The customer can't add the SMP into the Internet Gateway Server list.
When he tries, he gets this message:
"The underlying connection was closed: An unexpected error occurred on a send.."
He has 2 Internet Gateways. In the other Internet Gateway, the SMP is listed but when he tries to refresh it, he gets the same message.
Now, no CEM clients can connect to the SMP.
The Internet Gateway logs show these entries (with Trace verbosity turned on):
Entry 1:
Adding SMP server 'https://SMPServer.domain.com:4726'...
-----------------------------------------------------------------------------------------------------
Date: 7/16/2020 12:46:04 PM, Tick Count: 0 (00:00:00), Size: 300 B
Process: InternetGatewayManager (4992), Thread ID: 14, Module: InternetGatewayManager.exe
Entry 2:
Trying to get Web certificate. Request: https://SMPserver.domain.com:4726/Altiris
-----------------------------------------------------------------------------------------------------
Date: 7/16/2020 12:46:04 PM, Tick Count: 0 (00:00:00), Size: 325 B
Process: InternetGatewayManager (4992), Thread ID: 14, Module: InternetGatewayManager.exe
Entry 3:
Failed to validate server certificate.
-----------------------------------------------------------------------------------------------------
Date: 7/16/2020 12:46:04 PM, Tick Count: 0 (00:00:00), Size: 279 B
Process: InternetGatewayManager (4992), Thread ID: 14, Module: InternetGatewayManager.exe
Entry 4:
Trying to get Server certificate. Request: https://SMPserver.domain.com:4726/Altiris/NS/Agent/GetServerCertificate.aspx?CRL=False&Version=8.5.5032.0&Guid=702f6bc6-4eee-4ab2-8074-834443d7866a
-----------------------------------------------------------------------------------------------------
Date: 7/16/2020 12:46:04 PM, Tick Count: 0 (00:00:00), Size: 434 B
Process: InternetGatewayManager (4992), Thread ID: 14, Module: InternetGatewayManager.exe
Entry 5:
Web exception occurred during Server certificate request - The underlying connection was closed: An unexpected error occurred on a send..
-----------------------------------------------------------------------------------------------------
Date: 7/16/2020 12:46:04 PM, Tick Count: 0 (00:00:00), Size: 379 B
Process: InternetGatewayManager (4992), Thread ID: 14, Module: InternetGatewayManager.exe
His Internet Gateway was up-to-date and TLS 1.0, 1.1, 1.2 were enabled. The SMP had TLS 1.1 and 1.2 enabled.
When we try the referenced URL from the gateway logs, we get the expected response (a PEM-encoded certificate):
https://SMPServer.domain.com:4726/Altiris/NS/Agent/GetServerCertificate.aspx
ITMS 8.5, 8.6
TLS version mismatch between both servers. Since the SMP didn't have TLS 1.0 enabled and the Internet Gateway had it turned on, the Internet Gateway was trying to communicate using TLS 1.0 first.
There was a problem with the Gateway web API on the Internet Gateway, which always uses TLS 1.0. The .NET Core API uses the first available TLS version and can't be configured to use a particular one.
Make sure the TLS versions match on both servers.
Either enable TLS 1.0 on the SMP (so that it matches the Internet Gateway, where TLS 1.0 was enabled) or disable TLS 1.0 on the Internet Gateway so that TLS 1.1 and 1.2 are the only ones active.
Note:
In another instance of this issue, the customer worked with his network team. The issue was a missed configuration on their firewall. They had to make the following change:
"Create a firewall rule to allow tcp/4726 explicitly, it was originally missing this rule."
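To tell the two causes above apart, the following PowerShell probe can be run on the Internet Gateway server against the SMP. It is an added example, not vendor code: the function name Test-TlsVersion is hypothetical, and the host name and port are the placeholder values from the log entries above. A failure at the TCP connect stage matches the firewall case in the note, while a handshake failure for only some versions matches the TLS mismatch.

```powershell
# Added diagnostic example, not vendor code. Run on the Internet Gateway server.
param(
    [string]$SmpHost = 'SMPServer.domain.com',  # placeholder host from the log above
    [int]$Port = 4726
)

function Test-TlsVersion {   # hypothetical helper name
    param([string]$HostName, [int]$Port,
          [System.Security.Authentication.SslProtocols]$Protocol)

    $row = [ordered]@{ Protocol = "$Protocol"; Stage = 'TCP connect'; Result = '' }
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        # Stage 1: plain TCP. A failure here is a routing/firewall problem, not TLS.
        $client.Connect($HostName, $Port)
        $row.Stage = 'TLS handshake'

        # The callback accepts any certificate because only protocol negotiation is
        # being tested; nothing is sent over the stream after the handshake.
        $anyCert = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $anyCert)
        try {
            # Stage 2: offer exactly one protocol version to the server.
            # A version disabled for clients on this machine also fails here.
            $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
            $row.Result = "OK ($($ssl.SslProtocol))"
        } finally { $ssl.Dispose() }
    } catch {
        $row.Result = 'FAILED: ' + $_.Exception.GetBaseException().Message
    } finally { $client.Close() }
    [pscustomobject]$row
}

$P = [System.Security.Authentication.SslProtocols]
$results = @(foreach ($v in $P::Tls, $P::Tls11, $P::Tls12) {
    Test-TlsVersion -HostName $SmpHost -Port $Port -Protocol $v
})
$results | Format-Table -AutoSize

$tcpFailed = @($results | Where-Object { $_.Stage -eq 'TCP connect' })
$tlsFailed = @($results | Where-Object { $_.Stage -eq 'TLS handshake' -and $_.Result -like 'FAILED*' })
if ($tcpFailed.Count -eq $results.Count) {
    Write-Warning "No TCP connection to ${SmpHost}:$Port. Check the firewall rule for this port."
} elseif ($tlsFailed.Count -gt 0 -and $tlsFailed.Count -lt $results.Count) {
    Write-Warning ("Handshake refused for: " + ($tlsFailed.Protocol -join ', ') +
                   ". Align the enabled TLS versions on both servers.")
}
```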
176372 "Can't add SMP server to the gateway"