The customer is setting up new client machines with a CEM installation package because those machines are not currently at the office. However, after the agent is updated with the CEM references, it cannot connect in CEM mode.
The agent logs show the following error message:
Operation 'CEM: Connect' failed.
Protocol: HTTPS
Original host: mySMPserver.domain.com:443
Real host: 202.7.245.22:443
Path: /
Connection id: 0.9956
Communication profile id: {AA04FC45-18D2-4A27-89F8-29700A895926}
Throttling: 0 0 0
Error type: Connection error
Error code: No connection could be made because the target machine actively refused it (10061)
Error note: SocketIOStrategySyncSelect::Connect error
ITMS 8.5, 8.6
The firewall was blocking connections that came from outside their country.
The following is provided as an example of what was identified from the agent logs. We compared the agent logs from a client machine that can connect with those from one that cannot.
1. Both client machines (CompX is the one that does not work in CEM mode and CompY is the working one) have all TLS versions enabled:
The client supports TLS 1.0, TLS 1.1, TLS 1.2 connections
2. Both computers are using the same Agent Communication Profile:
connect to 'HTTPS://mySMPserver.domain.com:443/Altiris/WebSockets' using '{aa04fc45-18d2-4a27-89f8-29700a895926}' connection profile
3. Since CompX has not been able to connect in CEM mode, it does not have a resource GUID yet:
Configure Server Mode: Initial machine resource GUID is '{00000000-0000-0000-0000-000000000000}'
while CompY already has one:
Configure Server Mode: Initial machine resource GUID is '{7A2CF7EF-F96C-4A6F-9F80-7DA84DD72778}'
4. Both machines fail to connect to the SMP server directly when they are outside of the network. This is expected, since they should not be able to do that without going through the gateway server first:
Unable to resolve a hostname mySMPserver.domain.com to IP address, error: No such host is known (11001)
5. CompY is able to establish a connection to the gateway. It then sends the local client certificate information back, makes a successful connection to the gateway, and then connects to the SMP Server:
Entry 1:
ClientHandshakeLoop. Local certificate:
Serial number: 4c 67 e8 16 40 e9 17 b5 2b 21 d0 70 6b dc 7b b3 7c 12 3c 69,
Thumbprint: 5f 2d 6b 80 59 a1 29 0d 7f 3c 15 97 2a e2 ef 2c 17 de 7b b3
Entry 2:
NegotiateConnect: SUCCESS (gateway: altirisGW.domain.com)
Entry 3:
ClientHandshakeLoop. Local certificate:
Serial number: 4d 1e 1c da 5f fe 8d 70 e0 0d f2 93 65 4c a0 67 27 cd 1b f4,
Thumbprint: 1e 90 f2 5e e0 91 4a d3 25 a3 bf 63 45 66 01 34 36 0f 82 c4
Entry 4:
NegotiateConnect: SUCCESS (host: mySMPserver.domain.com)
However, CompX is not reaching out to the gateway. CompX is never able to make the initial connection to send the requested certificate information.
6. Once CompY makes the initial connection, the proper tunnel is opened with the gateway:
Entry 1:
Tunnel connection using IP: 202.7.245.22, Port: 443
Entry 2:
Operation 'CEM: Connect' was completed successfully.
Protocol: HTTPS
Original host: mySMPserver.domain.com:443
Real host: altirisGW.domain.com:443
Path: /
Connection id: 0.25320
Communication profile id: {AA04FC45-18D2-4A27-89F8-29700A895926}
Throttling: 0 0 0
Server HTTPS connection info:
Server certificate:
Serial number: 45 62 47 ab 26 b7 7e 81 4d 1c 56 04 e7 4e 3f 36
Thumbprint: 05 16 bb 31 d0 29 1d df cf 20 8c e9 e6 c1 84 b3 5a 9e 85 a5
Cryptographic protocol: TLS 1.2
Cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Cipher algorithm: AES
Cipher key length: 256
Hash algorithm: SHA384
Hash length: 384
Key exchange algorithm: ECDH
Key length: 256
Gateway HTTPS connection info:
Server certificate:
Serial number: 25 15 df ea 58 91 4c 66 1a d1 ed c3 4c 23 0c 3c a6 16 b3 dd
Thumbprint: cc 9e 6e ac 36 9c d0 fc 99 3d 1c ca 30 ce 1e d1 77 61 fe c9
Cryptographic protocol: TLS 1.2
Cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Cipher algorithm: AES
Cipher key length: 256
Hash algorithm: SHA384
Hash length: 384
Key exchange algorithm: ECDH
Key length: 256
For CompX, the tunnel is not opened:
Operation 'CEM: Connect' failed.
Protocol: HTTPS
Original host: mySMPserver.domain.com:443
Real host: 202.7.245.22:443
Path: /
Connection id: 0.9956
Communication profile id: {AA04FC45-18D2-4A27-89F8-29700A895926}
Throttling: 0 0 0
Error type: Connection error
Error code: No connection could be made because the target machine actively refused it (10061)
Error note: SocketIOStrategySyncSelect::Connect error
When this type of behavior occurs on two different client machines using the same Agent Communication Profile and certificates, it usually indicates that some device in the middle (switch, firewall, proxy, SSL offloader, load balancer, etc.) is redirecting the request somewhere else or blocking access to the Internet Gateway.
CompY can reach out to the gateway and SMP server:
Operation 'CEM: Connect' completed successfully.
Protocol: HTTPS
Original host: mySMPserver.domain.com:443
Real host: altirisGW.domain.com:443
while CompX has trouble even getting a response when using the actual gateway external name:
Operation 'CEM: Connect' failed.
Protocol: HTTPS
Original host: mySMPserver.domain.com:443
Real host: 202.7.245.22:443
The recommendation is to capture a Wireshark trace from the affected client machine and check whether something is redirecting the expected response to some other device, or whether there is a routing issue when trying to reach the gateway server externally.
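
The log comparison described above can be scripted when several clients have to be checked. The following is an added example, not part of the original article or of the product: it assumes the agent log text has been exported in the plain "Key: value" layout quoted on this page, and the function names and sample strings are constructed for illustration.

```python
import re

# Constructed samples, trimmed from the log excerpts quoted on this page.
COMPX_LOG = """Operation 'CEM: Connect' failed.
Protocol: HTTPS
Original host: mySMPserver.domain.com:443
Real host: 202.7.245.22:443
Communication profile id: {AA04FC45-18D2-4A27-89F8-29700A895926}
Error type: Connection error
Error code: No connection could be made because the target machine actively refused it (10061)
"""
COMPY_LOG = """Unable to resolve a hostname mySMPserver.domain.com to IP address, error: No such host is known (11001)
Operation 'CEM: Connect' was completed successfully.
Protocol: HTTPS
Original host: mySMPserver.domain.com:443
Real host: altirisGW.domain.com:443
Communication profile id: {AA04FC45-18D2-4A27-89F8-29700A895926}
"""

OP_RE = re.compile(r"Operation 'CEM: Connect' (failed|(?:was )?completed successfully)\.")
FIELD_RE = re.compile(r"([A-Za-z][A-Za-z ]*): (.+)")
WSA_RE = re.compile(r"\((\d+)\)$")

def parse_cem_connects(text):
    """Return one dict per 'CEM: Connect' block: outcome, fields, Winsock code."""
    ops, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        op = OP_RE.fullmatch(line)
        if op:
            cur = {"ok": op.group(1) != "failed", "wsa": None}
            ops.append(cur)
        elif cur is not None and (field := FIELD_RE.fullmatch(line)):
            key, value = field.groups()
            cur.setdefault(key, value)  # keep the first value if a key repeats
            if key == "Error code" and (code := WSA_RE.search(value)):
                cur["wsa"] = int(code.group(1))
    return ops

def compare_clients(failing_log, working_log):
    """Compare the last connect attempt of a failing and a working client."""
    bad, good = parse_cem_connects(failing_log)[-1], parse_cem_connects(working_log)[-1]
    profile = "Communication profile id"
    findings = []
    if bad.get(profile, "").lower() == good.get(profile, "").lower() != "":
        findings.append("same communication profile on both clients")
    if good["ok"] and not bad["ok"]:
        findings.append("only the failing client is rejected: check the path to the gateway")
    if bad["wsa"] == 10061:
        findings.append(f"TCP connection to {bad['Real host']} refused (10061)")
    return findings
```

Calling `compare_clients(COMPX_LOG, COMPY_LOG)` returns the three findings that lead to the Wireshark recommendation: identical profile, differing outcome, and a refused TCP connection at the gateway address.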