A new certificate thumbprint needs to be pushed out to CEM agents. After following the directions in KB article 164263, agents lose the replaced thumbprint before it expires and before it is replaced on the actual gateway(s).
This can be verified on client machines by checking the following registry entry:
HKLM\Software\Altiris\Communications\Secure Gateways\{GUID of gateway} DWORD "Cert Thumbprint"
ITMS 8.7.2
The cause of this issue is currently being investigated by Broadcom developers. A permanent fix is planned for the next release, ITMS 8.7.3.
As a workaround until the next release, instead of replacing the original expiring thumbprint in the CEM policy, add an additional entry for the gateway by external IP address with the new replacement thumbprint as shown here:
To verify the external IP address of your internet gateway(s), run the following command from a computer disconnected from the corporate network but connected to the internet:
Command prompt:
nslookup gateway.fqdn.com
NOTE: The entries in the screenshot above are examples only and should not be used in production.
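The registry check described above can be scripted so that every gateway entry on a client is compared against both the expiring and the replacement thumbprint. This is an added example, not Broadcom code: the script name and the `-ExpectedThumbprints` parameter are hypothetical, and it assumes the thumbprints are 40-hex-digit SHA-1 values that can be read from the "Cert Thumbprint" value as text or raw bytes.

```powershell
# Added example (not Broadcom code). Script name and parameter are hypothetical.
# Usage: .\Test-GatewayThumbprint.ps1 -ExpectedThumbprints <expiring>,<replacement>
param(
    # Assumption: thumbprints are 40-hex-digit SHA-1 certificate thumbprints.
    [Parameter(Mandatory)]
    [ValidatePattern('^[0-9A-Fa-f]{40}$')]
    [string[]]$ExpectedThumbprints
)

# Registry location given in the article; one subkey per gateway GUID.
$base = 'HKLM:\Software\Altiris\Communications\Secure Gateways'
if (-not (Test-Path -LiteralPath $base)) {
    Write-Warning "Key not found: $base"
    return
}

$expected = $ExpectedThumbprints | ForEach-Object { $_.ToUpperInvariant() }

foreach ($gw in Get-ChildItem -LiteralPath $base) {
    $raw = $gw.GetValue('Cert Thumbprint')

    # Assumption: the value is readable as text (or raw bytes) holding one or
    # more thumbprints; pull out every 40-hex-digit run, whatever the separator.
    $text = if ($raw -is [byte[]]) {
        -join ($raw | ForEach-Object { $_.ToString('X2') })
    } else {
        @($raw) -join ' '
    }
    $found = @([regex]::Matches($text, '(?i)(?<![0-9a-f])[0-9a-f]{40}(?![0-9a-f])') |
        ForEach-Object { $_.Value.ToUpperInvariant() })

    # One row per gateway: which expected thumbprints the client still holds.
    [pscustomobject]@{
        Gateway = $gw.PSChildName
        Present = @($expected | Where-Object { $found -contains $_ })
        Missing = @($expected | Where-Object { $found -notcontains $_ })
    }
}
```

A gateway row that lists the expiring thumbprint under `Missing` while the certificate is still in use on the gateway matches the symptom described in this article.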