If TLS 1.0/1.1 is disabled on SMP Server, the SMA fails to register after it has been installed using AeXNSC.exe

Article ID: 208001

Products

Management Platform (Formerly known as Notification Server)

Issue/Introduction

If TLS 1.0/1.1 is disabled on SMP Server, the Symantec Management Agent (SMA) fails to register after it has been installed using AeXNSC.exe.

Registration works fine with the AeXNSHTTP(s).exe packages.

Steps To Reproduce:

  • Configure the communication profile and targeted settings to switch all communication to TLS 1.2
  • Disable TLS 1.0/1.1 on the SMP server
  • Install the agent with AexNSC.exe /web:/server_fqdn/altiris
  • After a successful installation, the agent cannot register
  • The agent can register once TLS 1.0/1.1 is enabled again on the SMP

After registration, the agent can switch to TLS 1.2.

Cause

When aexnsc.exe does not have a connection profile to use, it falls back to the default hardcoded profile, in which TLS 1.1/1.2 are OFF. This was done on purpose, because at one time enabling TLS 1.1/1.2 without proper enablement on the server could cause the connection to fail on some operating systems.
In 8.5 RU4 you can pass aexnsc.xml to aexnsc.exe; aexnsc.xml is now part of the client installation package. It is the same aexnsc.xml that can be found inside aexnschttp.exe.
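
To confirm that a server matches the condition described above, the following added example (not part of the original article or of the product) reports the SCHANNEL state of each TLS version. It assumes TLS was disabled through the standard Windows SCHANNEL registry settings; the function name `Get-SchannelProtocolState` is hypothetical.

```powershell
# Added example: report the SCHANNEL registry state of TLS 1.0/1.1/1.2.
# Assumption: protocols were disabled via the standard SCHANNEL registry keys.
$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    param(
        [string[]]$Protocol = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2'),
        # 'Server' covers inbound connections (the SMP side of agent registration).
        [ValidateSet('Server', 'Client')][string]$Role = 'Server'
    )
    foreach ($p in $Protocol) {
        $key     = Join-Path $SchannelBase "$p\$Role"
        $enabled = $null
        $dbd     = $null
        if (Test-Path -LiteralPath $key) {
            $props   = Get-ItemProperty -LiteralPath $key
            $enabled = $props.Enabled            # 0 = disabled, non-zero = enabled
            $dbd     = $props.DisabledByDefault  # 1 = used only when explicitly requested
        }
        # A missing key or value means the OS default applies, not "disabled".
        $state = if ($null -eq $enabled) { 'OS default (no explicit value)' }
                 elseif ($enabled -eq 0) { 'Disabled' }
                 else                    { 'Enabled' }
        [pscustomobject]@{
            Protocol          = $p
            Role              = $Role
            Enabled           = $enabled
            DisabledByDefault = $dbd
            State             = $state
        }
    }
}

# Run on the SMP server in an elevated PowerShell session.
Get-SchannelProtocolState | Format-Table -AutoSize
```

If TLS 1.0 and 1.1 both show as Disabled for the Server role, an agent installed with aexnsc.exe and no connection profile will hit the registration failure described in this article.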

Environment

ITMS 8.1, 8.5

Resolution

This issue has been fixed in the ITMS 8.6 release, where all TLS versions are enabled by default.

TLS 1.0, 1.1 and 1.2 are now enabled on operating systems starting with Windows 7.

TLS 1.0 is enabled on XP/2003/Vista/2008. TLS 1.1 and 1.2 are not supported there.