IT Management Suite

Can someone please answer a few basic questions on this?

1. We are currently running Altiris 7.1 SP2.  I see the upgrade path to 7.5x would require us to upgrade to 7.1 SP2 MP1.1 first, then 7.5x.  Each of these versions require agent upgrades, but I see 7.5 has some backward compatibility for agents.  So would we really need all agents on both clients and site servers to be at MP1.1 level prior to upgrading to 7.5x?

2. We did not choose to use HTTPS for our current installation.  Can that be configured after upgrading in order to use CEM?

3. Does CEM allow me to have laptop users belong to one site when on the internal network, but then a different site when on the Internet?  This statement in the docs is confusing:  "The computers that you want to manage over the Internet should be organized into one or more sites. These sites should be dedicated to Cloud-enabled agents and must not contain any directly managed agents."

4. Can the gateway server also be a task and package server for patch and software?

Thanks for the reply Igor.

On the first question I guess my point was that I don't think I can upgrade client agents to 7.1 SP2 MP1.1 in a timely manner (laptops that don't connect often), so will the 7.5 legacy agent communication mode allow clients with just the 7.1 SP2 agents to communicate properly with 7.5?

On question 4, if using the gateway as a site server is not good, can one datacenter site server handle both internal clients and CEM clients?  Or do I need a separate site server for CEM clients?

Hi K.Kennedy,

1. About "Legacy Agent Communication":

• If you will have enabled "Legacy Agent Communication" on upgraded SMP 7.5.x server, then it will allows to communicate all managed endpoints where SMA is 7.1 SP2 MP1.1.x version.
• If "Legacy Agent Communication" will be disabled, then SMA 7.1 SP2 MP1.1.x will unable to communicate with upgraded SMP 7.5.x server (will doesn't receive policies, etc)

I've attached screenshot from SMP Console documentation.

2. About DataCenter as CEM Gateway OS:

"CEM Gateway" is supported only on Windows 2008 R2 SP1 x64 Server OS

• Please check this page: https://www-secure.symantec.com/connect/forums/has-anyone-tried-installing-cem-internet-gateway-windows-web-server-2008-r2-sp1

You will need to determine which your remote Site Server will also communicate with clients, which are in Cloud and working through CEM Gateway. In CEM Gateway you will be able to add "SMP Server" and also there is an option to add there "Site Servers" as well.

Thanks,

IP.

The question was, will 7.5 support "7.1 SP2" agents (not 7.1 SP2 *MP1.1*).  What happens if I don't get all my agents upgraded to MP1.1 prior to going to 7.5?

The other questions was, do I need a separate site server (package server) for CEM clients only?  Yes or No? Trying to determine resources needed to make this move.

About agent version prior to SMP 7.5:

I don't know how will behave 7.1 SP2 agent without MP1.1 with upgraded SMP 7.5, but better is to have at least 1 supported agent version upgrade path prior to SMP 7.5 SP1.

Supported upgrade paths for ITMS 7.5 SP1

• http://www.symantec.com/docs/DOC7345

SMP is Upgraded from 7.1 SP2 MP1.1 to 7.5 SP1 + HF(x) -> and then perform an upgrade of agents to 7.5 SP1 HF(x), which currently are 7.1 SP2 MP1.1 and their version is matched to supported upgrade path version. ("LAC" should be enabled on upgraded SMP 7.5 Server, to allows 7.1 SP2 MP1.1 clients to communicate with NS).

About Site Servers for CEM/Intranet:

• You can use your current remote Site Server(s) for CEM clients as well as for Intranet clients.
• If there are overloads, etc, you can always add/install additional Site Server(s).

Recommended maximum computer count for IT Management Suite 7.5:

• Page 63: http://www.symantec.com/docs/DOC5670

NB!

Please ignore this step and do not perform it aexconfig.exe /configure /coresettings.config to generate "SMP Server CA" and "SMP Agent CA"!

If you don't have them now in 7.1 version, then check whether they will appear after upgrade to SMP 7.5 version or not. Please let me know then, if they still will not be available in "Trusted Root" certificate store even after upgrade.

Thanks,

IP.

Hi K. Kennedy

1. You can just perform SMP Server side upgrades and after that perform upgrade of SMA on Site Server(s) - then Site Servers plugins upgrade - and then client(s) SMA and other plug-ins upgrade

You can check similar thread about such case:

•     https://www-secure.symantec.com/connect/forums/upgrade-path-75-hf5-75sp1hf3

2. Need to make sure that there are "SMP Server CA" and "SMP Agent CA" certificates in "Trusted Root" on SMP Server machine. (Also rememver that after switching to HTTPs, all current managed endpoint may loose connection with SMP Server, due SSL Handshake error, etc).

If they aren't there, then ask support to get these certs on SMP server.

About HTTP/HTTPs on SMP Server:

• https://www-secure.symantec.com/connect/forums/error-generating-cloud-based-agent-failed-generate-package-https-ns-base-url-must-be-used-int

About generation of "SMP Server CA" and "SMP Agent CA" certificates:

• https://www-secure.symantec.com/connect/forums/cem-your-experience

3. There is a "Default Internet Site" on Site Server Management page on SMP Console, where you can assign it to appropriate Site/Site Servers (There should be a mention about this in documentation). And if you have some remote Site Server(s), then add them to CEM gateway as Site Server as well.

4. Theorically you can install there SMA and then all required Site Server plug-ins, but I'm not sure that this will be a good way, when you have there CEM gateway and also Site Server components = Will be a overload to system?

Thanks,

IP.