ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Issues while using “Prefer CEM connection if connected to VPN” setting

book

Article ID: 226695

calendar_today

Updated On:

Products

IT Management Suite

Issue/Introduction

The customer is trying to use the option "Prefer CEM gateway connection if VPN connection is established".

What he has noticed is that if VPN is connected before the Symantec Management Agent (SMA or Altiris Agent) service starts, it does not flip to CEM mode.  If he shuts down the VPN connection, it allows the SMA to flip over to CEM mode. Then if he logs back onto VPN, then it stays on CEM mode and packages do NOT download over VPN as is the desired outcome.

 

 

 

 

Cause

A little background on these "Prefer CEM gateway connection" and "Prefer CEM gateway connection if VPN connection is established" settings:

"Prefer CEM gateway connection if VPN connection is established" setting would force the client to download packages (such as large Office 365 patch packages) over the internet vs. using the VPN adapter.  

Under:
https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/it-management-suite/ITMS/Administration/setting-up-cloud-enabled-management-v75537313-d846e4412/configuring-the-policy-v38974730-d846e5222.html

mentions:

Prefer CEM connection if connected to VPN (Available starting from 8.6) 
Lets you continue managing your devices using Cloud-enabled Management if there is a VPN connection established on these devices. 
You define VPN adapters on the Global Agent Settings page.

 

This feature should switch Agent to CEM state, thus SMA will not use VPN traffic and should work through another adapter (through CEM).

We have tested on the latest code (ITMS 8.6 RU1): Without "Persistent connection" (WebSockets) the feature is working correctly. Switches between modes depending on check-boxes upon policy receive. But when "Persistent connection to NS" is enabled, then it does not reset upon policy change and work as the customer described: only after SMA restart does it jump to CEM. Looks like persistent connection is not reset when this part of the policy is changed, and thus new settings do not come into force for this connection.

In the case of "Prefer CEM connection" setting, it does exactly what it has in its name: if selected, then the CEM connection will be preferred by SMA over other connections. When this setting is received - Altiris Agent will switch to CEM mode, of course, if CEM settings exist on the agent and are valid, then the agent can connect through CEM mode. When this setting is checked, SMA will not bother with VPN at all, so this setting actually "includes" its "VPN" version of "Prefer CEM gateway connection if VPN connection is established" setting.

Here are some points which maybe help you understand how to set up this feature correctly:

1. The Altiris Agent icon is a reflection of the connection mode which is used to connect to the SMP. The one which is used for policy renewal and Basic Inventory and other Post events to the SMP.
The package download is a separate process and it does not affect the agent icon. Especially if the download is done from some Package Server. 

2. The Altiris Agent itself does not decide which network adapter to use or which network connection to use. It is done by Windows. The Altiris Agent just decides whether it is calling to the SMP/PS or it is calling to the Gateway. And here it is important how routing is done on the machine. Normally the Gateway and the SMPs/PS-es are available through different network connections, thus when VPN is ON, CEM traffic is not covered by VPN services. In case when both (SMP/PS and Gateway) are routed through the very same network connection (which is covered by VPN), then the "Prefer" check-boxes will not help to avoid VPN traffic.

3. Pay attention that the adapter list in Targeted Settings is called "VPN Adapters Detection". This means that adapters added to this list will be treated by the agent as VPN, and if the agent sees it has any of those adapters "active" on the system, the agent will decide that "VPN is active" and will mark own connections with a flag to prefer to call the Gateway (if the checkbox is selected), instead of calling SMP/PS directly. 

4. If the Altiris Agent is in CEM mode and connected to SMP via gateway - and the traffic goes through VPN because the gateway is available in VPN subnet, then the Altiris Agent connects via VPN because Windows routing is configured this way.

5. If the Altiris Agent is in direct mode because it sees NS via VPN adapter - then the traffic goes through VPN.

 

The issue of not respecting "Prefer CEM gateway connection if VPN connection is established" was because the first persistent connection to SMP was established directly while the second to Task Server (TS) via CEM gateway. Ideally, both connections should go via the CEM gateway.

Two persistent connections are being established - to SMP and TS. The first one goes through VPN, the second through CEM gateway.

The two lines below from the throttling engine help find out which adapters and which IP addresses are active at the Altiris Agent start:

'Check Point Virtual Network Adapter For Endpoint VPN Client bandwidth controller is referenced by 'Global\AeX {D55B3D95-9785-4A1B-A61F-2A4EB49A787B} 10.1.178.170'

'Intel[R] Dual Band Wireless-AC 826*5' bandwidth controller is referenced by 'Global\AeX {D55B3D95-9785-4A1B-A61F-2A4EB49A787B} 192.168.1.81'

SMP persistent connection uses  profile {ff291251-7dd6-482c-ac39-c21bf4bec633}', this ID can be found from the line below:

[10:IN: 620 -> 0, RECV: 8007EC19] TLS 1.0, 1.1, 1.2 are enabled in profile '{ff291251-7dd6-482c-ac39-c21bf4bec633}'

Then logs show that persistent connection to SMP is being established via CheckPoint VPN adapter, that means SMP IP address 10.9.2.212 is routable via VPN adapter

[10:IN: 620 -> 0, RECV: 8007EC19] Connecting to target server 'smpapp1.domain.com' at 10.9.2.212:443, attempt 1
Allocated bandwidth channel 255 for adapter 'Global\AeX{D55B3D95-9785-4A1B-A61F-2A4EB49A787B} Check Point Virtual Network Adapter For Endpoint VPN Client' by reference 'Global\AeX{D55B3D95-9785-4A1B-A61F-2A4EB49A787B}10.1.178.170'

[10:OUT_SRV: 620 -> 684, CONN: 8007EC16] Target server 'smpapp1.domain.com:443' connected

 Then TS persistent connection is being established and logs say that CEM connection is preferred here and connection goes through CEM gateway

[11:IN: 66C -> 0, RECV: 8007EC19] CEM gateway connection is preferred while connecting to 'smpapp1.domain.com:443;smpapp1:443;smpapp1.domain.com:4726;smpapp1:4726', error: The operation completed successfully (0x00000000)

[12:IN: CD4 -> 0, RECV: 8007EC1E] Connecting to CEM gateway 'smpapp1.domain.com' at 162.74.99.95:443, attempt 1

 

Two fixes were made:

1. fixed race condition between VPN adapter detection after SMA start and persistent connection establishment

2. download codebase selection prefers HTTPS over UNC and HTTP in case CEM is preferred connection method

Environment

ITMS 8.6 RU1

Resolution

This issue has been fixed in our next release: ITMS 8.6 RU2

A pointfix is available for those with ITMS 8.6 RU1. See KB 221269 "CUMULATIVE POST ITMS 8.6 RU1 POINT FIXES"

Attachments