United Kingdom Endpoint Management User Group

  • 1.  7.6 Agent - HTTP vs HTTPS

    Posted Mar 07, 2016 10:24 AM

    We've just upgraded our CMS 7.5 systems to 7.6 HF7.  All has gone (mostly) smoothly, but we did wonder about the change in 7.6 with the availability of 2 Symantec Management Agent clients - one for http and one for https connections.

    My questions are these:

    1. Are there any differences between the 2 agents, apart from the security of the connection?  I assume no other additional functionality?
    2. Are there any issues with using https agents - do they introduce any issues around SSL certificates, or anything else that needs to be changed or monitored on either client or NS server?
    3. Which use cases would https agent be preferred over http?  I assume CEM clients would be one, but are there any benefits or drawbacks in using the https agent on the internal network also?
    4. How do we target existing client agents to use the https agent rather than the http agent?  I don't see any separate installation policies for the https agent...
    5. Is it possible to identify which clients are using the https agent in the extended views (Manage Computers)?  I noticed that the https agent has a small "green lock" within the systray icon on the client, but can't see anything similar in the console to indicate which are http and which are https.

    If anyone has any other advice or feedback around using the https agent, please also let me know.

    Thanks.



  • 2.  RE: 7.6 Agent - HTTP vs HTTPS
    Best Answer

    Posted Mar 07, 2016 10:55 AM

    Hi Chris,

    I might be wrong but AIUI, the new functionality is that you can enable http and/or https rather than one or the other as it was in 7.5?

    We went with https from day 1 in 7.5 as I knew CEM was a priority for us and that only works over https. Since we needed https for that we went https for everything. You need a certificate but if all your machines are in an Active Directory you can use one from there if you're too mean to get a "proper one". I guess there's a bit of an overhead with https but, like I said, we didn't have a choice.

    Under Settings -> SMA there's a Symantec Agent Communication profiles section which you might want to look at - might shed light on how to switch over? Not sure if there's a way of forcing it.

    Regards

    Martin



  • 3.  RE: 7.6 Agent - HTTP vs HTTPS
    Best Answer

    Trusted Advisor
    Posted Mar 07, 2016 10:56 AM

    Hi Chris,

    1. The AeXNSChttp.exe and AeXNSChttps.exe packages are refinements to the legacy AeXNSC.exe package. They embed the SMP URL making them tuned from the outset to install the agent connecting to your SMP. The HTTPS package also embeds certificates to enable the agent to talk to the server through SSL. 
       
    2. I've not seen issues myself, but we opted to buy ours rather than self-sign. Technically there is overhead on the SMP with the encryption/decryption.
       
    3. The only drawback of HTTPS that I can think of is that if you like wiresharking you've got a decryption complication.
       
    4. We shifted our agents using a "Targeted Agent Settings". In the advanced tab, just shift your clients over to the HTTPS address. We cloned our existing policy and then targeted just one client to begin with to test all was well (having a filter which was excluded from the HTTP targeted agent settings delivery).
       
    5. There is no icon change in the console to reflect whether the agent is connecting as HTTP or HTTPS. 

    Kind Regards,
    Ian./

     



  • 4.  RE: 7.6 Agent - HTTP vs HTTPS
    Best Answer

    Broadcom Partner
    Posted Mar 07, 2016 12:28 PM

    Hi chrismcevoy72,

    I agree with Ian.

    5. Is it possible to identify which clients are using the https agent in the extended views (Manage Computers)?  I noticed that the https agent has a small "green lock" within the systray icon on the client, but can't see anything similar in the console to indicate which are http and which are https.

    As far as I know there is no default report that you can use to see which computers are communicating over HTTP or HTTPS, but there are filters which you can use (and create reports based on them). Take a look under Manage -> Filters -> Computer Filters -> "All Computers operating over HTTP" or "All HTTPS Computers meeting Cloud-enabled Management criteria".

    Network23

     



  • 5.  RE: 7.6 Agent - HTTP vs HTTPS

    Posted Mar 07, 2016 12:59 PM

    Thanks all.

    That's given a few things to think about and to investigate in the console.