Configuring a computer so that, when connected to both the Internet and the VPN, it uses the Internet Gateway instead of the SMP Server

Article ID: 394686

Updated On: 04-28-2025

Products

IT Management Suite

Issue/Introduction

You have some agents (managed computers using the Symantec Management Agent) operating over the internet in CEM (Cloud-enabled Management) mode. When those client machines are externally connected, they go through your Internet Gateway to connect back to the internal network without problems.

When those client machines connect to the VPN, the agent interprets it as being within the corporate network and connects directly to the SMP Server (Symantec Management Platform), instead of through the Gateway.

You would like to know if it is possible to configure the agent so that, in scenarios where the computer is connected to both the Internet and the VPN, it uses the Internet Gateway (altiriscloud.mainExampleDomain.com) instead of the SMP Server (SMPServer.mainExampleDomain.com).

Is this possible?

What if you can't connect to the Internet Gateway when in VPN mode?

Environment

ITMS 8.7.x

Resolution

Usually this can be accomplished by using this setting:

"Prefer CEM gateway connection if VPN connection is established"
 
You can find more details on how it works under:
 


Example: the Internet Gateway can't be reached when the "Prefer CEM gateway connection if VPN connection is established" setting is selected

Now, if you are already:

  1. Using this "Prefer CEM gateway connection if VPN connection is established" setting,
  2. the desired VPN Subnets are already part of the Internet Site,
  3. and the client agent shows under the agent UI as connected via VPN

but it is still connecting directly to your SMP Server without going to your Internet Gateway, you should take a look at your agent logs (under C:\programdata\symantec\symantec Agent\logs) from one of those client machines in VPN mode and see if it is actually following the right route to your Internet Gateway.

Here is an example of how you could find such information and follow what the agent is trying to do:

  1. Usually you should see entries like this one:

    Operation 'CEM: Post' completed successfully.
    Url: HTTPS://SMPServer.mainExampleDomain.com:443/altiris/TaskManagement/CTAgent/PersistentSettings.aspx?operation=set&resourceGuid=74d9a0a3-8416-4e79-ad81-757a3e883c72&crc=0008000700000924
    Connection path: 7 - Via gateway 2: [192.168.1.15 Wi-Fi] -> altiriscloud.mainExampleDomain.com [18.243.0.241:443] -> SMPServer.mainExampleDomain.com:443
    Connection id: 229.13604
    Communication profile id: {e165fe2f-9c2d-4caf-a184-31c885a3c4e4}
    Throttling: 0 0 0  
    Data sent: 784 bytes at 3285 kB/sec  
    Data received: 520 bytes at 2 kB/sec
    Gateway SSL connection info:
       Server certificate:
          Serial number: xxxxxxx 1b 1f 10 3b
          Thumbprint: xxxxxxx 7b 35 ef a7
       Client certificate:
          Serial number: xxxxxxxxx 52 a7 b2 5b
          Thumbprint: xxxxxxxxx a2 df a5 20
       Cryptographic protocol: TLS 1.3
       Cipher suite: TLS_AES_256_GCM_SHA384
       Cipher algorithm: AES
       Cipher key length: 256
       Hash algorithm:  
       Hash length: 0
       Key exchange algorithm:  
       Key length: 0
    Client SSL attributes for gateway connection:
       Client certificate:
          Serial number: xxxxxxxx 52 a7 b2 5b
          Thumbprint: xxxxxxxxxx a2 df a5 20
       Cryptographic protocol: TLS 1.0, 1.1, 1.2, 1.3
    Server SSL connection info:
       Server certificate:
          Serial number: xxxxxxxx 61 0f 0c 13
          Thumbprint: xxxxxxxxxx c0 ae ec ac
       Client certificate:
          Serial number: xxxxxxx 53 6c 51 7c
          Thumbprint: xxxxxxxxx 4a 47 d5 9f
       Cryptographic protocol: TLS 1.3
       Cipher suite: TLS_AES_256_GCM_SHA384
       Cipher algorithm: AES
       Cipher key length: 256
       Hash algorithm:  
       Hash length: 0
       Key exchange algorithm:  
       Key length: 0
    Client SSL attributes for server connection:
       Client certificate:
          Serial number: xxxxxxxx 53 6c 51 7c
          Thumbprint: xxxxxxxxxx 4a 47 d5 9f
       Cryptographic protocol: TLS 1.0, 1.1, 1.2, 1.3
    -----------------------------------------------------------------------------------------------------
    Date: 4/8/2025 1:03:09 PM, Tick Count: 243511250 (2.19:38:31.2500000), Host Name: exampleClientMachine, Size: 2.57 KB
    Process: AeXNSAgent.exe (13604), Thread ID: 19288, Module: AeXNetComms.dll
    Priority: 8, Source: NetworkOperation

    where this line shows the IP addresses being used:

    Connection path: 7 - Via gateway 2: [192.168.1.15 Wi-Fi] -> altiriscloud.mainExampleDomain.com [18.243.0.241:443] -> SMPServer.mainExampleDomain.com:443

  2. You should also see log entries with the IP addresses in use when the agent detects a change from an external connection to a VPN connection, such as:

    IPv4 address change detected
    -----------------------------------------------------------------------------------------------------
    Date: 4/8/2025 1:04:05 PM, Tick Count: 243567500 (2.19:39:27.5000000), Host Name: exampleClientMachine, Size: 264 B
    Process: AeXNSAgent.exe (13604), Thread ID: 13712, Module: AeXNetMon.dll
    Priority: 4, Source: NetworkMonitor

    Local IP 0 address updated: fe80::fb69:f91:100d:3f6e%10
    -----------------------------------------------------------------------------------------------------
    Date: 4/8/2025 1:04:05 PM, Tick Count: 243567515 (2.19:39:27.5150000), Host Name: exampleClientMachine, Size: 291 B
    Process: AeXNSAgent.exe (13604), Thread ID: 13712, Module: AeXNetMon.dll
    Priority: 8, Source: NetworkMonitor

    Local IP 1 address updated: 192.168.1.15
    -----------------------------------------------------------------------------------------------------
    Date: 4/8/2025 1:04:05 PM, Tick Count: 243567546 (2.19:39:27.5460000), Host Name: exampleClientMachine, Size: 276 B
    Process: AeXNSAgent.exe (13604), Thread ID: 13712, Module: AeXNetMon.dll
    Priority: 8, Source: NetworkMonitor

    Local IP 2 address updated: 192.168.107.192
    -----------------------------------------------------------------------------------------------------
    Date: 4/8/2025 1:04:05 PM, Tick Count: 243567562 (2.19:39:27.5620000), Host Name: exampleClientMachine, Size: 291 B
    Process: AeXNSAgent.exe (13604), Thread ID: 13712, Module: AeXNetMon.dll
    Priority: 8, Source: NetworkMonitor

    VPN connection detected
    -----------------------------------------------------------------------------------------------------
    Date: 4/8/2025 1:04:05 PM, Tick Count: 243567687 (2.19:39:27.6870000), Host Name: exampleClientMachine, Size: 274 B
    Process: AeXNSAgent.exe (13604), Thread ID: 1604, Module: AeXNetComms.dll
    Priority: 4, Source: SMAIO.SSLProxy.SystemMonitor

    IP addresses information changed.
    -----------------------------------------------------------------------------------------------------
    Date: 4/8/2025 1:04:06 PM, Tick Count: 243567734 (2.19:39:27.7340000), Host Name: exampleClientMachine, Size: 269 B
    Process: AeXNSAgent.exe (13604), Thread ID: 13712, Module: AeXNetMon.dll
    Priority: 4, Source: NetworkMonitor

  3. Then, the SMP Server provides an updated policy to be used in VPN mode, listing which subnets are part of the Internet Site based on the current agent subnet:

    Activating site settings policies set 096b6f323114f13a1ae1f6e5c219ef56e2d0a9cda2a22a5ae95c761ee3e80027 [192.168.1.0/24, 192.168.107.192/26]:

    1 site[s]:
    Site 'EXAMPLE - SITE INTERNET', ID '{4FF9D7BE-428C-4B01-BF4F-A9F6C8CDA657}', order 0, max transfers -1, max speed -1, deny 0x00000000:
    10.1.0.0/16.
    10.2.0.0/16.
    10.82.0.0/16.
    10.99.0.0/16.
    10.150.0.0/16.
    10.182.0.0/16.
    10.199.1.0/24.
    10.199.6.0/24.
    10.199.110.0/24.
    10.252.0.0/22.
    10.252.31.0/24.
    192.168.78.0/24.
    192.168.107.0/24.
    192.168.108.0/24.
    192.168.109.0/24.
    192.168.110.0/24.
    192.168.190.0/24.
    192.168.191.0/24.
    192.168.223.0/24.
    192.168.224.0/24.
    192.168.228.0/24.

    -----------------------------------------------------------------------------------------------------
    Date: 4/8/2025 1:04:06 PM, Tick Count: 243567812 (2.19:39:27.8120000), Host Name: exampleClientMachine, Size: 973 B
    Process: AeXNSAgent.exe (13604), Thread ID: 13712, Module: AeXNSAgent.exe
    Priority: 4, Source: ConfigServer

  4.  Since this client machine is part of the expected Subnets for this Internet Site:

    Agent IP Address from log entry in step 3 above:
    Local IP 1 address updated: 192.168.1.15
    Local IP 2 address updated: 192.168.107.192


    it falls under the configured subnet 192.168.107.0/24 from the Site 'EXAMPLE - SITE INTERNET' in step 3 above.

  5. Since the IP address is one expected for the "Prefer CEM gateway connection if VPN connection is established" setting, you should see:

    CEM settings change detected, supported: Yes, prefer: Yes
    -----------------------------------------------------------------------------------------------------
    Date: 4/8/2025 1:04:06 PM, Tick Count: 243567875 (2.19:39:27.8750000), Host Name: exampleClientMachine, Size: 293 B
    Process: AeXNSAgent.exe (13604), Thread ID: 13712, Module: AeXNetMon.dll
    Priority: 4, Source: NetworkMonitor

    The agent then tries to make the connection to the SMP Server, and should then try to go to the Internet Gateway instead:

    [11E8F820020, WS: E98] Connecting to 'SMPServer.mainExampleDomain.com:443;SMPServer:443' asynchronously, timeout: 60000 ms
    -----------------------------------------------------------------------------------------------------
    Date: 4/8/2025 1:04:21 PM, Tick Count: 243583671 (2.19:39:43.6710000), Host Name: exampleClientMachine, Size: 401 B
    Process: AeXNSAgent.exe (13604), Thread ID: 34192, Module: AeXNetComms.dll
    Priority: 4, Source: SMAIO.WSTransport.ReconnectCallback

    [7B:IN: 135C -> 0, RECV: 7A3DA01C] CEM gateway connection is preferred while connecting to 'SMPServer.mainExampleDomain.com:443;SMPServer:443', error: The operation completed successfully (0x00000000)
    -----------------------------------------------------------------------------------------------------
    Date: 4/8/2025 1:04:21 PM, Tick Count: 243583687 (2.19:39:43.6870000), Host Name: exampleClientMachine, Size: 465 B
    Process: AeXNSAgent.exe (13604), Thread ID: 38268, Module: AeXNetComms.dll
    Priority: 8, Source: SMAIO.SSLProxy.Socket

  6. But in this example, the client machine can't resolve the Internet Gateway when in VPN mode:

    [7D:IN: 1030 -> 0, RECV: 7A3DA023] Failed to resolve CEM gateway address 'altiriscloud.mainExampleDomain.com', error: No such host is known (11001)
    -----------------------------------------------------------------------------------------------------
    Date: 4/8/2025 1:04:24 PM, Tick Count: 243586484 (2.19:39:46.4840000), Host Name: exampleClientMachine, Size: 386 B
    Process: AeXNSAgent.exe (13604), Thread ID: 34852, Module: AeXNetComms.dll
    Priority: 1, Source: SMAIO.SSLProxy.Socket

    [7E:IN: 171C -> 0, RECV: 7A3DA025][11E8F820890, WS: 16C0] Failed to build CEM gateway address, CEM gateway list is empty, error: No such host is known (11001)
    -----------------------------------------------------------------------------------------------------
    Date: 4/8/2025 1:04:24 PM, Tick Count: 243586500 (2.19:39:46.5000000), Host Name: exampleClientMachine, Size: 403 B
    Process: AeXNSAgent.exe (13604), Thread ID: 34852, Module: AeXNetComms.dll
    Priority: 1, Source: SMAIO.SSLProxy.Socket

    [7D:IN: 1030 -> 0, RECV: 7A3DA023] Failed to build CEM gateway address, CEM gateway list is empty, error: No such host is known (11001)
    -----------------------------------------------------------------------------------------------------
    Date: 4/8/2025 1:04:24 PM, Tick Count: 243586500 (2.19:39:46.5000000), Host Name: exampleClientMachine, Size: 380 B
    Process: AeXNSAgent.exe (13604), Thread ID: 41588, Module: AeXNetComms.dll
    Priority: 1, Source: SMAIO.SSLProxy.Socket

    [7D:IN: 1030 -> 0, RECV: 7A3DA023] Failed to connect to CEM gateway, error: No such host is known (11001)
    -----------------------------------------------------------------------------------------------------
    Date: 4/8/2025 1:04:24 PM, Tick Count: 243586515 (2.19:39:46.5150000), Host Name: exampleClientMachine, Size: 350 B
    Process: AeXNSAgent.exe (13604), Thread ID: 41588, Module: AeXNetComms.dll
    Priority: 1, Source: SMAIO.SSLProxy.Socket
    File: C:\Users\ng731047\Downloads\Agent6\Agent3.log

  7. The agent will then try a couple of times to connect to the Internet Gateway:

    [11E8F820890, WS: 16C0] Reconnecting, connection attempts remaining: 2, maximum attempts: 3, reconnect timeout: 1 minutes
    -----------------------------------------------------------------------------------------------------
    Date: 4/8/2025 1:05:24 PM, Tick Count: 243646593 (2.19:40:46.5930000), Host Name: exampleClientMachine, Size: 380 B
    Process: AeXNSAgent.exe (13604), Thread ID: 38268, Module: AeXNetComms.dll
    Priority: 4, Source: SMAIO.WSTransport.ReconnectCallback

What we can infer from tracing what the agent is doing is that the issue lies in internal host resolution for the Internet Gateway, either by name or by IP address.

In this particular scenario, "altiriscloud.mainExampleDomain.com" was found not to be reachable from the VPN connection. (Note: this needs to be handled by your network team. We don't provide guidelines for that type of setup, beyond the requirement that your Internet Gateway be reachable internally when connected via VPN.) After that access was enabled, the service began working correctly: when connected to both the Internet and the VPN, the agent uses the Internet Gateway instead of the SMP Server.
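
The trace in steps 2 to 6, as an added Python example that is not part of the original article or of any Broadcom tooling: it pulls the decision points out of agent log text and reports the first one that failed. The sample text is constructed from the message lines shown above, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: message lines taken from the log excerpts in this
# article, with entry headers and most site subnets trimmed.
SAMPLE_LOG = """\
Local IP 0 address updated: fe80::fb69:f91:100d:3f6e%10
Local IP 1 address updated: 192.168.1.15
Local IP 2 address updated: 192.168.107.192
VPN connection detected
Site 'EXAMPLE - SITE INTERNET', order 0, max transfers -1, max speed -1:
    10.1.0.0/16.
    192.168.107.0/24.
CEM settings change detected, supported: Yes, prefer: Yes
[7D:IN: 1030 -> 0, RECV: 7A3DA023] Failed to resolve CEM gateway address 'altiriscloud.mainExampleDomain.com', error: No such host is known (11001)
"""

IP_RE = re.compile(r"Local IP \d+ address updated: (\S+)")
SUBNET_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+/\d+)\.\s*$", re.M)
PREFER_RE = re.compile(r"CEM settings change detected, supported: \w+, prefer: (\w+)")
RESOLVE_RE = re.compile(r"Failed to resolve CEM gateway address '([^']+)'")

def trace_agent_log(text):
    """Extract the routing decision points (steps 2 to 6) from agent log text."""
    ips = [ipaddress.ip_address(raw.split("%")[0])  # drop any IPv6 zone id
           for raw in IP_RE.findall(text)]
    subnets = [ipaddress.ip_network(s) for s in SUBNET_RE.findall(text)]
    prefer = PREFER_RE.search(text)
    failed = RESOLVE_RE.search(text)
    return {
        "vpn_detected": "VPN connection detected" in text,
        "site_matches": {str(ip): str(net) for ip in ips for net in subnets
                         if ip.version == net.version and ip in net},
        "cem_preferred": bool(prefer) and prefer.group(1) == "Yes",
        "gateway_unresolved": failed.group(1) if failed else None,
    }

def diagnose(s):
    """Return the first failed checkpoint, in the order the article checks them."""
    if not s["vpn_detected"]:
        return "no VPN transition logged"
    if not s["site_matches"]:
        return "no local IP falls inside the Internet Site subnets"
    if not s["cem_preferred"]:
        return "prefer-gateway setting not applied"
    if s["gateway_unresolved"]:
        return "gateway name not resolvable over VPN: " + s["gateway_unresolved"]
    return "gateway preferred and resolvable"
```

Feed it the text of an agent log from a machine in VPN mode; the regular expressions match only the message wording shown in this article.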

Additional Information