There is a need to push out a new certificate thumbprint for CEM agents. After following directions in the KB Update or Replace the Cloud-Enabled Management (CEM) Internet Gateway certificate, agents are losing the replaced thumbprint before it expires and before it is replaced on the actual Gateway/s.

This can be verified on client machines by checking the following registry entry:

HKLM\Software\Altiris\Communications\Secure Gateways\{GUID of gateway} DWORD "Cert Thumbprint"

ITMS 8.7.2

Defect

This issue has been fixed in ITMS 8.7.3

Workaround:
instead of replacing the original expiring thumbprint in the CEM policy, add an additional entry for the gateway by external IP address with the new replacement thumbprint as shown here:

To verify the external IP address of your internet gateway(s), run the following command from a computer disconnected from the corporate network but connected to the internet:

Command prompt:

nslookup gateway.fqdn.com

NOTE: The entries in the screenshot above are examples only and should not be used in production.