If the CEM connection status becomes broken, it is not automatically reinitialized

Article ID: 397041

Products

IT Management Suite

Issue/Introduction

You notice that all Site Servers residing in remote locations are unable to connect to the SMP (Symantec Management Platform) server via the CEM gateway.

All the ports were checked, the network is fine on the communication side, and there is no issue with the CEM certificate.

Client agents connect over CEM without any issue, and it is not clear what broke communication for all Site/Package Servers.

The affected CEM Site Servers last communicated a couple of weeks ago.

Later, when you compared the affected Site Servers with a "working" one, you found that one registry value was different: "Secure Gateway Mode" in the Altiris Agent Communications registry hive (HKLM\Software\Altiris\Communications). It was set to 1 on the affected servers, while the working Site Server had it set to 2.

As soon as you set this value to "2" (without touching any other registry value or policy) and restart the Agent service, the client starts to communicate with the SMP Server.

Environment

ITMS 8.7.x

Cause

Known issue.

"CEM state restore" functionality needed to be updated.

The old code would try connecting via the CEM gateway when the registry value is 1; the new code does not do that. That is the problem on the client side.

Why did the registry value become 1?

  • It could be that they hit some sort of server bug in which only part of the policies arrive at the client.
  • Assuming that is the case, the missing CEM policy could set that registry value to 3 (CEM is un-initializing). At this point the CEM gateway address and CEM certificates are still on the client because there was no direct connection to NS. The CEM policy then arrives at the next policy request and the registry value becomes 1, but the client-side bug prevents the CEM information from being used to connect via the gateway.

Resolution

This issue has been fixed in the ITMS 8.8 release.

The following has been included:

  • An algorithm that restores CEM mode if it was reset to "1" in the registry.

How it works:

  • Every 10 minutes, SMA checks the "Secure Gateway Mode" registry value. If it is 1 (CEM is initializing), it requests agent re-initialization, which should check all the certificates and restore "Secure Gateway Mode" (CEM is enabled).
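
On agents that are not yet on ITMS 8.8, the stuck state can be checked by hand. The PowerShell below is an added example, not Broadcom code: it reads the registry value named in this article, treats 1 as a problem only if it is still 1 after a re-check interval (since "initializing" is also a normal transient state), and optionally applies the workaround described above. The service name `AeXNSClient`, the parameter names and the exit codes are assumptions; the state labels are the ones this article gives.

```powershell
# Added example (not vendor code). Registry path and value name come from the article.
param(
    [int]$RecheckSeconds = 600,             # assumption: mirrors the 10-minute interval of the 8.8 check
    [switch]$ApplyWorkaround,               # hypothetical switch: apply the article's manual workaround
    [string]$AgentService = 'AeXNSClient'   # assumption: agent service name, verify on your system
)

$key  = 'HKLM:\Software\Altiris\Communications'
$name = 'Secure Gateway Mode'

# State labels as described in the article; other values are not documented there.
$meaning = @{ 1 = 'CEM is initializing'; 2 = 'CEM is enabled'; 3 = 'CEM is un-initializing' }

function Get-CemMode {
    # Returns the current mode as an integer, or $null if the value is absent.
    $p = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return [int]$p.$name
}

function Format-CemMode([int]$mode) {
    if ($meaning.ContainsKey($mode)) { return "$mode ($($meaning[$mode]))" }
    return "$mode (not described in the article)"
}

$first = Get-CemMode
if ($null -eq $first) {
    Write-Warning "'$name' not found under $key"
    exit 2
}
Write-Output "First read:  $(Format-CemMode $first)"
if ($first -ne 1) { exit 0 }

# 1 can be a legitimate transient state, so read again before flagging it.
Start-Sleep -Seconds $RecheckSeconds
$second = Get-CemMode
Write-Output "Second read: $(Format-CemMode $second)"
if ($second -ne 1) { exit 0 }

Write-Warning "'$name' is still 1 after $RecheckSeconds s: matches the broken CEM state in this article"
if ($ApplyWorkaround) {
    # Workaround from the article: set the value to 2, then restart the Agent service.
    Set-ItemProperty -Path $key -Name $name -Value 2
    Restart-Service -Name $AgentService
    Write-Output "Workaround applied: now $(Format-CemMode (Get-CemMode))"
}
exit 1
```

Run it elevated on the affected Site Server; writing under HKLM and restarting the service both require administrator rights.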