Hello Ain,
Yes, you should be able to go into SIM on the new server and apply the previous NS server configuration (NS certificates, KMS keys, etc.) onto the new NS. But that is step 10. Step 9 would still need to happen as well if you have CEM Agents as this step lets you reuse the CEM web site certificate that you had previously.
Are you using Cloud Enabled Management (CEM)?
If so, do CEM Agents have connectivity back to the SMP through VPN, or is connectivity only through CEM? If only through CEM we need to be extremely careful with any certificate changes, or it may be necessary to reinstall the CEM Agent package again on all CEM systems.
You could check IIS Bindings for port 4726 on the new server. Do you have this port bound? Is the correct certificate being used? Does it match the CEM Web site certificate listed in Certificate Management? Port 443 binding should be the NS web site certificate. Customers sometimes make these the same 3rd party certificate, but we don't recommend that as it's less secure. By default, Port 4726 and 443 on the SMP have a different certificate, which is seen in IIS Bindings and also the Certificate Management page. (The SMP makes changes to IIS Bindings as certificates change in Certificate Management. It's not necessary or recommended to change IIS Bindings directly in IIS.)
If you'd rather have someone walk through this with you on a WebEx, please create a support case and we'd be happy to make sure everything is working and correct.
Best Regards, Roy
Original Message:
Sent: Feb 11, 2024 10:07 PM
From: Ain Abdullah
Subject: Unable to import certificate for https agent connection
Performed a migration from an old to a new server with the following scenario.
- from Windows Server 2012 R2 to Windows Server 2019
- same hostname and IP
- from 8.5 RU2 to 8.7.1
- agents are migrated through DNS change
- Data on an existing server was not migrated
- Agent with https communication has not been restored
Have been trying to import the old server certificate into the new server/console but the old certificate does not seem to be imported. The old server certificate did not appear in the certificate list.
If the new console is now up and running, can I still go back to SIM and apply step 9 of this document to restore the previous certificate?
https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/it-management-suite/ITMS/Getting-Started/migration-scenarios-and-troubleshooting/migrating-to-a-new-smp-server-while-keeping-the-same-hostname-and-ip-address.html#concept.dita_120a6264-5b13-4823-8fbd-f34eccf03677_Step_9
If not, is there a way to restore the https agent communication to the new server, with the same hostname and IP?
Regards,
Ain Abdullah
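
The IIS binding check described in the reply above can be done read-only from PowerShell. This is an added example, not part of the thread and not Broadcom's tooling; it assumes an elevated prompt on the new SMP server with the IIS `WebAdministration` module available, and the thumbprints it prints still have to be compared by eye against the Certificate Management page in the console.

```powershell
# Added example: read-only report of the HTTPS bindings on ports 443 and 4726.
# It changes nothing in IIS; the SMP manages these bindings itself.
Import-Module WebAdministration

$ports = 443, 4726   # 443 = NS web site, 4726 = CEM web site (per the reply above)
$bindings = Get-ChildItem IIS:\SslBindings | Where-Object { $ports -contains $_.Port }

$report = foreach ($port in $ports) {
    $onPort = @($bindings | Where-Object Port -eq $port)
    if ($onPort.Count -eq 0) {
        Write-Warning "No HTTPS certificate binding found on port $port"
        continue
    }
    foreach ($b in $onPort) {
        # Look the bound thumbprint up in the machine store named by the binding.
        $cert = $null
        if ($b.Store -and $b.Thumbprint) {
            $cert = Get-Item "Cert:\LocalMachine\$($b.Store)\$($b.Thumbprint)" -ErrorAction SilentlyContinue
        }
        if (-not $cert) {
            Write-Warning "Port ${port}: bound certificate not found in the certificate store"
        }
        [pscustomobject]@{
            Port          = $port
            Thumbprint    = $b.Thumbprint
            Store         = $b.Store
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
        }
    }
}

$report | Format-Table -AutoSize

# The reply notes that 443 and 4726 use different certificates by default
# and that sharing one certificate is not recommended.
$t443  = @(($report | Where-Object Port -eq 443).Thumbprint)
$t4726 = @(($report | Where-Object Port -eq 4726).Thumbprint)
$shared = @($t4726 | Where-Object { $_ -and ($t443 -contains $_) })
if ($shared.Count -gt 0) {
    Write-Warning "Ports 443 and 4726 are bound to the same certificate: $($shared -join ', ')"
}
```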