Setting up Cloud-Enabled Management (CEM) with a SAN certificate across split domains and a custom port
Article ID: 440283
Updated On:
Products
Issue/Introduction
You want to configure Cloud-Enabled Management (CEM) in ITMS 8.8.x where:
- The Internet Gateway is in the DMZ and resolves externally as gateway.example.com
- The SMP/Notification Server uses an internal domain: smp.example.net
- A single SAN (Subject Alternative Name) certificate covers both domains
- Agent-to-gateway communication uses TCP port 8443 instead of the default port 443
This configuration is valid but requires careful certificate binding, Gateway Manager setup, and consistent port configuration across three places: the Gateway Manager, the CEM Settings policy, and the perimeter firewall. A mismatch at any of these three points causes agents to fail gateway connection without producing an error in the SMP console.
Environment
Component | Detail |
|---|---|
Product | IT Management Suite (ITMS) 8.8.x |
Internet Gateway external FQDN | gateway.example.com (publicly resolvable) |
SMP/Notification Server internal FQDN | smp.example.net (internal domain) |
Certificate type | SAN certificate covering both FQDNs |
Certificate format | .pfx (PKCS #12) |
IIS binding port (CEM agent site) | 4726 (default; customizable) |
Gateway agent communication port | 8443 (custom; default is 443) |
Cause
The split-domain architecture introduces requirements that a standard wildcard certificate cannot meet:
Requirement | Why it matters |
|---|---|
SAN covers smp.example.net | IIS bindings on the SMP must match the NS FQDN |
SAN covers gateway.example.com | Agents resolve the gateway by its external FQDN; the cert must validate |
Certificate trusted by clients | If issued by an internal CA, the root CA must be distributed to all managed endpoints |
Server Authentication EKU | OID 1.3.6.1.5.5.7.3.1 required; missing EKU causes IIS binding rejection |
RSA algorithm, SHA-256 or higher | SHA-1 is not recommended; MD5 is not accepted |
.pfx format | Required for all ITMS certificate import operations |
Port 8443 open on perimeter firewall (inbound to DMZ) | Agents connect to gateway.example.com:8443 from the internet; if the port is blocked, all CEM traffic fails |
Port 8443 configured in Gateway Manager listener | The gateway service must listen on 8443; leaving the listener on 443 means no agent connection reaches it |
Port 8443 set in the CEM Settings policy | The SMP policy tells agents which port to use; a mismatch sends agents to the wrong port with no console error |
Resolution
CEM allows Symantec Management Agents (SMA) to communicate with the SMP Server over the internet without a VPN. The Internet Gateway sits in the DMZ and acts as a tunneling proxy, it does not store packages. All management traffic routes through it.
When the gateway external name (gateway.example.com) and the SMP internal name (smp.example.net) belong to different domains, a standard wildcard certificate cannot cover both. A SAN certificate that lists both FQDNs as Subject Alternative Names resolves this. The certificate must be bound in IIS on the SMP, imported into the Gateway Manager on the Internet Gateway server, and its thumbprint registered in the CEM policy in the SMP console.
This environment uses TCP port 8443 for agent-to-gateway communication. The Gateway Manager defaults to port 443 for this listener; this guide changes it to 8443. Port 8443 must be configured consistently in three places: the Gateway Manager listener, the CEM Settings policy, and the perimeter firewall. Missing any one of these breaks agent connectivity without generating a console-side error.
Prerequisites before starting:
SSL must already be enabled and agents must communicate successfully over HTTPS. Do not proceed if any agents fail SSL communication. Resolve SSL issues first.
See: Configuring the Symantec Management Platform to Use HTTPS
Configuring the Symantec Management Platform to use HTTPS (SSL) instead of HTTP
Table of Contents
- How it works
- Steps
- Phase 1: Obtain and validate the SAN certificate
- Phase 2: Enable SSL on the SMP server
- Phase 3: Configure the CEM Agent IIS website on the SMP
- Phase 4: Install the Internet Gateway in the DMZ
- Phase 5: Set the listener port and import the SAN certificate
- Phase 6: Add the SMP server to the Gateway Manager
- Phase 7: Configure the CEM Settings policy in the SMP console
- Phase 8 — Generate an offline CEM installation package
- Verification
- Diagnostics
How it works
Understanding the communication flow helps isolate where a failure is occurring.
Components involved:
- Internet Gateway — A Windows server in the DMZ running the Symantec Internet Gateway service. It terminates agent TLS connections on port 8443 and proxies traffic to the SMP over the internal network.
- Gateway Manager — The management UI for the gateway service, installed on the Internet Gateway server. It controls the listener port, certificate binding, and the list of SMP servers the gateway can reach.
- CEM Settings policy — A policy on the SMP console that tells enrolled agents which gateway FQDN, port, and certificate thumbprint to use. Agents embed this configuration and use it for every subsequent CEM connection.
- SAN certificate — A single certificate trusted by the agent's OS cert store, valid for both gateway.example.com (the external name agents resolve) and smp.example.net (the internal SMP name IIS binds to).
Where failures originate:
Failure location | Symptom | Key signal |
|---|---|---|
Certificate not trusted by agent | SSL handshake failure | Agent.log: handshake error |
Port mismatch — CEM policy vs Gateway Manager | Agent connects to wrong port, no response | Agent.log: connection timeout on incorrect port |
Port 8443 blocked by firewall | Agent cannot reach gateway at all | Test-NetConnection returns False |
Gateway Manager not restarted after port change | Gateway still listens on old port | Port test passes on 443, not 8443 |
Wrong credentials in Gateway Manager | Gateway cannot reach SMP | Gateway Manager Servers tab: red/disconnected |
Steps
Work through the phases in order. Each phase depends on the previous one being complete. Do not skip ahead.
Phase 1: Obtain and validate the SAN certificate
Request a SAN certificate from your CA with the following Subject Alternative Names:
- smp.example.net (internal SMP FQDN)
- gateway.example.com (external gateway FQDN)
Verify the certificate meets all ITMS requirements before importing:
Field | Required value |
|---|---|
Subject Alternative Names | smp.example.net, gateway.example.com |
Hashing algorithm | SHA-256, SHA-384, or SHA-512 |
Asymmetric algorithm | RSA (2048-bit minimum) |
Validity | At least 30 days from import date |
Format | .pfx (PKCS #12 with private key) |
Root CA distribution:
- If the certificate is issued by an internal CA, distribute the root CA certificate to the Trusted Root Certification Authorities store on all managed endpoints before proceeding. Agents that do not trust the issuing CA will fail the SSL handshake regardless of correct port and thumbprint configuration.
- If the certificate is from a publicly trusted CA (e.g., DigiCert, Sectigo), no root distribution is needed.
Phase 2: Enable SSL on the SMP server
Skip this phase if SSL is already active and agents communicate over HTTPS.
- Open IIS Manager on the SMP server.
- Navigate to: Server > Sites > Default Web Site > Bindings
- Confirm an HTTPS binding on port 443 exists. If not, add one and bind the SAN certificate.
Verification gate: do not proceed to Phase 3 until all three checks pass:
Check | How to confirm | Pass condition |
|---|---|---|
At least one agent reports Healthy | SMP Console → resource view → agent status | Status shows Healthy under HTTPS |
No SSL errors on a test endpoint | Open Agent.log on a test endpoint | No SSL handshake error entries |
IIS binding present | IIS Manager → Default Web Site → Bindings | HTTPS binding on 443 with the SAN cert assigned |
If any check fails, stop. Do not proceed to CEM configuration until SSL communication is clean. CEM setup on a broken SSL foundation produces failures that are difficult to distinguish from CEM-specific misconfiguration.
Phase 3: Configure the CEM Agent IIS website on the SMP
A dedicated IIS website ("Symantec Agent") is required for CEM agent connections. This site is separate from the main Notification Server website.
- In the SMP console, navigate to: Settings > Notification Server > Cloud-enabled Management > Setup > Cloud-enabled Management Agent IIS Website Settings
- Check Add IIS website for cloud-enabled management agent connections.
- When prompted to select a certificate:
- Do not check "Install certificate" — that option installs a self-signed cert. Agents validate the gateway certificate against their local cert store; a self-signed cert will not be in that store, causing the SSL handshake to fail for all agents.
- Click Import and select the .pfx SAN certificate file.
- Enter the certificate password when prompted.
- Confirm the binding is created on port 4726 (default). Note the port if customized.
- Open IIS Manager on the SMP server and confirm:
- A site named Symantec Agent exists.
- It has an HTTPS binding on port 4726 with the SAN certificate assigned.
- Record the thumbprint of the SAN certificate from the IIS binding: IIS Manager → Server Certificates → select the certificate → Details tab → scroll to Thumbprint. Copy the value and remove all spaces.
Phase 4: Install the Internet Gateway in the DMZ
- In the SMP console, navigate to: Settings > Notification Server > Cloud-enabled Management > Setup > Cloud-enabled Management Setup > Internet Gateway Setup tab
- Download the Internet Gateway installation package (.msi).
- Transfer the .msi to the Internet Gateway server in the DMZ using a secure method.
- On the Internet Gateway server, run the .msi as Administrator. Accept all prompts. .NET is required; install it first if missing.
- After installation, open the Symantec Internet Gateway Manager as Administrator.
Phase 5: Set the listener port and import the SAN certificate
Step 5a must be completed before Step 5b. Setting the port after importing the certificate and adding servers may require reconfiguring the Gateway Manager. Set the port first.
Step 5a: Set the agent listener port to 8443:
- In Gateway Manager, navigate to the General tab.
- Locate the agent listener port field (labeled Agent Port or Listening Port depending on the Gateway Manager version).
- Change the value from 443 to 8443.
- Click Apply or Save.
- Restart the Symantec Internet Gateway service:
- Open services.msc
- Locate Symantec Internet Gateway
- Click Restart
- Confirm the service starts successfully.
If the service fails to start, open Windows Event Viewer → Application log on the Internet Gateway server. The most common cause is a port conflict , another process is already using port 8443. Identify and stop that process before retrying.
This port is what the gateway service binds to and listens on for incoming agent connections. It must match the port in the CEM Settings policy (Phase 7) and the port open on the perimeter firewall.
Step 5b — Import the SAN certificate:
- In Gateway Manager, under Web Certificate, click Change.
- When the SMP Internet Gateway Setup wizard opens:
- Click Next twice.
- Select Import 3rd party certificate.
- Browse to the .pfx SAN certificate file.
- Enter the certificate password.
- Complete the wizard.
- Confirm the certificate now displayed in Gateway Manager shows:
- Subject includes both gateway.example.com and smp.example.net
- Issued by: your CA
- Record the certificate thumbprint as shown in Gateway Manager. This value is entered into the CEM policy in Phase 7.
Phase 6: Add the SMP server to the Gateway Manager
Before adding the SMP, confirm the internal firewall allows the following:
Traffic direction | Source | Destination | Port | Protocol |
|---|---|---|---|---|
DMZ → Internal | Internet Gateway server | smp.example.net | 4726 | TCP |
DMZ → Internal | Internet Gateway server | smp.example.net | 443 | TCP |
These ports must be open before the gateway can connect to the SMP.
- In Gateway Manager, click the Servers tab.
- Click Add and enter the SMP server's internal FQDN: smp.example.net
- When prompted for credentials, enter the NSAppIdentity (AppID or also known as Service Account) service account credentials.
What is NSAppIdentity? It is the Windows service account under which the Altiris (Notification Server) service runs. If the credentials are wrong, Gateway Manager shows a red connection status with no detail message, the only indicator is a failed authentication event in the Windows Security event log on the SMP server.
- Wait for the gateway to connect to the SMP. A green status indicator confirms a successful connection.
- If any Internet Site Servers are assigned to the Default Internet Site, add them here as well using their internal FQDNs.
Perimeter firewall requirements for port 8443:
Traffic direction | Source | Destination | Port | Protocol |
|---|---|---|---|---|
Internet → DMZ (inbound) | Any (internet clients) | gateway.example.com | 8443 | TCP |
Port 8443 inbound is for agent-to-gateway traffic only. If the perimeter firewall performs NAT on port 8443, confirm the internal translated port matches the port the gateway service is listening on.
Phase 7: Configure the CEM Settings policy in the SMP console
- In the SMP console, navigate to: Settings > Notification Server > Cloud-enabled Management > Policy > Cloud-enabled Management Settings
- Click Add to create a new gateway entry (or edit an existing one).
- Fill in the following fields:
Field | Value |
|---|---|
Gateway FQDN | gateway.example.com (the externally resolvable name) |
Port | 8443 (must match the Gateway Manager listener port set in Phase 5a) |
Certificate thumbprint | Thumbprint recorded in Phase 5, Step 9 (no spaces) |
Why this port value matters: The port entered here is what agents embed in their configuration and use for every subsequent CEM connection attempt. If this value does not match the Gateway Manager listener port, agents reach the wrong port, receive no response, and fall back to attempting LAN communication. The console generates no error for this condition.
Diagnosing a port mismatch from the agent side:
Open Agent.log on the affected endpoint: C:\ProgramData\Symantec\Symantec Agent\Logs\Agent.log
A port mismatch produces repeated connection timeout entries targeting the wrong port, with no progression to an SSL handshake. There is no explicit "wrong port" message. If you see SSL handshake error entries, the port is correct but the certificate trust chain has a separate issue.
- Click OK to save.
- Apply the policy to the target agent resource group.
- Enable the policy (toggle to On).
Agents must be reachable on the LAN to receive the CEM policy. Agents that cannot receive the policy over the LAN require an offline CEM installation package (see Phase 8).
Phase 8 — Generate an offline CEM installation package
Use this phase only when:
- The endpoint is currently off the corporate network and cannot reach the SMP over LAN.
- The endpoint is a new machine being provisioned remotely before its first LAN connection.
Do not use this phase for endpoints currently on the LAN. Push the CEM policy directly instead.
- In the SMP console, navigate to: Settings > Notification Server > Cloud-enabled Management > Setup > Cloud-enabled Management Setup
- Generate an offline CEM installation package (under Symantec Management Agent Configuration tab). Enable Automate certificate distribution in the package options.
- Deliver the package to the target endpoints using any available out-of-band method (USB, email, etc.).
- Run the package on the endpoint as a local Administrator.
Verification
After completing all phases, confirm the following:
Check | How to verify | Expected result |
|---|---|---|
Agent connects off LAN | SMP console → resource properties | CEM status: Active, Connected |
System tray | Agent tray icon on test endpoint | Cloud icon visible |
Gateway Manager | Servers tab | SMP shows green/connected |
IIS — Symantec Agent site | IIS Manager → Symantec Agent → Bindings | HTTPS on port 4726 with SAN cert |
CEM policy received | SMP console → Manage → Computers → find the desired resource → Applied Policies tab | CEM Settings policy listed as applied |
Agent logs | <InstallDir>\ProgramData\Symantec\Symantec Agent\Logs\Agent.log | No SSL/cert errors; connection to port 8443 logged |
SMP logs | C:\ProgramData\Symantec\SMP\Logs\ | No gateway connectivity errors |
Reading agent logs:
The following entries are representative of a successful CEM connection. Exact token format and severity labels vary by agent version — use these as search patterns, not literal strings:
[INFO] CEM mode active. Connected to gateway: gateway.example.com:8443
[INFO] Certificate thumbprint validated: <thumbprint>
Diagnostics
Use this table when agents fail to connect after completing all phases. Work through checks in order — each check isolates a different failure point.
Diagnostic step | Command / path | Expected result | If different — triage |
|---|---|---|---|
Verify SAN cert fields | certlm.msc → Personal → Certificates → open cert → Details → Subject Alternative Name | Lists both smp.example.net and gateway.example.com | Missing SAN entry = wrong cert bound; re-import |
Verify IIS binding on port 4726 | IIS Manager → Symantec Agent site → Bindings | HTTPS / port 4726 / SAN cert | Missing binding = CEM site not created; repeat Phase 3 |
Verify Gateway Manager listener port | Gateway Manager → General tab → agent listener port field | Shows 8443 | If showing 443: update the port, restart the gateway service, then retest. If showing 8443 but agents still fail, proceed to the port reachability test. |
Test port 8443 reachability from internet | Test-NetConnection gateway.example.com -Port 8443 (run from an external host) | TcpTestSucceeded : True | False = firewall blocking port 8443 inbound; escalate to network team |
Verify port 8443 in CEM policy | SMP Console → Notification Server → Cloud-enabled Management Settings → gateway entry → Port field | Shows 8443 | If showing 443, agents are configured for the wrong port; update policy and push configuration update to agents |
Verify thumbprint in CEM policy | SMP Console → Notification Server → Cloud-enabled Management Settings → gateway entry | Matches thumbprint shown in Gateway Manager | Mismatch = agents will reject gateway connection; update policy thumbprint |
Verify CEM policy received by agent | SMP Console → Manage → Computers → find the desired resource → Applied Policies tab | CEM Settings policy listed | If not listed: agent not yet reached by policy; confirm agent is on LAN and reachable, or use offline package (Phase 8) |
Check gateway-to-SMP connectivity | Gateway Manager → Servers tab | SMP shows green/connected | Red/disconnected = credential error or firewall blocking DMZ → internal ports; check NSAppIdentity credentials and confirm ports 4726 and 443 are open from DMZ to internal |
Agent CEM status — no cloud icon | Agent.log on the endpoint | Connection entries to port 8443; no SSL errors | Triage order: (1) Check whether CEM policy was received — Applied Policies tab. (2) If policy applied, check Agent.log for SSL or connection errors. (3) If Agent.log shows no connection attempts, the SMA has not yet processed the policy — wait 5 minutes and recheck, or trigger an update from the console. |
Additional Information
CEM High Level Implementation Guide | https://knowledge.broadcom.com/external/article/217904/cloud-enabled-management-cem-high-level.html |
Requirements and usage of third-party commercial certificates with ITMS | https://knowledge.broadcom.com/external/article/241066/requirements-and-usage-of-thirdparty-com.html |
Update or Replace the CEM Internet Gateway certificate | https://knowledge.broadcom.com/external/article/164263/cloud-enabled-management-cem-internet-ga.html |
How to generate a certificate for CEM implementations | https://knowledge.broadcom.com/external/article/201878/how-to-generate-a-certificate-for-cloude.html |
CEM Whitepaper for ITMS (PDF) | |
ITMS TechDocs – Cloud-enabled Management |
Feedback
