Client Management Suite

  • 1.  Moving Clients from Old NS to New NS

    Posted Oct 14, 2020 05:17 PM
    Edited by Dale Anderson Oct 14, 2020 05:19 PM
    Evening,

    I have worked with the article

    From <https://help.symantec.com/cs/ITMS8.0/SMPLAT/v39770580_v113932717/title?locale=EN_US>
    and

    How to move or migrate Management Agents from one Notification Server to another.


    I have exported the communication profile with only HTTPS as the communication along with the checkbox for CEM checked.

    FYI... I exported using the FIPS...encryption.  I actually tried both.

    export smp server communication



    Imported to the old server and set the communication profile to target only test computers.

    Move 006 clients to new ns
    I have this turned on now with in the advance tab I selected the communication profile for the new server.

    I put the clients that I want to move into the target group and it runs but gives 403 error.

    Cannot change the server to 'https://NewNS:443/altiris', error: HTTP status 403: The client does not have sufficient access rights (0x8FA10193)

    Configure Server Mode: Failed to receive server version from 'newns'

    Request 'HTTPS://newns:443/altiris/NS/Agent/ConnectionTest.asp' failed, COM error: HTTP status 403: The client does not have sufficient access rights (0x8FA10193)

    Host: newns:443
    Path: /altiris/NS/Agent/ConnectionTest.asp
    Connection Id: 2.328
    Communication profile Id: {DE2C241B-BA08-486B-A0E5-4A7409827070}
    Throttling: 0 0 0
    Error type: HTTP error
    Error code: HTTP status 403: The client does not have sufficient access rights (0x8FA10193)
    Error note: 403 Forbidden
    Server HTTPS connection info:
    Server certificate:
    Serial number: 2d 59 32 e4 5d 2d e6 a8 46 c3 b4 cb 94 e9 9c 73
    Thumbprint: 48 95 9f c4 5d 08 8b 5a aa a6 c1 be 6b f2 c5 86 cc ea c3 2f
    Cryptographic protocol: TLS 1.2
    Cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    Cipher algorithm: AES
    Cipher key length: 256
    Hash algorithm:
    Hash length: 0
    Key exchange algorithm: ECDH
    Key length: 255

    Calling NS server endpoint 'HTTPS://newns.com:443/altiris/NS/Agent/ConnectionTest.asp', ID: {0D9D9CB4-C19A-4E16-A3CC-98940ED043D0}
    Calling NS server endpoint 'HTTPS://newns443/altiris/NS/Agent/ConnectionTest.asp', ID: {0D9D9CB4-C19A-4E16-A3CC-98940ED043D0}

    I have made sure by going into the Diagnostic mode on the client that the permanent Certs for the newNS are on there along with the Old NS in the trusted root.

    I have also made sure that in the IIS the settings are correct for the getcertificate for both the default site agent and the CEM Site agent.

    I created a software package to deliver and import the Communication profile for the new NS.

    I have run both from a command prompt and from the Diagnostic mode the switch server and still get the same errors.

    I have searched through much of the Symantec / Broadcom documentation and most keep pointing back to the same articles that are above.

    I did see that one person in 2019 was having pretty much the same issue and there was no resolution just the same articles referenced.

    If you have any other suggestions other than the ones above or have tricks or perhaps I am missing a setting please let me know.

    I will say that I have one client that has worked twice.  I imported the communication profile and then ran the switch server from the diagnostic mode.  1st time it seemed to work without a problem.  
    After uninstalling the client and reinstalling the old client again  I was running into the same issues listed above.  Then I let it set for a couple of hours and when I came back to it it had changed to the new server.

    With another client that is on the LAN it never did move.  Just the errors  403.. insufficient permissions.

    Thanks for your help in getting this resolved.  I am sure you will be helping others as well.







    ------------------------------
    Growmark| Inc
    ------------------------------


  • 2.  RE: Moving Clients from Old NS to New NS

    Broadcom Employee
    Posted Oct 14, 2020 11:18 PM
    Hi MrAnderson!

    1. What NS version is the "old NS server"? What Windows Server OS does it have?
    2. What NS version is the "new NS server"? What Windows Server OS does it have?
    3. Does the problem with error 403 occur on CEM-connected and Intranet-connected client computers?
    4. Does the new NS server have a CEM web site created/running, and is the CEM policy enabled with the old/new CEM Gateway connected?
    Thanks,

    IP.

    ------------------------------
    Software QA Engineer
    Broadcom Inc.
    ------------------------------



  • 3.  RE: Moving Clients from Old NS to New NS

    Posted Oct 30, 2020 11:32 AM
    IP,

    The NS versions were the same, 8.5 RU4. Windows OS was 2016 Standard on both.
    CEM clients and the installer have worked great. No problems with that.

    The problem was in the IIS and its configuration.  

    Also we had to use a public domain.com to get some of the clients to register correctly with the new NS.  CN=NS.companyname.com

    Thanks for your willingness to help.  It is appreciated.

    Dale

    ------------------------------
    Growmark| Inc
    ------------------------------
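
A triage helper for the kind of agent log quoted in the first post, added here as an example and not part of the thread or of any Symantec/Broadcom tooling: it lists every host name the agent targeted, compares each with the certificate name the agent is expected to use, and separates a completed TLS session from the HTTP 403 that followed it. The function name `triage`, the parameter `expected_cn`, and the sample log (constructed from the lines quoted above) are assumptions; the name comparison is an exact match and ignores SAN and wildcard entries.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: agent log lines modelled on those quoted in the first post.
SAMPLE_LOG = """\
Request 'HTTPS://newns:443/altiris/NS/Agent/ConnectionTest.asp' failed, COM error: HTTP status 403: The client does not have sufficient access rights (0x8FA10193)
Cryptographic protocol: TLS 1.2
Calling NS server endpoint 'HTTPS://newns.com:443/altiris/NS/Agent/ConnectionTest.asp', ID: {0D9D9CB4-C19A-4E16-A3CC-98940ED043D0}
Calling NS server endpoint 'HTTPS://newns443/altiris/NS/Agent/ConnectionTest.asp', ID: {0D9D9CB4-C19A-4E16-A3CC-98940ED043D0}
"""

URL_RE = re.compile(r"'(https?://[^']+)'", re.IGNORECASE)
STATUS_RE = re.compile(r"HTTP status (\d{3})")
TLS_RE = re.compile(r"Cryptographic protocol:\s*(.+)")


def triage(log_text, expected_cn):
    """Summarise which hosts the agent contacted and how the server answered.

    expected_cn is the certificate subject name the agent should be using
    (hypothetical parameter; the last reply mentions CN=NS.companyname.com).
    """
    hosts, statuses, tls = [], [], None
    for line in log_text.splitlines():
        for url in URL_RE.findall(line):
            host = (urlsplit(url).hostname or "").lower()
            if host and host not in hosts:
                hosts.append(host)
        statuses += [int(s) for s in STATUS_RE.findall(line)]
        match = TLS_RE.search(line)
        if match:
            tls = match.group(1).strip()
    return {
        "hosts": hosts,
        # Hosts the agent used that differ from the expected certificate name.
        "name_mismatch": [h for h in hosts if h != expected_cn.lower()],
        "statuses": sorted(set(statuses)),
        "tls": tls,
        # An HTTP status received over a negotiated TLS session means the
        # handshake completed, so a 403 is the web server refusing the
        # request rather than a certificate trust failure on the client.
        "server_side_denial": tls is not None and 403 in statuses,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, "NS.companyname.com").items():
        print(f"{key}: {value}")
```
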