How to move a Cloud Detection Server to another Enforce Server

Article ID: 172768

Products

  • Data Loss Prevention Cloud Service for Email
  • Data Loss Prevention Cloud Detection Service
  • Data Loss Prevention Cloud Package
  • Data Loss Prevention
  • Data Loss Prevention Cloud Detection Service for ICAP
  • Data Loss Prevention Cloud Detection Service for REST

Issue/Introduction

You need to move your Cloud Detection Server to another Enforce Server and need to know what steps to take.

If an old enrollment bundle is used on a different Enforce server than the one to which the Detector is bound, enrollment fails with errors similar to those listed in "DLP Cloud Service enrollment: error requesting client certificate from Symantec Managed PKI Service" (broadcom.com).

Environment

This technote applies to all of the following types of Cloud Detectors:

  • CDS for REST/App Detection (integrated with CASB)
  • CDS for REST/proxy traffic (integrated with WSS)
  • CDS for ICAP/proxy traffic (integrated with WSS)
  • Cloud Service for Email (integrated with O365 or Gmail)

Cause

Cloud Detection Servers are somewhat different from on-premise servers in that they "bind" to a specific Enforce server. Every Enforce server has a unique ID (visible in the Enforce Management Console when viewing the settings for Enforce).

Therefore, to move a Cloud Detector to a new Enforce server, additional assistance is needed from Technical Support.

Resolution

Open a new support case, identifying the Cloud Service as your product, and provide the details of what is happening (or, if the Enforce server experienced a hard failure, what has already happened).

Support will collect details, and involve other Symantec engineers as needed to unbind the Detector and allow a new enrollment bundle to be generated.