Note: Troubleshooting IIS and SSL issues should be done using information from Microsoft and its best practices.
The following are common issues that can exist when implementing SSL with SMP Server and links to articles that address each issue.
- The name on the certificate needs to match the name of the SMP Server. Certificates can be set up to use a wildcard such as *.Example.com; in this case any server that is part of Example.com would work correctly.
To check this, open a console using the HTTPS address and then double-click on the lock icon. The value after "Issued to" is the common name of the certificate. This needs to be exactly the same as the name of the SMP Server and the Web site that the agents are set up to communicate with. See the screenshot below.
It is possible to use a DNS alias but it is not recommended.
Note: Having the certificate set up to use the FQDN of the server and the clients set to address the server by its FQDN often helps.
- The certificate needs to be trusted. If it is a private certificate (one created on a local Certificate Authority), it needs to be installed to the Trusted Root Certificates. If it is a public certificate, it should already be trusted and should not need to be installed to the Trusted Root Certificates. Public certificates have many benefits over private ones and should be considered if possible.
Note: Opening a browser and installing the certificate does not install it to the Trusted Root Certificates; it installs it as a user certificate for Internet Explorer, which does not work for Altiris Agent communication.
- The current date needs to fall within the validity period specified in the certificate. The validity dates can be seen on the General tab of the certificate. See the screenshot below.
- Having communication going through port 80 for some clients and 443 for others does not work. The following is one example of problems caused by this.
If SSL is enabled, the code bases are created as HTTPS code bases. If SSL is not enabled, the code bases are created as HTTP code bases. This means the clients would need to have both ports open, have the certificate installed on all machines, and be communicating with the same server name. If these three requirements are met, then SSL communication could be used.
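
The name and date checks from the list above, as an added example (not code from the original article or from the product). It takes a certificate in the dictionary shape that Python's `ssl` module returns from `getpeercert()`; the host names and certificates are constructed samples, and trust in the Windows Trusted Root store is not checked here.

```python
import ssl
from datetime import datetime, timezone

def name_matches(pattern, host):
    """Exact match, or a wildcard covering exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == host

def _utc(cert_time):
    # Certificate times look like "Jan 15 00:00:00 2024 GMT"
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)

def certificate_problems(cert, agent_server_name, now=None):
    """Check the name the agents use and the validity dates; return problems found."""
    now = now or datetime.now(timezone.utc)
    problems = []
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # fall back to the "Issued to" common name
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(name_matches(n, agent_server_name) for n in names):
        problems.append(f"name mismatch: {agent_server_name} not in {names}")
    not_before, not_after = _utc(cert["notBefore"]), _utc(cert["notAfter"])
    if now < not_before:
        problems.append(f"not valid until {not_before:%Y-%m-%d}")
    if now > not_after:
        problems.append(f"expired on {not_after:%Y-%m-%d}")
    return problems

# Constructed sample certificates (not taken from any real server).
FQDN_CERT = {
    "subject": ((("commonName", "smp01.example.com"),),),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Jan 15 00:00:00 2025 GMT",
}
WILDCARD_CERT = dict(FQDN_CERT, subject=((("commonName", "*.example.com"),),))

if __name__ == "__main__":
    when = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed date inside the sample validity period
    for cert, name in [(FQDN_CERT, "smp01.example.com"), (FQDN_CERT, "smp01"),
                       (FQDN_CERT, "altiris.example.com"), (WILDCARD_CERT, "altiris.example.com")]:
        print(name, certificate_problems(cert, name, when) or "OK")
```

The short name and the DNS alias both fail against the FQDN certificate, while the alias passes against the wildcard certificate.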