Problem

When updating the NAT (Fully Qualified Domain Name) in Endpoint Central and importing a new certificate, agents may fail to communicate with the server, leading to a break in trusted communication.

Note: This case is only applicable when an Enterprise or third-party certificate is imported in the Endpoint Central server.

Cause

Endpoint Central enforces trusted communication between the server and agents, requiring certificate validation.

If a new certificate is imported containing only the new NAT FQDN, agents that still attempt to connect using the old NAT FQDN will face a Subject Alternative Name (SAN) mismatch. This mismatch causes certificate validation to fail, resulting in broken communication between the agents and the server.

Resolution

To ensure a smooth and secure NAT FQDN update, follow these steps:

1. Generate a certificate containing the New NAT address along with the Old NAT address in the subject alternative name.
2. Import the certificate into the Endpoint Central server.
3. Update the NAT address with the new FQDN.
4. After the agents have communicated with the Endpoint Central server, the NAT settings will be updated for the agents. The agents will then establish communications with the Endpoint Central using the new FQDN.
5. Once all agents have successfully connected to the Endpoint Central server, you can import a new certificate containing only the new FQDN in the subject alternative name.

This process ensures that the agents can continue communication without validation errors during the transition period.