Enabling SSL communications between a Symantec Endpoint Protection Manager and its clients

Article:TECH162326  |  Created: 2011-06-14  |  Updated: 2013-11-12  |  Article URL http://www.symantec.com/docs/TECH162326
Article Type
Technical Solution



How do you enable Symantec Endpoint Protection (SEP) clients to communicate with their managers over a Secure Sockets Layer (SSL) encrypted HTTPS connection?


Managers host client to server communications through the Symantec Endpoint Protection Manager (SEPM) Apache server. By default, the Apache server listens on port 8014 for unencrypted HTTP connections. Clients communicate with the SEPM Apache server by sending action codes, uploading logs and Operational State (OpState) data and downloading policy and content files. All policies and content updates downloaded by clients from the manager are digitally signed and/or encrypted. If you require a higher level of security, the SEPM Apache server can be configured to accept SSL encrypted HTTPS connections. This ensures that both the content of SEP communications is encrypted as well as the tunnel the communications are sent through.

For more information on how Symantec Endpoint Protection uses encryption and certificates, see How Symantec Endpoint Protection uses encryption and certificates.


Configuring the Manager

Determining which port to use for SSL traffic

The assigned port for HTTPS traffic is 443. If your manager hosts other HTTPS Web sites, port 443 may already be assigned to one of these. Use the the following steps to confirm port 443 is available on the manager computer, and if necessary, change the HTTPS port used by the SEPM Apache server.

  1. Open a command prompt and enter the following:

    netstat -an | find ":443" | find "LISTENING"

  2. If this command returns a result, you will need to modify the existing application to use a non-standard HTTPS port, or configure the Apache server to use a non-standard HTTPS port.

Changing the default SSL port (If needed)

  1. Open the following text file for editing: <Symantec Endpoint Protection Manager Installation folder>\apache\conf\ssl\sslForClients.conf.
  2. Change the following lines to list the specified alternate port instead of the default of 443:

    • Listen 443
    • <VirtualHost_default_:443>
  3. Save the file and close the text editor.

Enabling SSL in Apache

  1. Open the following text file for editing: <Symantec Endpoint Protection Manager Installation folder>\apache\conf\httpd.conf.
  2. Remove the # from the beginning of the following line:

    #Include conf/ssl/sslForClients.conf
  3. Restart the Symantec Endpoint Protection Manager Webserver service.

Confirm SSL is enabled

  1. Browse to the following URL in an SSL-enabled Web browser: https://<SEPM address>:<SSL Port>/secars/secars.dll?hello,secars
  2. The word OK should display on an otherwise blank page if the configuration was successful.

Note: If you have not updated the manager with a Certificate Authority (CA) signed certificate and private key pair, the  the Web browser will present a warning that the certificate is not trusted. The same warning is presented when you attempt to access the Web site from a URL that is different than the subject name on the manager certificate. This is expected behavior.


Configuring the Clients

Clients choose their manager based on the entries in their Management Server List (MSL). Create a new MSL, or edit an existing MSL to point clients to their manager(s) over SSL.

Creating/Editing the Management Server List

  1. Log in to the SEPM console and click Admin>Policies.
  2. Expand Policy Components, and click Management Server Lists.
  3. Click Add a Management Server List, or select a pre-existing MSL and click Edit the List.
  4. Select Use HTTPS Protocol.

    Note: Do not check Verify certificate when using HTTPS protocol unless you have updated your manager with a CA signed certificate and private key pair. For more information on this process, see How to update Symantec Endpoint Protection Manager certificates without breaking server/client communication.
  5. Click Add>New Server or select an existing Manager from the Management Servers list and click Edit.
  6. Add the server address if required, Check Customize HTTPS port, and confirm the correct HTTPS port is listed, click OK.
  7. Ensure this policy is assigned to the group(s) and location(s) you wish to communicate with the SEPM over HTTPS.


Confirm client>server communications

The SEP client will download the updated MSL from the SEPM during its next heartbeat after the changes were made. During its next heartbeat, it will evaluate the new MSL to determine which manager to communicate with, and over which protocol to communicate. It can take up to three heartbeat intervals for clients to receive and apply the new communications settings policy.

  1. Open the SEP client interface and click Help>Troubleshooting>Connection Status.
  2. Confirm the Last Attempted Connection and Last Successful Connection both show the new URL and port number configured above.
  3. This change can take up to 3 heartbeat intervals. To force the update, click Connect Now.


Supplemental Materials


Article URL http://www.symantec.com/docs/TECH162326

Terms of use for this information are found in Legal Notices