While upgrading from 8.6 RU3 to 8.7.1, the upgrade failed at 53%, Configure Altiris Notification Server. A reconfigure of the Symantec Management Platform 8.7.1 also failed at the same point (except it was at 52%, but same errors)

The Notification Server (NS) logs showed this error:

"Failed to add Firewall exception for CEM Port."

Object reference not set to an instance of an object.
   [NullReferenceException @ Altiris.NS.dll]
   at Altiris.NS.Utilities.AgentSite.AgentSiteConfigurationSettings.get_SitePortIIS()
   at Altiris.NS.StandardItems.Product.CoreSolutionHelper.AddFirewallPortException()

Exception logged from:
   at Altiris.Diagnostics.Logging.EventLog.ReportException(int, string, string, Exception, string)
   at Altiris.NS.StandardItems.Product.CoreSolutionHelper.AddFirewallPortException()
   at Altiris.NS.StandardItems.Product.CoreSolutionInstallation.OnInstallProductAgentSite(XmlNode)
   at Altiris.NS.StandardItems.Product.ProductInstallation.OnInstallProduct(XmlNode)
   at Altiris.NS.StandardItems.Product.CoreSolutionInstallation.OnInstallProduct(XmlNode)
   at Altiris.NS.StandardItems.Product.ProductInstallation.InstallProduct()
   at Altiris.NS.StandardItems.Product.CoreSolutionInstallation.InstallProduct()
   at Altiris.NS.AeXConfig.ConfigureInstallation(string, bool)
   at Altiris.NS.AeXConfig.ConfigureInstallation()
   at Altiris.NS.AeXConfig.Perform(IList<string>)
   at Altiris.NS.AeXConfig.Main(string[])

Process: AeXConfig (14544), Thread ID: 1, Module: Altiris.NS.dll
Priority: 1, Source: AgentSiteConfigurationSettings.get_SitePortIIS

You may also see this error depending on the situation:

Cannot get NS Agent Site setting 'Agent Site Name' from registry or it is empty.
   [Altiris.NS.Exceptions.AeXException @ Altiris.NS]
   at Altiris.NS.Utilities.AgentSite.AgentSiteConfigurationSettings.GetRegistryValue[T](String registryParameter)
   at Altiris.NS.Utilities.AgentSite.AgentSiteConfigurationSettings.get_AgentSiteName()
   at Altiris.NS.StandardItems.Product.CoreSolutionHelper.FixNsCapBinHandlers()
   at Altiris.NS.StandardItems.Product.CoreSolutionHelper.ConfigureNSCapFolder()
   at Altiris.NS.StandardItems.Product.CoreSolutionInstallation.OnInstallProduct(XmlNode installationNode)
   at Altiris.NS.StandardItems.Product.ProductInstallation.InstallProduct()
   at Altiris.NS.StandardItems.Product.CoreSolutionInstallation.InstallProduct()
   at Altiris.NS.Installation.ProductConfigurationWorker.ConfigureProductInternal(String configFile, Boolean ownsProgressContext, SerializationMode serializationMode)
   at Altiris.NS.Installation.ProductConfigurationWorker.ConfigureProduct()

Unknown, possibly due to either a manual uninstallation of some Cloud-Enabled Management (CEM) component or due to security restrictions on IIS. 

We were able to work around this by:

1. Exporting and then deleting the NS Agent Site hive (HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\NS Agent Site)
2. Exporting HKEY_LOCAL_MACHINE\SOFTWARE\Altiris
3. Deleting the TsSecondaryWebSite and AgentWebSite Values in HKEY_LOCAL_MACHINE\SOFTWARE\Altiris
4. Deleting the Symantec Agent site in ISS Manager followed by an IISReset
5. Ran the reconfigure of Symantec Management Platform 8.7.1 in the Symantec Installation Manager (SIM)
6. We were then able to access all areas of the console. We enabled the setting, "Add IIS Website for cloud-enabled management agent connections" checkbox in the Cloud-enabled Management Agent IIS Website Settings policy, choosing the appropriate certificate. 
7. We verified this recreated the Symantec Agent site in IIS with the correct bindings.