Client Management Suite

  • 1.  CEM clients to try and fail communication to alternate NS

    Posted Jul 26, 2019 11:42 AM

    All clients are external CEM on HTTPS Persistent connection, or were.  Some are upgraded to 8.5 RU2; some are still at 8.5.

    We have 3 Internet gateways set up.  They all have the first FQDN:443 in them with the certs.  The clients had been communicating fine. 

    I have tried using RAAD but since they are not on the network and not pingable by network I cannot reach them without some type of RDP.

    Problem:

    In the communication profile I appended to the first fqdn:443;another.domain.com

    I hit the save button and many of the CEM clients started using the another.domain.com FQDN as their NS.  This was very unexpected.

    But the switch happened almost immediately.

    I took out the appended FQDN and saved.  Of course the clients did not revert back.

    I did take a look at one of the clients and it has both server names listed but using the wrong one.

    Q: Will the client revert back to the original FQDN for the NS? If so, how long to wait?

    Q: If clients will not revert back on their own, what, if anything, can be done remotely to get them to revert back?

     



  • 2.  RE: CEM clients to try and fail communication to alternate NS

    Broadcom Employee
    Posted Jul 30, 2019 07:14 AM

    Hi MrAnderson!

    Do all CEM Gateways have both first fqdn:4726 & another.domain.com:4726 added in the "Servers" tab of the CEM Gateway Manager UI?

    Thanks,

    IP.



  • 3.  RE: CEM clients to try and fail communication to alternate NS

    Posted Jul 30, 2019 03:27 PM

    The "another.domain.com:4726" is not in the CEM gateway.

     



  • 4.  RE: CEM clients to try and fail communication to alternate NS

    Broadcom Employee
    Posted Jul 31, 2019 01:30 AM

    Try to add "another.domain.com:4726" in all CEM Gateways, so the CEM Agent should establish a connection to NS and receive the updated NS Communication profile with your current NS URL there.



  • 5.  RE: CEM clients to try and fail communication to alternate NS

    Posted Aug 02, 2019 10:48 AM

    I have put another.domain.com:4726 in the CEM gateways and it shows as established, but the agents that are trying to communicate through are still not able to.



  • 6.  RE: CEM clients to try and fail communication to alternate NS

    Broadcom Employee
    Posted Aug 02, 2019 12:05 PM

    And what do the CEM Gateway logs and Symantec Management Agent logs say? Without info from the logs, we can't understand right now what went wrong. Maybe there are network issues between another.domain.com:4726 and the CEM gateway, or between the CEM agent and the CEM Gateway while trying to connect using another.domain.com:4726 (firewall rules, 3rd-party software which blocks the final communication, etc.).

    • CEM logs: you can open the CEM Manager UI and start the log viewer there
    • SMA logs are in "C:\ProgramData\Symantec\Symantec Agent\Logs"

     



  • 7.  RE: CEM clients to try and fail communication to alternate NS

    Posted Aug 19, 2019 01:39 PM

    I thank you for your answers and suggestions.  It seems once again the only fix is to reinstall the agents.  We really need to find a way to make this CEM have a way to call back home to an older server if the agent cannot communicate with the new one, without reinstalling and jumping through rings of fire to get it to work again.



  • 8.  RE: CEM clients to try and fail communication to alternate NS

    Broadcom Employee
    Posted Aug 23, 2019 06:54 AM

    For such cases, when a DNS alias of NS is added in the communication profile and you have a CEM environment, you need to add this additional DNS alias in the CEM Gateway as well and make sure that the required certificates are also added in the NS communication profile.

    Also check how the CEM gateway itself resolves the additional NS DNS alias name (ensure that any 3rd-party firewall has allow rules for the additional NS DNS alias name).

    Test on only 1 intranet or CEM-managed computer, and test newly added settings such as an additional DNS alias, before sending them to all managed computers.

    In your case, of course, if detailed logging on the CEM Gateway, CEM Agent and NS side is enabled, then this will be more informative for understanding what is wrong there.

     

     



  • 9.  RE: CEM clients to try and fail communication to alternate NS

    Posted Apr 06, 2020 01:55 PM
    Your information is very interesting. Thank you for sharing