Best practices for setting up new Internet Gateway and then decommissioning the original

Article ID: 399407

Updated On: 06-16-2025

Products

IT Management Suite

Issue/Introduction

You want to set up a new Internet Gateway (IG) and then decommission the original one. You want to make sure the new one works properly and that your client machines are aware of the new Internet Gateway before the original Internet Gateway is turned off.

Environment

ITMS 8.7.x

Resolution

Setting up a new Internet Gateway should be a very straightforward process.

  1. The Internet Gateway installation package can be generated/downloaded from the SMP console in the following location: Settings > Notification Server > Cloud-enabled Management > Setup > Cloud-enabled Management Setup > Internet Gateway Setup tab.

    • Transfer the installation package to your new Internet Gateway (IG) server using any secure method of your choice.
    • Once the package is on the Internet Gateway, double-click the .msi and walk through the installation (.NET is required for installation).
    • Open the Gateway Manager to begin configuring settings:
      • Configure IP information
      • Configure FIPS (optional)
      • Generate self-signed or import 3rd party certificate
      • Specify service account
    • Click on the "Servers" tab and add the Notification Server/SMP and any Internet Site Servers you added to "Default Internet Site". When adding the NS/SMP server, you may be prompted to enter credentials for the SMP server. Use the application identity/service account of the SMP Server; proper credentials are needed for log forwarding to the NS/SMP server.
    • Copy the thumbprint of the gateway certificate (as shown in Gateway Manager).


  2. To verify the external IP address of your Internet Gateway(s), run the following command from a computer that is disconnected from the corporate network but connected to the internet:

    Command prompt:

    nslookup gateway.fqdn.com

  3. Configure one or more Cloud-enabled Management Settings policies in the SMP console

    • Navigate to Settings > Notification Server > Cloud-enabled Management > Policy > Cloud-enabled Management Settings

    • Add the new Internet Gateway. Specify its externally resolvable FQDN, the port agents use to communicate with the Internet Gateway (443 by default), and the IG certificate thumbprint captured in step 1.
      Note: also add an entry for the gateway by its external IP address with the new thumbprint, to make sure that your CEM clients can reach the new Internet Gateway by FQDN and/or IP address. After the CEM connection has been validated, you can remove the IP address entry from your Cloud-enabled Management Settings policy if you want.

    • Apply the policy to any agents on which you wish to test CEM. An agent must be targeted by at least one CEM policy in order to communicate off the LAN through CEM.

    • For any agents that are not able to receive the policy, an offline CEM installation package can be generated from Settings > Notification Server > Cloud-enabled Management > Setup > Cloud-enabled Management Setup. The offline installation package can then be delivered to the machine through an alternate method of your choice. The offline package can also automate certificate distribution, which is recommended.

    • Enable/turn on the policy.
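The following PowerShell script is an added example (it is not part of this article and is not a Broadcom tool). It runs the same off-LAN check as the nslookup in step 2 and then goes one step further: it opens a TLS connection to the new gateway on the agent port and compares the thumbprint of the certificate the gateway actually presents with the thumbprint you copied from Gateway Manager in step 1 and entered into the CEM Settings policy in step 3. The FQDN, port and thumbprint values are placeholders you replace with your own.

```powershell
# Added example (not from the article): check a new Internet Gateway from an off-LAN machine
# before relying on it. The FQDN, port and thumbprint are placeholders; replace them with the
# values from your Gateway Manager and CEM Settings policy.
param(
    [string]$GatewayFqdn        = 'gateway.fqdn.com',   # externally resolvable FQDN (placeholder)
    [int]$Port                  = 443,                  # agent communication port (443 by default)
    [string]$ExpectedThumbprint = 'REPLACE_WITH_THUMBPRINT_FROM_GATEWAY_MANAGER'
)

$ErrorActionPreference = 'Stop'

# 1. DNS: the public name must resolve from outside the corporate network (same as nslookup).
$records = Resolve-DnsName -Name $GatewayFqdn -Type A
Write-Host ("{0} resolves to: {1}" -f $GatewayFqdn, ($records.IPAddress -join ', '))

# 2. TCP: the agent port must be reachable through the perimeter firewall / NAT.
$tcp = Test-NetConnection -ComputerName $GatewayFqdn -Port $Port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "TCP port $Port on $GatewayFqdn is not reachable; check firewall and NAT rules."
}

# 3. TLS: capture the certificate the gateway presents during the handshake. The callback
#    accepts the chain on purpose because the gateway may use a self-signed certificate;
#    the thumbprint comparison below is the real check.
$script:presented = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors)
    $script:presented = $certificate
    return $true
}

$client = [System.Net.Sockets.TcpClient]::new($GatewayFqdn, $Port)
try {
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($GatewayFqdn)
    }
    catch {
        # A gateway that insists on a client certificate may abort after sending its own
        # certificate; the certificate has already been captured by the callback at that point.
        Write-Warning "TLS handshake did not complete: $($_.Exception.Message)"
    }
    $ssl.Dispose()
}
finally {
    $client.Dispose()
}

if (-not $script:presented) { throw "No certificate was presented by $GatewayFqdn on port $Port." }
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($script:presented)

# Normalise both thumbprints (certificate viewers may show them with spaces or colons).
$expected = ($ExpectedThumbprint -replace '[\s:]', '').ToUpperInvariant()
$actual   = $cert.Thumbprint.ToUpperInvariant()

Write-Host ("Presented certificate: subject={0} expires={1}" -f $cert.Subject, $cert.NotAfter)
if ($actual -ne $expected) {
    throw "Thumbprint mismatch: gateway presents $actual but the policy expects $expected."
}
Write-Host "OK: $GatewayFqdn answers on port $Port with the expected certificate thumbprint."
```

Run it from the same kind of machine the article describes for the nslookup check (off the corporate network, on the internet), for example `.\Test-IG.ps1 -GatewayFqdn gateway.fqdn.com -ExpectedThumbprint <thumbprint>`. A thumbprint mismatch at this point usually means the policy still carries the old gateway's thumbprint or a NAT rule is forwarding to the original gateway, both of which are cheaper to find now than after the original gateway has been switched off. Resolve-DnsName and Test-NetConnection ship with Windows 8 / Server 2012 and later.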

For more information on this process, refer to:

About Preparing the Internet Gateway Computer

Setting up Internet Gateway

Configuring the Internet Gateway

Configuring the Cloud-Enabled Management Settings Policy


Then, consider the following:

  1. Make sure the proper ports for the Internet Gateway are opened (see the Internet Gateway Ports and Protocols table) and that firewall policy rule(s) are set up on your new Internet Gateway (configure the firewall to allow outgoing connections only to specific servers on your internal network).
  2. Verify that CEM-enabled agents are able to communicate off the LAN:

    • After your client machines have received the new CEM policy, stop the Internet Gateway service on your original Internet Gateway. This forces your client machines to switch to the new Internet Gateway, so you can see whether they do so.
      • When an agent is no longer able to reach the NS/SMP server through the LAN, it should attempt to reach the NS/SMP server through the new Internet Gateway. If a successful connection is made through the new Internet Gateway, the agent status will show Cloud-Enabled Management as active and connected. You will also see a small cloud icon on the agent in the system tray.
    • We usually suggest waiting 2-3 days to make sure all or most of your client machines have received the new Internet Gateway reference in their CEM policy.
    • If CEM agents are not able to make a connection through the new Internet Gateway, the agent logs should provide insight into the issue. Agent logs can be found in the following location on the endpoint: <InstallDirectory>\ProgramData\Symantec\Symantec Agent\Logs
  3. After the new Internet Gateway is accessible and recognized by your CEM client machines, you can delete the old Internet Gateway from your Cloud-enabled Management Settings policy and decommission the original Internet Gateway.
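Point 1 above asks for firewall rules on the new Internet Gateway that allow outgoing connections only to specific internal servers. The PowerShell below is an added example of such an egress allow-list using the built-in Windows Firewall cmdlets; it is not part of this article and not a Broadcom tool. The server addresses, DNS servers and port are placeholders: the actual ports come from the Internet Gateway Ports and Protocols table the article refers to, which is not reproduced here.

```powershell
# Added example (not from the article): restrict the Internet Gateway server's outbound
# traffic to the internal servers it must reach. All addresses and ports are placeholders;
# take the real ports from the Internet Gateway Ports and Protocols table.
$SmpServer   = '10.0.0.10'        # Notification Server / SMP (placeholder)
$SiteServers = @('10.0.0.11')     # Internet Site Servers in "Default Internet Site" (placeholder)
$AgentPort   = 443                # gateway-to-SMP / site server port (placeholder; see ports table)
$DnsServers  = @('10.0.0.2')      # internal DNS used to resolve the server names in Gateway Manager (placeholder)

# Allow the gateway to reach only the SMP and the Internet Site Servers on the required port.
New-NetFirewallRule -DisplayName 'IG outbound to SMP and Internet Site Servers' `
    -Direction Outbound -Action Allow -Protocol TCP `
    -RemoteAddress (@($SmpServer) + $SiteServers) -RemotePort $AgentPort

# DNS is still needed so the gateway can resolve the server names configured in Gateway Manager.
New-NetFirewallRule -DisplayName 'IG outbound DNS' `
    -Direction Outbound -Action Allow -Protocol UDP -RemoteAddress $DnsServers -RemotePort 53

# With the explicit allow rules in place, block every other outbound connection. Apply this
# last, and from a local console session, so a missing allow rule cannot cut off your own
# management access to the server.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# Review what is now allowed outbound; anything unexpected here widens the gateway's reach.
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow |
    Select-Object DisplayName, Profile, Group
```

Inbound agent traffic on the CEM port is unaffected by the outbound default, because replies to accepted inbound connections are handled by the firewall's stateful filtering. Note that Windows ships with a number of predefined outbound allow rules (core networking and similar) that stay in effect after the default action changes; the final Get-NetFirewallRule listing is there so you can decide which of them the gateway really needs.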

Additional Information