Symantec Agent CEM Web Site doesn't pass requests and nse data from CEM Gateway to the SMP due error 403: Access Denied on NS 7.5 SP1 machine.
This issue leads to have no data about CEM Gateway in reports on NS 7.5 SP1 server.
Also due this issue, clients in CEM mode are unable to communicate with NS 7.5 SP1 server, because CEM WebSite is also rejecting these requests and clients *.nse data.
Note! There is no problems if the same SMP 7.5 SP1 is installed on Windows 2008 R2 SP1 x64 Server.
event date='11/26/2014 13:49:53.2680000 +02:00' severity='1' hostName='client' source='NetworkOperation' module='AeXNetComms.dll' process='AeXNSAgent.exe' pid='10084' thread='6328' tickCount='59270083' > <![CDATA[Operation 'Head' failed. Protocol: http Host: server.local Port: 443 Path: /Altiris/NS/Agent/GetClientPolicies.aspx Http status: 403 Secure: Yes Id: {F6BE15B5-23BC-43AB-A64C-5674359EEF10} Error type: HTTP error Error result: 0x80042D21 Error code: 0 Error note: HTTP status: 403 Forbidden. Empty response content received, probably web server is not running or URL is invalid. In some cases Windows can return response header with Content-Length field but with empty response payload Error message: Error 0x80042D21 (No description available)]]> </event> <event date='11/26/2014 13:49:53.2680000 +02:00' severity='1' hostName='client' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='10084' thread='6328' tickCount='59270083' > <![CDATA[Policy request failed: HTTP status: 403 Forbidden. Empty response content received, probably web server is not running or URL is invalid. In some cases Windows can return response header with Content-Length field but with empty response payload (0x80042D21)]]> </event> <event date='11/26/2014 13:49:57.4640000 +02:00' severity='1' hostName='client' source='NetworkOperation' module='AeXNetComms.dll' process='AeXNSAgent.exe' pid='10084' thread='6328' tickCount='59274280' > <![CDATA[Operation 'Head' failed. Protocol: http Host: server.local Port: 443 Path: /Altiris/NS/Agent/PostEvent.asp Http status: 0 Secure: Yes Id: {74D24924-79A0-4D4B-997B-B4599FC7AC52} Error type: HTTP error Error result: 0x80042D24 Error code: 0 Error note: HttpRequest::ReadHeaders error. Bad SMP server version Error message: Error 0x80042D24 (No description available)]]> </event> <event date='11/26/2014 13:49:57.4800000 +02:00' severity='1' hostName='client' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='10084' thread='6328' tickCount='59274295' > <![CDATA[Failed to send basic inventory: HttpRequest::ReadHeaders error. Bad SMP server version (0x80042D24)]]> </event> <event date='11/26/2014 13:50:02.7840000 +02:00' severity='1' hostName='client' source='NetworkOperation' module='AeXNetComms.dll' process='AeXNSAgent.exe' pid='10084' thread='8464' tickCount='59279599' > <![CDATA[Operation 'Head' failed. Protocol: http Host: server.local Port: 443 Path: /Altiris/TaskManagement/CTAgent/GetClientTaskServers.aspx Http status: 403 Secure: Yes Id: {E3B3B87F-70A9-4E59-8880-CDDFA728C1BC} Error type: HTTP error Error result: 0x80042D21 Error code: 0 Error note: HTTP status: 403 Forbidden. Empty response content received, probably web server is not running or URL is invalid. In some cases Windows can return response header with Content-Length field but with empty response payload Error message: Error 0x80042D21 (No description available)]]> </event> <event date='11/26/2014 13:50:02.7840000 +02:00' severity='2' hostName='client' source='Client Task Agent' module='client task agent.dll' process='AeXNSAgent.exe' pid='10084' thread='8464' tickCount='59279599' > <![CDATA[Failed to call web interface by url [https://server.local/Altiris/TaskManagement/CTAgent/GetClientTaskServers.aspx?resourceGuid=6dc4e14b-fd41-45a2-870f-744378e892ee&shares=1], error [0x80042D21, IDispatch error #11041].]]> </event>
SMP 7.5 SP1
SMP installed on Windows Server 2012
On this environment a not self-signed certificate was placed in trusted root. So it works exactly according to MS documentation for 2012:
"If the Trusted Root Certification Authorities store that was used contains a mix of Root (self-signed) and certification authority (CA) Issuer certificates, only the CA Issuer certificates will be sent to the server by default."
As specified in Microsoft KB article: http://support.microsoft.com/kb/2802568
set [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL] "ClientAuthTrustMode"=dword:00000002
Futher details are available here: