not connect to the correct Site Server. This affects DS imaging, as agents pick different Site Servers, and also prevents external Cloud Enabled Management (CEM) connected agents from connecting to internal Site Servers.
Periodically, when the Site Server communicates with the NS, the Site Server Profile is automatically updated, so any changes made by the Admin are removed.
This has been resolved in the attached Point Fix which is applicable to 8.0 HF4. 8.0 HF5 has the new Core Setting: DisableSiteServerProfileCertificateHostsPopulation which can be set to Enabled so that the Site Server Profiles can be manually edited. In order to create the Setting, please edit the option in NSConfigurator under Site Server.
The Pointfix attached to this KB is applicable to 8.0 HF4, which creates the DisableSiteServerProfileCertificateHostsPopulation option in CoreSettings.config.
8.0 HF5 has the setting DisableSiteServerProfileCertificateHostsPopulation which can be set to ENABLED in NSConfigurator if needed.
When the Site Server communicates with the NS, the Profile is updated, so any changes that are made by the Admin are removed.
Use NSConfigurator ("C:\Program Files\Altiris\Notification Server\Bin\Tools\NSConfigurator.exe") on the NS and enable the "DisableSiteServerProfileCertificateHostsPopulation" option. This creates the following entry in the CoreSettings.config file:
<customSetting key="DisableSiteServerProfileCertificateHostsPopulation" type="local" value="1" />
8.0 HF4: Install the HF attached to this KB, then change DisableSiteServerProfileCertificateHostsPopulation to ENABLED / 1.
8.0 HF5 onward: change DisableSiteServerProfileCertificateHostsPopulation to ENABLED / 1.
After saving the change, run the "NS.Site Server Profiles Syncronization" task in Windows Task Scheduler to process the change.
If the Site Server Communication Profiles are not generating properly, set DisableSiteServerProfileCertificateHostsPopulation to ENABLED and then edit Site Server Communication Profile as needed. These changes will then be saved.
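The following PowerShell check is an added example, not part of the original KB or the product. It lists the host names a Site Server certificate is valid for and reports whether the setting described above is enabled in CoreSettings.config. It assumes the certificate is in the LocalMachine\My store; the config file path and certificate thumbprint are parameters you supply, and the parameter names are hypothetical.

```powershell
# Added example (not vendor code). Run on the NS in an elevated PowerShell session.
param(
    # Full path to CoreSettings.config on the NS (supply your own; not given on this page)
    [Parameter(Mandatory)] [string] $CoreSettingsPath,
    # Thumbprint of the Site Server certificate to inspect (assumed to be in LocalMachine\My)
    [Parameter(Mandatory)] [string] $CertThumbprint
)

$settingKey = 'DisableSiteServerProfileCertificateHostsPopulation'

# 1. Host names the certificate covers. DnsNameList is added by the Cert: provider
#    and contains the SAN DNS entries (or the subject CN when no SAN is present).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $CertThumbprint }
if (-not $cert) {
    throw "Certificate $CertThumbprint not found in Cert:\LocalMachine\My"
}
$hosts = @($cert.DnsNameList | ForEach-Object { $_.Unicode } | Sort-Object -Unique)

# 2. Look for the customSetting entry in CoreSettings.config.
#    The XPath matches the element by key wherever it sits in the file.
[xml] $config = Get-Content -LiteralPath $CoreSettingsPath -Raw
$node    = $config.SelectSingleNode("//customSetting[@key='$settingKey']")
$present = $null -ne $node
$enabled = $present -and ($node.GetAttribute('value') -eq '1')

# 3. Report. A multi-host certificate with the setting absent or disabled is the
#    condition under which the profile is repopulated with every host.
[pscustomobject]@{
    CertificateHosts = $hosts -join ', '
    MultiHostCert    = $hosts.Count -gt 1
    SettingPresent   = $present
    SettingEnabled   = $enabled
}

if ($hosts.Count -gt 1 -and -not $enabled) {
    Write-Warning ("Certificate covers {0} hosts and $settingKey is not enabled; " +
        "manual edits to the Site Server Communication Profile will be overwritten.") -f $hosts.Count
}
```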