Symantec Management Platform (SMP) Community

Hi all,

Reading up on constrained package servers and found this article from last year: https://knowledge.broadcom.com/external/article?legacyId=tech252734

It says that constrained package servers without an explicitly designated unconstrained package server source will wait four hours before contacting the NS directly to acquire a package it could not otherwise receive.

Previously, package replication happened via CEM using a SWD policy which would toggle the Force CEM Gateway registry entry for a few hours each night, but that key has not worked since upgrading to 8.5 RU3, and I've not been able to find an alternative measure.

Is there a way to extend this timeout, or better still, a way to prevent it entirely? (Short of disabling the Altiris Agent!)
We have some quite isolated satellite sites in need of careful bandwidth management and standard constraint functionality - which was already problematic, since uPS assigned to constrained sites would sometimes serve requests from clients at the constrained site and create exactly the bandwidth problems we sought to avoid - is no longer fit for purpose.

Any advice would be appreciated.


------------------------------
--None--
------------------------------

Do you mean "Prefer Secure Gateway Connect" entry? This entry should be working as before in the latest RU3 hot fix or RU4. 
You could also use throttling periods to limit the traffic.
You could also use blockout functionality to prevent communications to servers instead of disabling Altiris agent.
Have you tried those? What were the problems?

Original Message:
Sent: 09-10-2020 02:44 AM
From: David McGahan
Subject: Constrained Package Servers

Hi all,

Reading up on constrained package servers and found this article from last year: https://knowledge.broadcom.com/external/article?legacyId=tech252734

It says that constrained package servers without an explicitly designated unconstrained package server source will wait four hours before contacting the NS directly to acquire a package it could not otherwise receive.

Previously, package replication happened via CEM using a SWD policy which would toggle the Force CEM Gateway registry entry for a few hours each night, but that key has not worked since upgrading to 8.5 RU3, and I've not been able to find an alternative measure.

Is there a way to extend this timeout, or better still, a way to prevent it entirely? (Short of disabling the Altiris Agent!)
We have some quite isolated satellite sites in need of careful bandwidth management and standard constraint functionality - which was already problematic, since uPS assigned to constrained sites would sometimes serve requests from clients at the constrained site and create exactly the bandwidth problems we sought to avoid - is no longer fit for purpose.

Any advice would be appreciated.


------------------------------
--None--
------------------------------

Hi Sergei,

Apologies for letting this lapse, busy few weeks.

Our original method was the Prefer Secure Gateway Connect registry entry (a REG_DWORD value in HKLM\SOFTWARE\Altiris\Communications), that's correct.

Somewhere along the line that stopped working - we'd toggle the registry entry between 0 and 1 for a few hours each night and packages would replicate over our public internet connection to each site instead of over the (much) slower WAN. Orders of magnitude faster.

CEM itself still works for mobile clients and such - extremely handy when dealing with a distributed fleet during COVID - but we'renow  no longer able to force the Altiris Agent at our sites to use CEM if it also detects an existing "internal" connection back to our central office, and no amount of fiddling with the other registry entries has led me to a solution. It used to work, and now it doesn't, and that's immensely frustrating, so my next option is to severely throttle all sites until the off-hours.

I will look into blockout periods - I believe my predecessor had little luck with those, but I will consult with her to confirm. Thank you for the suggestion.

------------------------------
--None--
------------------------------

Original Message:
Sent: 09-11-2020 02:41 AM
From: Sergei Zjaikin
Subject: Constrained Package Servers

Do you mean "Prefer Secure Gateway Connect" entry? This entry should be working as before in the latest RU3 hot fix or RU4.
You could also use throttling periods to limit the traffic.
You could also use blockout functionality to prevent communications to servers instead of disabling Altiris agent.
Have you tried those? What were the problems?

Original Message:
Sent: 09-10-2020 02:44 AM
From: David McGahan
Subject: Constrained Package Servers

Hi all,

Reading up on constrained package servers and found this article from last year: https://knowledge.broadcom.com/external/article?legacyId=tech252734

It says that constrained package servers without an explicitly designated unconstrained package server source will wait four hours before contacting the NS directly to acquire a package it could not otherwise receive.

Previously, package replication happened via CEM using a SWD policy which would toggle the Force CEM Gateway registry entry for a few hours each night, but that key has not worked since upgrading to 8.5 RU3, and I've not been able to find an alternative measure.

Is there a way to extend this timeout, or better still, a way to prevent it entirely? (Short of disabling the Altiris Agent!)
We have some quite isolated satellite sites in need of careful bandwidth management and standard constraint functionality - which was already problematic, since uPS assigned to constrained sites would sometimes serve requests from clients at the constrained site and create exactly the bandwidth problems we sought to avoid - is no longer fit for purpose.

Any advice would be appreciated.


------------------------------
--None--
------------------------------

HI all,

Quick update to this thread: we ended up revisiting the Agent blockout period options for the affected machines, disabling only package downloads for clients until after hours. The site servers themselves have had their traffic throttled to 128KB/s during business hours, and we're hoping Altiris 8.6's CEM improvements will address the concerns we have around CEM no longer behaving as it did in previous versions of the platform (i.e. dynamically switching between WAN and public internet as the conduit for package traffic).

It's all a bit messy, but it seems to work, and we're content to leave it in place and monitor for now.

------------------------------
Tech Monkey/IT Primate
------------------------------

Original Message:
Sent: 11-11-2020 02:59 AM
From: David McGahan
Subject: Constrained Package Servers

Hi Sergei,

Apologies for letting this lapse, busy few weeks.

Our original method was the Prefer Secure Gateway Connect registry entry (a REG_DWORD value in HKLM\SOFTWARE\Altiris\Communications), that's correct.

Somewhere along the line that stopped working - we'd toggle the registry entry between 0 and 1 for a few hours each night and packages would replicate over our public internet connection to each site instead of over the (much) slower WAN. Orders of magnitude faster.

CEM itself still works for mobile clients and such - extremely handy when dealing with a distributed fleet during COVID - but we'renow  no longer able to force the Altiris Agent at our sites to use CEM if it also detects an existing "internal" connection back to our central office, and no amount of fiddling with the other registry entries has led me to a solution. It used to work, and now it doesn't, and that's immensely frustrating, so my next option is to severely throttle all sites until the off-hours.

I will look into blockout periods - I believe my predecessor had little luck with those, but I will consult with her to confirm. Thank you for the suggestion.

------------------------------
--None--

Original Message:
Sent: 09-11-2020 02:41 AM
From: Sergei Zjaikin
Subject: Constrained Package Servers

Do you mean "Prefer Secure Gateway Connect" entry? This entry should be working as before in the latest RU3 hot fix or RU4.
You could also use throttling periods to limit the traffic.
You could also use blockout functionality to prevent communications to servers instead of disabling Altiris agent.
Have you tried those? What were the problems?

Original Message:
Sent: 09-10-2020 02:44 AM
From: David McGahan
Subject: Constrained Package Servers

Hi all,

Reading up on constrained package servers and found this article from last year: https://knowledge.broadcom.com/external/article?legacyId=tech252734

It says that constrained package servers without an explicitly designated unconstrained package server source will wait four hours before contacting the NS directly to acquire a package it could not otherwise receive.

Previously, package replication happened via CEM using a SWD policy which would toggle the Force CEM Gateway registry entry for a few hours each night, but that key has not worked since upgrading to 8.5 RU3, and I've not been able to find an alternative measure.

Is there a way to extend this timeout, or better still, a way to prevent it entirely? (Short of disabling the Altiris Agent!)
We have some quite isolated satellite sites in need of careful bandwidth management and standard constraint functionality - which was already problematic, since uPS assigned to constrained sites would sometimes serve requests from clients at the constrained site and create exactly the bandwidth problems we sought to avoid - is no longer fit for purpose.

Any advice would be appreciated.


------------------------------
--None--
------------------------------