Configuring Cloud-Enabled Management (CEM) in ITMS 8.7 and 8.8

Article ID: 216202


Products

IT Management Suite Client Management Suite

Issue/Introduction

You are looking for guidance on how to properly install and configure Cloud-Enabled Management (CEM) in IT Management Suite (ITMS) 8.7 and 8.8 to allow managed endpoints to communicate securely over the Internet.

Common reported symptoms include:

  • Internet-based agents not reporting to the Notification Server

  • Internet Gateway not appearing as “Online”

  • Agents failing to switch from intranet to cloud communication

  • Certificate or IIS binding errors

Environment

ITMS 8.7.x and 8.8.x

Cause

Cloud-Enabled Management (CEM) enables managed endpoints to securely communicate with the Notification Server (NS) over the Internet using the Internet Gateway (IG).

In ITMS 8.7 and 8.8, proper CEM configuration requires:

  • Valid public SSL certificates

  • Proper IIS configuration

  • Internet Gateway installation and registration

  • Correct agent policy assignment

  • Open firewall ports

Misconfiguration of any of these components commonly prevents cloud-based agent communication.

Most CEM deployment failures are caused by one or more of the following:

  1. Incorrect or missing SSL certificate bindings in IIS

  2. Internet Gateway not properly registered with the Notification Server

  3. Firewall blocking required HTTPS traffic (default 443)

  4. Cloud-Enabled Management policy not applied to agents

  5. Expired or revoked CEM certificates

Resolution

Setting up and configuring your environment for Cloud-enabled Management requires some preparation on the network side. The main documents to start with are:


Cloud-enabled Management for ITMS

About Cloud-Enabled Management

Cloud Enabled Management (CEM) High Level Implementation Guide

 

The general configuration sequence is as follows:

Important: Always configure components based on your network needs.


Step 1 – Prepare the Environment

Ensure:

  • Public DNS name resolves externally

  • Port 443 is open externally

  • Valid public SSL certificate installed

  • Server meets ITMS 8.7 / 8.8 requirements


Step 2 – Install Internet Gateway

  1. In the SMP Console, go to:

    Settings > Notification Server > Cloud-enabled Management

  2. Download the Internet Gateway installation package.

  3. Install on a dedicated server in the DMZ.

  4. During installation, provide:

    • Notification Server FQDN

    • Certificate information


Validate Installation

On the Internet Gateway server:

  • Check services:
     
    services.msc
     
  • Verify:

    Symantec Internet Gateway Service = Running

  • Check logs:

    C:\ProgramData\Symantec\SMP\Logs\

     
  • Look for:

    a.log

  • Expected log entry:
     
    Internet Gateway successfully registered with Notification Server
     

Step 3 – Configure IIS Bindings

  1. On Internet Gateway: Open IIS Manager
  2. Select Default Web Site

  3. Click Bindings

  4. Ensure HTTPS binding:

    • Port 443

    • Correct public certificate assigned
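
The binding check in Step 3 can also be scripted. The following PowerShell is an added example, not part of the original article or the product's own tooling. It assumes the WebAdministration module is available on the server and is run from an elevated prompt; the 30-day warning threshold is an assumed value.

```powershell
# Added example: audit the HTTPS binding from Step 3 and the certificate behind it.
# Assumptions: WebAdministration module present; certificate is in a LocalMachine store.
Import-Module WebAdministration

$siteName = 'Default Web Site'   # site named in Step 3
$warnDays = 30                   # assumed warning threshold, not from the article

# bindingInformation has the form "IP:port:hostname", e.g. "*:443:"
$bindings = Get-WebBinding -Name $siteName -Protocol 'https' |
    Where-Object { $_.bindingInformation -match ':443:' }

if (-not $bindings) {
    Write-Warning "No HTTPS binding on port 443 found for '$siteName'."
    return
}

foreach ($b in $bindings) {
    $thumb = $b.certificateHash
    $store = $b.certificateStoreName

    if ([string]::IsNullOrEmpty($thumb)) {
        Write-Warning "Binding $($b.bindingInformation) has no certificate assigned."
        continue
    }

    $cert = Get-Item -Path "Cert:\LocalMachine\$store\$thumb" -ErrorAction SilentlyContinue
    if (-not $cert) {
        Write-Warning "Certificate $thumb is bound but missing from LocalMachine\$store."
        continue
    }

    $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    if     ($daysLeft -lt 0)         { $status = 'EXPIRED' }
    elseif ($daysLeft -lt $warnDays) { $status = 'EXPIRING' }
    else                             { $status = 'OK' }

    [pscustomobject]@{
        Binding       = $b.bindingInformation
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        DaysLeft      = $daysLeft
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)   # a public CA cert should be False
        HasPrivateKey = $cert.HasPrivateKey                # must be True for IIS to serve it
        Status        = $status
    }
}
```

A row with Status other than OK, SelfSigned = True, or HasPrivateKey = False points to the certificate binding causes listed under Cause.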


Step 4 – Enable Internet Gateway Status Reporting

  • In SMP Console, go to:

    Settings > Notification Server > Internet Gateway

  • Enable:

    Status reporting

  • Confirm Internet Gateway appears as:

    Online

Step 5 – Configure Cloud-Enabled Management Policy

  1. Go to:

    Manage > Policies > Agents/Plug-ins > Cloud-enabled Management Settings

  2. Edit the Default Cloud-Enabled Management Settings Policy.

  3. Enable:

    • Allow cloud communication

  4. Assign policy to appropriate target.


Force Agent to Switch to Internet Mode (Optional Diagnostic)

  1. On client machine:
     
    "C:\Program Files\Altiris\Altiris Agent\AeXAgentUtil.exe" /Server
     
  2. Verify Internet Gateway is listed.

  3. Check client log:
     
    C:\ProgramData\Symantec\SMA\Logs\Agent.log
     
  4. Expected:
     
    Switching to Internet Gateway mode
     

Step 6 – Generate Offline CEM Package (If Needed)

If client cannot reach internal network:

  1. Navigate to:

    Settings > Notification Server > Cloud-enabled Management

  2. Generate Offline Package

  3. Install on endpoint manually


Troubleshooting Reference Table

| Symptom             | Log Location | Likely Cause              | Action                  |
|---------------------|--------------|---------------------------|-------------------------|
| IG not Online       | a.log        | Registration failure      | Re-run IG configuration |
| Agent not switching | agent.log    | Policy not applied        | Check policy targeting  |
| 403 IIS error       | IIS logs     | Certificate binding issue | Verify HTTPS binding    |
| Certificate revoked | agent.log    | Expired certificate       | Revoke and regenerate   |

Maintenance Tasks

  • Revoke CEM certificate if compromised

  • Back up Internet Gateway configuration

  • View site server certificates

  • Configure F5 BIG-IP LTM if load balancing traffic

  • Review CEM reports


Log Locations (ITMS 8.7 / 8.8)

| Component           | Path                             |
|---------------------|----------------------------------|
| Notification Server | C:\ProgramData\Symantec\SMP\Logs |
| Internet Gateway    | C:\ProgramData\Symantec\SMP\Logs |
| Agent               | C:\ProgramData\Symantec\SMA\Logs |

Validation

After configuration:

  1. Agent appears in console as Internet-connected

  2. IG shows Online

  3. Policies update successfully

  4. Inventory uploads complete


 

Other follow-up topics that can assist you to configure your CEM implementation:

Preparing Your Environment for Cloud-enabled Management

Setting up Cloud-Enabled Management

Configuring the Cloud-Enabled Management Agent IIS Website Settings

Setting up Internet Gateway

About Preparing the Internet Gateway Computer

Downloading and Running the Internet Gateway Installation Package

Configuring the Internet Gateway

Enabling the Internet Gateway Status Reporting

Configuring Sites and Site Servers to Serve Cloud-enabled Agents

Configuring the Cloud-Enabled Management Settings Policy

Generating and Installing the Cloud-Enabled Management Offline Package

Cloud-Enabled Management Troubleshooting and Maintenance Tasks

Revoking a Cloud-enabled Management certificate

Viewing the site server certificates

Forcing the Symantec Management Agent to use a specified Internet gateway

Backing up and restoring an Internet gateway

How to configure F5 BIG-IP Local Traffic Manager to work with the ITMS Cloud-enabled Management traffic

Viewing Cloud-enabled Management reports