Configuring the Symantec Management Platform to use HTTPS (SSL) instead of HTTP.
Article ID: 237409
Updated On:
Products
Issue/Introduction
The customer wants to configure his Symantec Management Platform to use SSL (HTTPS) instead of the default HTTP protocol.
Environment
ITMS 8.x
Resolution
The main reference for this article can be found in our online documentation:
Configuring Notification Server to use HTTPS after ITMS installation is completed
The following article is provided as a visual reference of those settings/pages where you need to make the proper changes.
Most customers already have some of the HTTPS/SSL/Port 443 setup in place when it was initially installed. It is likely a few changes will need to be made to use port 443. The SMP Server is automatically configured to use HTTPS during the installation of the IT Management Suite, when you select the "Require HTTPS to access the Management Platform" on the Notification Server Configuration page, in Symantec Installation Manager.
You most likely have a certificate available. We create a self-signed certificate when you install the SMP Server, at least if you started with version 8.0 and later.
SIM should tell you if you already have some of what is needed in place:
When SSL was selected during initial installation:
When SSL was not selected during initial installation:
The process of setting up HTTPS communication in your ITMS environment involves the following steps:
Note:
Before you start, make sure you have a valid certificate that you can use: one that you have created for your environment or the default one (self-signed) that was created during the initial SMP installation. Most likely IIS already has one assigned to the Port 443 binding:
Viewing an SSL certificate
Table: Process of setting up HTTPS communication in your ITMS environment.
|
Step |
Action |
Description |
|
Step 1 |
Configure your Notification Server and Symantec Management Agents to use HTTPS. |
After the ITMS solutions installation is completed, a Notification Server communication profile is used to perform the following:
|
|
Step 2 |
Configure your Targeted Agent Settings to use HTTPS. |
Verify that the HTTPS option for the Server URL under the "Advanced" tab is pointing to the HTTPS one on any active Targeted Agent Settings policy. |
|
Step 3 |
Configure the Symantec Management Console to use HTTPS only. |
To configure the Symantec Management Console so that it is available to HTTPS only, enable the IIS SSL setting Require SSL. |
|
Step 4 |
Configure a package server to publish HTTPS package codebases. |
You can configure HTTPS on your package servers by using the Package Service Settings page. This page specifies the global package service settings that are applied to all package servers that serve your Symantec Management Platform. If you had "Publish HTTP codebase" and you don't have HTTP codebases anymore, you can uncheck the option under the Package Service Settings page, Then go to Control Panel>Scheduled Tasks and run the NS.Package Refresh schedule (by default it runs every day at 3:30am). By running this schedule, the SWD codebases and snapshot URLs should be updated. |
|
Step 5 |
Configure site servers to use HTTPS.
|
Check that you have "Configure HTTPS binding" under the "Global Site Server Settings" page. As well, check that the Site Server Communication Profile is set to HTTPS.
(Only required for setting up Cloud-enabled Management) To serve CEM agents, site servers have to be configured to use HTTPS. This process is automated by Cloud-enabled Management Site Server Settings policy. When a new site server is assigned to an Internet site, an SSL certificate is distributed and HTTPS binding is created on the 4726 (changeable) port. By default, the Global Site Server Settings policy or Custom Certificate rollout settings do not affect the functionality of site servers that already use HTTPS. For example, if you assign a site server with an existing HTTPS binding to an Internet site, the binding is not overwritten Configure sites and site servers to serve Cloud-enabled agents. (Only required for setting up Cloud-enabled Management) The Cloud-enabled agents that are behind the Internet gateway use Internet sites for determining site services. In the Symantec Management Console, you must add your site servers to a predefined Default Internet Site or other Internet sites that you want to use. You must also assign the Cloud-enabled computers to the sites that are based on resource targets. This manual assignment ensures that each computer remains a member of the appropriate site regardless of where it is physically located. See Configuring sites and site servers to serve cloud-enabled agents |
|
Step 6 |
Configure Agent Install to use HTTPS. |
Verify that the available option for pushing the Symantec Management Agent is HTTPS under the "Agent Install" page. |
|
Step 7 |
Configure SIM to use HTTPS. |
Open Registry Editor (regedit.exe). Go to "HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\AIM\Configuration\NsConfiguration" and check that the "NsWebSitePort" is set from decimal "80" to "443". |
Note: Other areas to review for configuring your environment as HTTPS are:
- If you need to have Persistent Connection enabled. Enabling Persistent Connection in your Environment
- If you are using Deployment Solution, make sure you have HTTPS communication Profile selected under SMP Console>Settings>Deployment>Manage Preboot configurations.
Or that the "Deployment Pre-Boot Environment" Targeted Agent Setting has it selected.
Additional Information
Feedback
