Troubleshooting ITMS Agent Communication Failures After Certificate or IIS Changes
Article ID: 430121
Updated On:
Products
Issue/Introduction
After renewing or replacing the IIS certificate, modifying HTTPS bindings, or making changes to the Symantec Management Platform (SMP Server or Notification Server (NS)), managed endpoints stop communicating with IT Management Suite (ITMS).
Common symptoms include:
-
Devices appear Offline in the SMP Console
-
Policies are not updating
-
Inventory is not reported
-
Tasks do not execute
-
Agents show SSL or connection errors in logs
Environment
ITMS 8.7.x, 8.8.x
Cause
When IIS bindings or SSL certificates are modified on the Notification Server without validating:
-
Certificate trust chain
-
Agent Communication Profile configuration
-
HTTPS bindings
-
Client trust of the issuing CA
the Symantec Management Agent (SMA) cannot establish secure communication.
This issue is most commonly caused by:
-
Expired or replaced server certificate
-
Missing intermediate certificate
-
IIS binding misconfiguration
-
Agent Communication Profile mismatch
The agent itself is typically functioning correctly but fails SSL validation.
| Root Cause | Description |
|---|---|
| Expired SSL certificate | Clients reject the server certificate |
| Certificate replaced but trust not updated | Clients do not trust new issuing CA |
| Missing intermediate CA | Trust chain incomplete |
| IIS HTTPS binding misconfigured | Wrong certificate bound to port 443 |
| Agent Communication Profile mismatch | Agent attempts HTTP/incorrect port |
Resolution
Follow these suggested steps:
Step 1 – Validate IIS HTTPS Binding (SMP Server)
-
Open IIS Manager
-
Navigate to:
-
Sites > Default Web Site
-
-
Click Bindings
-
Confirm:
-
HTTPS binding exists
-
Port = 443
-
Correct certificate is selected
-
If changes are required:
Step 2 – Validate Certificate Chain (SMP Server)
-
Open MMC > Add or Remove Snap-ins
-
Add Certificates (Computer Account > Local Computer)
-
Navigate to:
-
Personal > Certificates
-
-
Open the bound certificate
-
Select Certification Path
Confirm:
-
No red X
-
Full certificate chain present
-
Certificate not expired
If intermediate certificates are missing:
-
Import them into:
-
Intermediate Certification Authorities
-
Step 3 – Validate Agent Communication Profile (SMP Console)
-
Open SMP Console
-
Navigate to:
-
Settings > Agents/Plug-ins > Symantec Management Agent > Symantec Management Agent Communication Profiles
-
-
Open active profile
-
Confirm:
-
HTTPS enabled
-
Correct FQDN
-
Port 443 configured
-
-
Click Save Changes
Step 4 – Validate Agent Logs
Agent logs exist in two different locations depending on system type.
4A. If Troubleshooting the SMP Server Agent
Location:
Rollover logs:
agentxx.log
4B. If Troubleshooting a Managed Endpoint
Location:
Rollover logs:
agentxx.log
What to Look For in agent.log
Search for:
SSL Errors
- Could not establish trust relationship
- The underlying connection was closed
- SSL connection could not be established
Connection Errors
- Failed to send request
- Unable to connect to server
- Server is unavailable
Expected vs Problem Indicators
| Scenario | Expected Entry | Problem Indicator |
|---|---|---|
| Normal communication | Configuration updated successfully | Trust relationship failure |
| Successful HTTPS | Connected to server | Certificate validation error |
| Working profile | Server resolved | Unable to resolve host |
Step 5 – Test HTTPS from Client
On an affected endpoint:
-
Open browser
-
Navigate to:
Expected:
-
No certificate warning
-
Valid secure connection
If warning appears:
-
Client does not trust certificate
Step 6 – Force Agent Configuration Update
From the endpoint:
-
Right-click Symantec Management Agent
-
Click Update Configuration
Then immediately review:
You should see:
Step 7 – Restart Agent Service (If Needed)
On endpoint, open a command prompt as Administrator and restart Symantec Management Agent service:
Then recheck agent.log for any relevant log entries.
Step 8 – Validate CRL / Revocation Access
If certificate is valid but communication still fails:
-
Open certificate details
-
Review CRL Distribution Points
-
Ensure endpoints can reach CRL URLs
Blocked CRL access may cause certificate validation failure.
How to Review CRL Distribution Points (CRL DP)
CRL (Certificate Revocation List) Distribution Points define where Windows checks whether a certificate has been revoked.
If endpoints cannot reach the CRL URL listed in the server certificate, SSL validation may fail and agents will not communicate.
Method 1 – Review CRL Distribution Points on the Notification Server
Use this method to inspect the certificate bound in IIS.
Step 1 – Open the Certificate
-
On the SMP Server, press Win + R
-
Type:
-
Click File > Add/Remove Snap-in
-
Add Certificates
-
Select Computer account
-
Select Local computer
-
Click OK
Step 2 – Locate the IIS Certificate
Navigate to:
-
Identify the certificate bound to HTTPS (same thumbprint shown in IIS bindings).
-
Double-click the certificate.
Step 3 – Review CRL Distribution Points
-
Go to the Details tab.
-
Scroll down and select:
-
Click Edit or double-click the field.
You will see one or more URLs similar to:
What to Check
| Check | Expected |
|---|---|
| URLs listed | Reachable from endpoints |
| Protocol | Usually HTTP |
| Internal vs External | Must match client network access |
| No unreachable legacy URLs | Old CA URLs should not exist |
Method 2 – Test CRL Reachability from an Endpoint
This is the most important validation step.
Option A – Browser Test
From an affected endpoint:
-
Copy the CRL URL.
-
Paste it into a browser.
Expected:
-
File downloads
-
Or browser shows raw CRL data
If:
-
Page times out
-
DNS cannot resolve
-
Connection refused
then, CRL is unreachable.
Option B – Use certutil (Recommended)
From affected endpoint:
Steps:
-
Export the server certificate from MMC (Base-64 encoded X.509).
-
Copy to affected endpoint.
-
Run the command above.
Select:
-
CRL Retrieval
Click Retrieve
Expected Result
Failure Example
- Revocation server offline
- The revocation function was unable to check revocation
Why CRL Matters in ITMS
When the Symantec Management Agent connects over HTTPS:
-
Windows validates the certificate chain.
-
Windows checks revocation status via CRL.
-
If CRL is unreachable, validation fails.
-
Agent logs show:
- Could not establish trust relationship
- The underlying connection was closed
How to Fix CRL Issues
Depends on environment:
Option 1 – Restore CRL Publishing
-
Ensure CA is publishing CRL
-
Ensure HTTP location is reachable
Option 2 – Firewall Rule Update
-
Allow outbound HTTP to CRL host
Option 3 – Reissue Certificate
-
Remove unreachable CRL entries
-
Reissue certificate from CA
Validation After Fix
-
Restart agent (run the following from a command prompt as Administrator) on the client machine :
-
Check:
Expected:
-
- Connected to server
- Configuration updated successfully
-
Confirm device shows Online in Console.
Important Clarification
CRL validation behavior depends on:
-
Windows Schannel settings
-
Certificate revocation checking configuration
-
Security baseline / GPO
It is not ITMS-specific behavior — it is Windows certificate validation behavior.
Validation Checklist
| Validation Step | Expected Result |
|---|---|
| HTTPS test in browser | No certificate warning |
| agent.log review | No SSL errors |
| Console view | Device shows Online |
| Last Configuration Request | Updates successfully |
When to Reinstall the Agent
Reinstall only if:
-
Agent installation corrupted
-
Service will not start
-
GUID mismatch persists
-
Certificate thumbprint mismatch remains after profile correction
Reinstallation is not typically required for certificate replacement issues. Running AexNSCHTTPS.exe (AeXNSChttps.exe - package contains NS URL HTTPS address, certificates, and other settings from the Communication profile) should have everything needed for the client machine to communicate back to the SMP Server.
Feedback
