Cloud-enabled Agents Access Troubleshooting page: usage and CEM connection reporting (ITMS 8.8.1)


Article ID: 440752


Products

IT Management Suite

Issue/Introduction

Starting in ITMS 8.8.1 (See Using ITMS with Ephemeral Certificates), the Internet Gateway can block agents whose ephemeral certificates cannot be validated against Notification Server (Symantec Management Platform or SMP Server) registration data. When this occurs, affected agents cannot connect to the Notification Server until an administrator explicitly approves or blocks them.

This article covers two related tasks:

  1. Approving or blocking agents that appear on the Cloud-enabled Agents Access Troubleshooting page after the Internet Gateway denies their connections.
  2. Identifying which computers in your environment are currently connecting via CEM (Internet Gateway) vs. a standard LAN connection, using built-in reports, filters, and SQL queries.

For reports, filters, and additional SQL queries covering CEM connection state, see KB 187342 — Reports, filters, and SQL queries to identify computers using Cloud-enabled Management.

Environment

  Scope: Ephemeral certificate troubleshooting (Part 1)
  Version: ITMS 8.8.1 and later (Notification Server and Internet Gateway must both be at 8.8.1)

  Scope: CEM connection reporting, filters, and SQL (Part 2)
  Version: ITMS 8.7.x, 8.8.x

Cause

When gateway troubleshooting settings are enabled, any unrecognized agent presenting an ephemeral certificate is restricted from full environment access. The gateway caches the agent's metadata and synchronizes it with the Notification Server. Communication remains paused until an administrator manually grants an explicit trust status.

The Internet Gateway denies ephemeral certificate connections from agents whose registration cannot be found in Notification Server data. This most commonly occurs after a CMDB rollback during disaster recovery, which removes the agent registration records the Gateway relies on for validation. It can also occur when the Notification Server and Internet Gateway are not both upgraded to 8.8.1, or when a significant time skew exists between components.

Resolution



How it works

Ephemeral certificates and the Internet Gateway

Prior to ITMS 8.8.1, CEM used permanent certificates — long-lived certificates distributed from the Notification Server to agents, renewed manually or automatically on a multi-year cycle. ITMS 8.8.1 introduces ephemeral certificates: short-lived certificates (valid for approximately six hours by default) that agents generate and renew automatically without administrator intervention.

When an agent connects to the Internet Gateway using an ephemeral certificate, the Gateway performs extended validation. It checks the certificate's consistency and validity window, then confirms the agent is registered with the Notification Server. If validation succeeds, the Gateway establishes an SSL tunnel to the Notification Server. If the agent's registration cannot be found, the connection is denied.

The normal end-to-end flow is:

  1. Agent generates an ephemeral certificate and connects to the Internet Gateway.
  2. Internet Gateway validates the certificate format and validity window.
  3. Internet Gateway checks with the Notification Server that the agent is registered.
  4. If registration is confirmed, the SSL tunnel is established and communication proceeds.
  5. The agent renews its ephemeral certificate 63 minutes before expiration. No administrator action is required.

When agents are blocked

The most common scenario where agents are blocked is after a disaster recovery operation that rolls back the CMDB to a prior state, causing some agents' registration records to be lost. The Internet Gateway cannot confirm registration for those agents and denies their connections.

To surface blocked agents in the console, Troubleshooting mode must be enabled on the Internet Gateway. When enabled, the Gateway reports details about denied agents to the Notification Server. Those agents then appear on the Cloud-enabled Agents Access Troubleshooting page, where an administrator can approve or block them.

Troubleshooting mode is off by default. If it is not enabled, the Access Troubleshooting page will be empty regardless of how many agents are blocked.

Time synchronization

Ephemeral certificates depend on time synchronization between the agent, Internet Gateway, and Notification Server. A significant time skew between any of these components can cause certificate validation failures that appear identical to registration failures. The agent synchronizes time with the Notification Server via health reports every 30 minutes by default. If agents are being blocked unexpectedly, verify that all three components are synchronized to the same time source before proceeding with the steps below.


Part 1 — Approving or blocking agents on the Access Troubleshooting page

Step 1: Enable Troubleshooting mode on the Internet Gateway

This step is required before blocked agents appear on the Access Troubleshooting page.

  1. Open Internet Gateway Manager.
  2. Select the Settings tab.
  3. Enable Troubleshooting mode.

Note: Troubleshooting mode is disabled by default. Without it, the Internet Gateway does not report blocked agents to the Notification Server. The Cloud-enabled Agents Access Troubleshooting page will show no results even if agents are actively being denied.

Also confirm on the Settings tab that Allow ephemeral certificates authentication is checked. This setting is enabled by default after upgrading to 8.8.1, but verify that it is selected.

Step 2: Verify Internet Gateway registration with the Notification Server

  1. In Internet Gateway Manager, select the Servers tab.
  2. Confirm the Internet Gateway is registered with the Notification Server.

Note: If the Internet Gateway is not registered with the Notification Server, it rejects all ephemeral certificates from connecting agents. Agents can still connect using permanent certificates in this state.

Step 3: Navigate to the Cloud-enabled Agents Access Troubleshooting page

  1. In the Symantec Management Console, go to Settings > Cloud-enabled Management > Troubleshooting > Cloud-enabled Agents Access Troubleshooting.
  2. In the right-side pane, locate the Troubleshooting Settings section.
  3. Click the View drop-down menu and select Agents blocked on gateway.

The grid displays the Agent Name, Reported by, and Creation Date for each blocked agent.

Note: If the list is empty and you expect blocked agents to be present, confirm that Troubleshooting mode is enabled in Internet Gateway Manager (Step 1).

Step 4: Approve or block the agent

  1. Select the target agent from the grid.
  2. Click Approve to allow the agent to connect to the Notification Server. The Internet Gateway will permit the agent's next connection attempt.
  3. Click Block if the agent is unrecognized or should not have access.

Step 5: Verify the agent is communicating

After approving an agent, wait for the next policy update interval. Then verify on the client device:

  • Open the Symantec Management Agent UI.
  • Check the Network Status panel to confirm the agent is showing a connected state and that the certificate type displayed matches the expected type (Ephemeral or Permanent).
  • Check the Persistent Connection or Non-persistent Connection panel to confirm the connection to the server is active.

Agent-side troubleshooting options

If an agent is not connecting after being approved, the following agent-side tools are available:

  • Agent logs — contain detailed ephemeral certificate information, including validation attempts and renewal events.
  • Agent registry settings — ephemeral certificate validity periods can be adjusted via registry if the defaults do not suit your environment.
  • "Network Status" panel in the Symantec Management Agent UI — shows supported certificate types (Ephemeral / Permanent) and current connection state.


Part 2 — Identifying computers by CEM connection state

Use the options below to identify which computers are currently connecting via an Internet Gateway (CEM mode) vs. a standard LAN connection.

Built-in reports (start here)

Navigate to these reports in the Symantec Management Console:

  Computers by gateway
    Path: Reports > All Reports > Notification Server Management > Cloud-enabled Management > Gateway > Computers by gateway
    Purpose: Most common starting point. Shows computers associated with each gateway.

  Agents Distribution by Connection Type
    Path: Reports > Notification Server Management > Cloud-enabled Management > Agent
    Purpose: Shows a breakdown of connection types across managed computers.

  Agents Distribution by Authentication Type
    Path: Reports > Notification Server Management > Cloud-enabled Management > Agent
    Purpose: Shows counts of devices connecting via permanent certificates, ephemeral certificates, or both. Added in ITMS 8.8.1.

  Cloud-enabled Computers by Authentication
    Path: Reports > Notification Server Management > Cloud-enabled Management > Agent
    Purpose: Provides details on computers that have established CEM connections by certificate type. Added in ITMS 8.8.1.


Built-in filters

  All Computers Currently on the Internet
    Path: Manage > Filters > Computer Filters
    Purpose: Shows computers currently reporting as Internet-connected (IsOnInternet = 1).

  All Computers operating over HTTP
    Path: Manage > Filters > Computer Filters
    Purpose: Helps distinguish HTTP-based communication from HTTPS/CEM scenarios.


Key inventory fields

The primary data source for CEM connection state is Inv_AeX_AC_Network_Zone. The following fields are most useful for reporting and filtering:

  IsOnInternet: The computer is currently communicating over the Internet via a CEM gateway.
  InternetModeSupported: The computer is configured to support CEM.
  AppliedPolicyCount: Number of CEM policies applied to the client. A value greater than 0 confirms CEM has been provisioned.
  HTTPSMode: The client is communicating over HTTPS.
  TLS: TLS state as reported by the data class.


Custom SQL query — current connection state with gateway details

Use this query to list all managed computers with their current connection state and, where available, their assigned Internet Gateway details. Run it in the Database Query utility or add it to a custom report.

SELECT 
    vc.[Guid] AS [ResourceGuid],
    vc.[Name] AS [Computer Name],
    CASE 
        WHEN nz.[IsOnInternet] = 1 THEN 'CEM Mode Active (Internet Gateway)'
        ELSE 'LAN Mode Active (Internal Network)'
    END AS [Connectivity State],
    gw.[Gateway] AS [Assigned Internet Gateway],
    gw.[Port] AS [Gateway Port],
    gw.[Current] AS [Is Current Gateway],
    gw.[Last Success] AS [Last Successful Connection]
FROM vComputer vc
JOIN Inv_AeX_AC_Network_Zone nz ON vc.[Guid] = nz.[_ResourceGuid]
LEFT JOIN Inv_AeX_AC_InternetGatewayDetails gw ON vc.[Guid] = gw.[_ResourceGuid]
WHERE vc.[IsManaged] = 1;

Note: This query returns all managed computers. To isolate CEM-connected devices only, filter the results on Connectivity State = CEM Mode Active (Internet Gateway), or add AND nz.[IsOnInternet] = 1 to the WHERE clause (T-SQL does not allow the column alias to be referenced directly in WHERE).

Schema verification: Before deploying this query in a custom report, confirm that Inv_AeX_AC_InternetGatewayDetails exists in your environment and that the column names match. Run SELECT TOP 1 * FROM Inv_AeX_AC_InternetGatewayDetails to verify. Table and column naming may vary by schema version.

For additional SQL queries — including queries for computers configured for CEM vs. actively connected, and a stricter managed-client view that excludes unmanaged and deleted resources — see Reports, filters, and SQL queries to identify computers using Cloud-enabled Management (KB 187342).

Validation checklist after running a report or query

  1. The computer appears as managed (IsManaged = 1).
  2. The IsOnInternet value matches the client's expected connection state.
  3. The InternetModeSupported value is enabled for CEM-capable systems.
  4. The AppliedPolicyCount is greater than 0 for systems provisioned for CEM.
  5. If required, confirm the computer appears in the Computers by gateway report.
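The checklist above can be evaluated for every managed computer in one pass. The following is an added example, not a query from this article or from KB 187342; it assumes the Inv_AeX_AC_Network_Zone columns listed under Key inventory fields and vComputer.IsManaged as used in the query earlier in this article:

```sql
-- Added example (not part of the KB): one row per managed computer with the
-- checklist values and a status that flags the common mismatch cases.
-- Assumes the Inv_AeX_AC_Network_Zone columns named in "Key inventory fields"
-- and vComputer.IsManaged, as used in the query earlier on this page.
;WITH cem AS (
    SELECT
        vc.[Guid]                           AS [ResourceGuid],
        vc.[Name]                           AS [Computer Name],
        vc.[IsManaged],
        ISNULL(nz.[IsOnInternet], 0)        AS [IsOnInternet],
        ISNULL(nz.[InternetModeSupported], 0) AS [InternetModeSupported],
        ISNULL(nz.[AppliedPolicyCount], 0)  AS [AppliedPolicyCount],
        CASE
            -- Checklist items 3 and 4 pass and the agent is on the gateway.
            WHEN nz.[InternetModeSupported] = 1 AND nz.[AppliedPolicyCount] > 0
                 AND nz.[IsOnInternet] = 1
                THEN 'CEM provisioned - connected via Internet Gateway'
            -- Provisioned for CEM but currently reporting over the LAN.
            WHEN nz.[InternetModeSupported] = 1 AND nz.[AppliedPolicyCount] > 0
                THEN 'CEM provisioned - currently on LAN'
            -- CEM-capable but no CEM policy has applied: provisioning gap.
            WHEN nz.[InternetModeSupported] = 1
                THEN 'CEM supported but AppliedPolicyCount = 0 - check provisioning'
            -- IsOnInternet set without CEM support is inconsistent inventory.
            WHEN nz.[IsOnInternet] = 1
                THEN 'IsOnInternet = 1 but CEM not supported - investigate'
            ELSE 'LAN only - CEM not configured'
        END AS [CEM Status]
    FROM vComputer vc
    JOIN Inv_AeX_AC_Network_Zone nz ON nz.[_ResourceGuid] = vc.[Guid]
    WHERE vc.[IsManaged] = 1            -- checklist item 1
)
-- Detail view: one row per computer, mismatches sorted first by status text.
SELECT * FROM cem
ORDER BY [CEM Status], [Computer Name];

-- Summary view: how many computers fall into each status.
SELECT [CEM Status], COUNT(*) AS [Computers]
FROM cem
GROUP BY [CEM Status]
ORDER BY [Computers] DESC;
```

Run both statements together in the Database Query utility; the second result set gives the counts to compare against the Computers by gateway report (checklist item 5).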

Additional Information

Using ITMS with Ephemeral Certificates — Broadcom TechDocs (PDF)

Reports, filters, and SQL queries to identify computers using Cloud-enabled Management (KB 187342)

Cloud-Enabled Management Troubleshooting and Maintenance Tasks — TechDocs

Cloud-Enabled Management High Level Implementation Guide (KB 217904)