The customer reported that none of his client machines in CEM mode (Cloud-Enabled Management) are able to talk to the SMP.
The agent logs show messages like these:
Calling NS server endpoint 'HTTPS://example.com:443/altiris/NS/Agent/ConnectionTest.asp', ID: {0D9D9CB4-C19A-4E16-A3CC-98940ED043D0}
-----------------------------------------------------------------------------------------------------
HTTP request redirected from HTTPS://example.com:443/altiris/NS/Agent/ConnectionTest.asp to HTTPS://www.yourdomain.com/altiris/NS/Agent/ConnectionTest.asp
-----------------------------------------------------------------------------------------------------
Request 'HTTPS://example.com:443/altiris/NS/Agent/ConnectionTest.asp' failed, COM error: The Local Security Authority cannot be contacted (0x80090304)
Calling NS server endpoint 'HTTPS://example.com:443/altiris/NS/Agent/ConnectionTest.asp', ID: {0D9D9CB4-C19A-4E16-A3CC-98940ED043D0}
-----------------------------------------------------------------------------------------------------
Date: 7/3/2019 10:04:40 AM, Tick Count: 73980073 (20:33:00.0730000), Size: 372 B
Process: AeXNSAgent.exe (6556), Thread ID: 5508, Module: AeXNSAgent.exe
Priority: 4, Source: Agent
HTTP request redirected from HTTPS://example.com:443/altiris/NS/Agent/ConnectionTest.asp to HTTPS://www.yourdomain.com/altiris/NS/Agent/ConnectionTest.asp
-----------------------------------------------------------------------------------------------------
Date: 7/3/2019 10:04:41 AM, Tick Count: 73980478 (20:33:00.4780000), Size: 401 B
Process: AeXNSAgent.exe (6556), Thread ID: 5508, Module: AeXNetComms.dll
Priority: 4, Source: HttpTransfer
Request 'HTTPS://example.com:443/altiris/NS/Agent/ConnectionTest.asp' failed, COM error: The Local Security Authority cannot be contacted (0x80090304)
-----------------------------------------------------------------------------------------------------
Date: 7/3/2019 10:04:41 AM, Tick Count: 73980681 (20:33:00.6810000), Size: 397 B
Process: AeXNSAgent.exe (6556), Thread ID: 5508, Module: AeXNSAgent.exe
Priority: 2, Source: ConfigServer
ITMS 8.5 or later
Network configuration by the customer.
The customer created the 'nsc-altirisns.abcdomain.com' DNS record and pointed it to a fake IP. It appears that the Symantec agent will think it is internal if any web server responds, even though that server is not its own and cannot authenticate, and it will not try to bounce to the gateway. With the fake IP there is nothing there to respond and it is redirected.
Due to the customer's network configuration, our Symantec Management Agent will not try connecting using other FQDN names from the agent communication profile, or via proxy, or via gateway, because it considers that it has already successfully connected to the server based on the "apparent" response received for the FQDN.
All of our alternative connection methods come into play only if the agent cannot physically establish a TCP connection to the server; if it cannot, it will then try the different FQDNs from the profile, the proxy and the gateway.
Fix network configuration.
As a workaround, add the IP address and the SMP Fully Qualified Domain Name to the Hosts file on one of those machines and test that it is able to reach the SMP without being redirected to the fake address.
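To check an agent log for this condition, for example before and after applying the Hosts-file workaround, the following added example (not Symantec code) scans log text for a redirect to a different host followed by a failed request to the same endpoint. The sample input reuses the messages quoted above plus one constructed control entry; the function and variable names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Message formats as they appear in the agent log lines quoted in this article.
REDIRECT = re.compile(r"HTTP request redirected from (\S+) to (\S+)")
FAILED = re.compile(r"Request '([^']+)' failed, COM error: .*\((0x[0-9A-Fa-f]{8})\)")

def host(url):
    """Lower-cased host of a URL, ignoring port and scheme case."""
    return (urlsplit(url).hostname or "").lower()

def find_foreign_redirects(log_text):
    """Report endpoints that were redirected to another host and then failed.

    That pattern means a server answered for the SMP's name but was not the
    SMP, so the agent did not move on to other FQDNs, the proxy or the gateway."""
    redirects = {}  # requested URL -> redirect target on a different host
    findings = []
    for line in log_text.splitlines():
        m = REDIRECT.search(line)
        if m:
            src, dst = m.groups()
            if host(src) != host(dst):
                redirects[src] = dst
            continue
        m = FAILED.search(line)
        if m and m.group(1) in redirects:
            findings.append({"endpoint": m.group(1),
                             "redirected_to": host(redirects.pop(m.group(1))),
                             "error": m.group(2)})
    return findings

# Sample input: the three messages quoted above, plus one constructed control
# entry (a failure with no preceding redirect) that must not be reported.
SAMPLE = """\
Calling NS server endpoint 'HTTPS://example.com:443/altiris/NS/Agent/ConnectionTest.asp', ID: {0D9D9CB4-C19A-4E16-A3CC-98940ED043D0}
HTTP request redirected from HTTPS://example.com:443/altiris/NS/Agent/ConnectionTest.asp to HTTPS://www.yourdomain.com/altiris/NS/Agent/ConnectionTest.asp
Request 'HTTPS://example.com:443/altiris/NS/Agent/ConnectionTest.asp' failed, COM error: The Local Security Authority cannot be contacted (0x80090304)
Request 'HTTPS://smp.example.net:443/altiris/NS/Agent/ConnectionTest.asp' failed, COM error: constructed control entry (0x00000000)
"""

if __name__ == "__main__":
    for f in find_foreign_redirects(SAMPLE):
        print(f"{f['endpoint']} -> {f['redirected_to']} then failed with {f['error']}")
```

An empty result after the network configuration is fixed indicates the agent is no longer being answered by a foreign web server for the SMP's name.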