Cloud Enabled Management (CEM) High Level Implementation Guide
search cancel

Cloud Enabled Management (CEM) High Level Implementation Guide


Article ID: 217904


Updated On:


Client Management Suite IT Management Suite Server Management Suite


Customers would like a high-level overview of the steps required to implement Cloud-Enabled Management (CEM) in an existing ITMS installation


ITMS 8.x


What is Cloud Enabled Management?

Cloud-enabled Management lets you manage client computers over the Internet even if they are outside of the corporate environment and cannot access the management servers directly. The managed computers do not need to use a VPN connection to your organization's network.

Visualization of basic CEM-enabled network:

When you implement Cloud-enabled Management, the Notification Server computer and site servers are not directly exposed to the Internet. Therefore, Symantec Management Agent communicates with the Notification Server computer and the site servers through an Internet gateway. The configured Internet Gateway doesn't hold packages and its only function is to broker communication between agents and the SMP environment.

CEM is not a VPN replacement and no VPN is required.

You can apply Cloud-enabled Management in the following scenarios:

  • An organization with many employees traveling or working outside the office (outside the corporate intranet).
  • A managed service provider (MSP) managing external companies.
  • Highly distributed companies with many small offices or employees working from home.

Configuring your environment to use SSL is a prerequisite for setting up Cloud-enabled Management (CEM). After you configure your environment to use SSL and agents are successfully communicating over SSL, you can then set up Cloud-enabled Management.

CEM supports the use of self-signed/SMP-generated certificates as well as 3rd party certificates.

Supported Gateway Implementations
(Highly scalable)

Implementing Cloud-Enabled Management in an existing ITMS installation:

Step 1: Enable SSL in your environment. Do not proceed if agents are unable to communicate over SSL.

Step 2: Configure the Cloud-enabled Management Agent IIS Website Settings.

A separate agent site on Notification Server is required for Cloud-enabled agents. This site contains only agent interfaces and does not provide access to any of the Symantec Management Console pages. It also performs additional certificate and resource access checks to enforce security measures for the agents connecting from the Internet.

Configuration of the site is performed from the SMP console and can be found in the following location: Settings > Notification Server > Cloud-enabled Management > Setup > Cloud-enabled Management Agent IIS Website Settings

Step 2: Install Internet Gateway on a supported server in your DMZ.

The Internet Gateway installation package can be generated/downloaded from the SMP console in the following location: Settings > Notification Server > Cloud-enabled Management > Setup > Cloud-enabled Management Setup > Internet Gateway Setup tab.

  • Transfer the installation package to your Internet Gateway server in the DMZ using any secure method of your choice.
  • Once on the package is on the IG, double-click the .msi and walk through the installation (.NET is required for installation)
  • Open the Gateway Manager to begin settings configuration
    • Configure IP information
    • Configure FIPS (optional)
    • Generate self-signed or import 3rd party certificate
    • Specify service account
  • Copy the thumbprint of the gateway certificate (as seen on Gateway Manager)

Step 3 (Optional): Assign site servers to the internet site. Internet site servers serve CEM-enabled agents and help to offload SMP processing.

  • Create IIS Site Server binding for incoming traffic from Internet Gateway and CEM-enabled agents
    • Settings > Notification Server > Site Server Settings > Global Site Server Settings. The default binding is 4726 but is customizable. Checking the box "Install certificate" will install the self-signed certificate. If using 3rd party certificate, leave the box unchecked

  • (Optional) Assign site server/s to Default Internet Site to serve CEM agents (Do not add the notification server to Internet Sites). Site Management > Site Servers:

Once IIS is updated with the correct binding and certificate, proceed to step 4

Step 4: Open Gateway Manager on Internet Gateway Server

  • Click on the "Servers" tab and add the Notification Server/SMP and any Internet Site Servers you added to "Default Internet Site". When adding the NS/SMP, you may be prompted to enter credentials for the NS. Use the application identity/service account of the NS. Proper credentials are needed for log forwarding to the NS/SMP

Step 5: Configure one or more Cloud-enabled Management Settings policies in the SMP console

  • Navigate to Settings > Notification Server > Cloud-enabled Management > Policy > Cloud-enabled Management Settings
  • Add the internet gateway. Specify externally resolvable FQDN, port for agent communication to the internet gateway (443 default), and the IG certificate thumbprint captured in step 2.
  • Apply the policy to any agents you wish to enable CEM on. An agent must be targeted by at least 1 CEM policy for them to communicate off of the LAN through CEM.
  • For any agents who are not able to receive the policy, an offline CEM installation package can be generated from Settings > Notification Server > Cloud-enabled Management > Setup > Cloud-enabled Management Setup. The offline installation package can then be delivered to the machine through an alternate method of your choice. The offline package has the ability to automate certificate distribution which is recommended.
  • Enable/turn on the policy

Step 6: Verify CEM enabled agents are able to communicate off the LAN

  • When an agent is no longer able to reach the NS/SMP through the LAN, they should attempt to reach the NS/SMP through the internet gateway. If a successful connection is made through the internet gateway, the agent status will show Cloud-Enabled Management active, and connected. You will also see a small cloud icon on the agent in the system tray.
  • If CEM agents are not able to make a connection through the internet gateway, agent logs should provide insight into the issue. Agent logs can be found in the following location on the endpoint: <InstallDirectory>\ProgramData\Symantec\Symantec Agent\Logs

Note: Starting with 8.6 RU1, CEM connections in WinPE environments are supported for running tasks and jobs (Deployment Solution). 

Additional Information

White Paper - Cloud-enabled Management for ITMS