Client Management Suite

 View Only

 Additional IIS bindings for SMP

Rufus Swart's profile image
Rufus Swart posted Jan 15, 2021 08:00 AM
Hi,

We want to add additional iis bindings for a 3rd party integration, when we add the additional binding the agents then start to connect on the new binding and the persistent  connections are terminated and falls back to the normal https and tickle connections.

is there a way to add the binding so the agents will not use that to communicate?

Thanks in advance,
Rufus
Sergei Zjaikin's profile image
Broadcom Employee Sergei Zjaikin posted Jan 18, 2021 02:49 AM
What exactly is this new binding?
Agent knows only about the server URL specified during the agent installation, like https://server.company.com:443/Altiris, and also agent knows about the alternative server host names and ports from the server connection profile. Using that URL and alternative host names and ports agent is trying to build server URLs and accessing them until it find one that works.
So addition of the new IIS binding on some not known to the agent port should not break anything.
So what exactly is this new binding?

thanks,
sergei
Rufus Swart's profile image
Rufus Swart posted Jan 18, 2021 03:04 AM
Hi Sergei,

The new binding is 2801 on the same uri, but with a different cert.

I removed the additional binding and cert and the agents went back to communicating as normal, I then added the binding 2801 with the same cert and the agents did not change as before.

This leads me to believe that the multi cert on the same uri is causing it. Do you know what the process would be to change the SMP web cert to a 3rd party signed cert?

Kind Regards,
Rufus
EduardSch's profile image
Broadcom Employee EduardSch posted Jan 18, 2021 04:21 AM
Hi,

generally, additional biding (another port) with some other certificate must not cause any problems with agent connectivity. Agents will just not know about it. I know that setting another certificate for same port will break connectivity. This is kind of unsupported configuration that can't be set from IIS UI for example.

If you want to replace existing web certificate with other one, use Certificate Management page in NS console. Settings - Notification Server - Certificate Management. Select "NS web site certificate" and initiate replacement operation. It will take care of updating connection profiles etc. As soon as agents will get info about new NS web certificate, you will be able to finalize replacement operation from same UI - old certificate will be removed from profiles and new certificate will be set for binding.

Thanks,
Ed.