Proxies and compatibility with Java LiveUpdate and Symantec Endpoint Protection

Article:TECH103527  |  Created: 2007-01-02  |  Updated: 2014-06-19  |  Article URL http://www.symantec.com/docs/TECH103527
Article Type
Technical Solution



Issue



Which proxies are compatible with LiveUpdate on the Macintosh?

 


Error



In the LiveUpdate log (/Library/Application Support/Symantec/LiveUpdate/liveupdt.log), references to attempted connections to a proxy server, then:

A LiveUpdate server could not be selected.

The Java LiveUpdate session did not complete successfully.
Return code = -2,001

 


Environment



Versions of Symantec Endpoint Protection earlier than 12.1.4 (12.1 RU4).
 


Cause



Java LiveUpdate (JLU) can go through Web proxy servers. Java LiveUpdate cannot go through FTP or SOCKS proxy servers.

 


Solution



LiveUpdate on Macintosh uses the HTTP proxy from the Macintosh Network System Preferences, but will authenticate anonymously. It is recommended to whitelist the Symantec servers at the proxy, bypass the proxy for the client, use an internal LiveUpdate server (LiveUpdate Administrator 2.x or the legacy LiveUpdate Administration Utility 1.x), and/or add proxy information to the /etc/liveupdate.conf file.

 

To whitelist the Symantec servers:

The default HTTP servers are liveupdate.symantec.com and liveupdate.symantecliveupdate.com, and the default FTP server is update.symantec.com. Examine the /etc/liveupdate.conf file for any custom URLs that may have been set. Consult with the documentation specific to your proxy server to configure a whitelist for these addresses.

 

To bypass the proxy on the client machine: 

  1. On the Apple menu, click System Preferences.
  2. Under Internet & Network, click Network.
  3. Click Proxies.
  4. In the "Select a proxy server to configure" box, click Web Proxy (HTTP).
  5. In the "Bypass proxy settings for these Hosts & Domains" box, enter all URLs specified in /etc/liveupdate.conf.
  6. Quit System Preferences.

 

To use an internal LiveUpdate server:

If there is no web proxy that provides access without login or password, you can update via an internal LiveUpdate server. See Using the LiveUpdate Administrator on a PC to download updates for Symantec Endpoint Protection.

If using an internal LiveUpdate server, ensure proxy exceptions are correctly entered for local addresses. The following Apple article is included for your convenience:
Entering Proxy Server Settings (http://docs.info.apple.com/article.html?path=Mac/10.5/en/8760.html)

 

To add proxy authentication information to /etc/liveupdate.conf:

To specify a proxy for LiveUpdate, add a "proxy=a.b.c.d:port" entry to /etc/liveupdate.conf. Note that this file is not visible in the Macintosh Finder--you must edit it in a terminal window using vi, pico, or other command-line editor, and run the editor command with sudo. You cannot add proxyusername or proxypassword settings; LiveUpdate for Macintosh does not work with proxies that require authentication. For more details, see the document How to set proxy settings in Java LiveUpdate

Note that LiveUpdate on Macintosh uses the HTTP proxy from the Macintosh Network System Preferences and that setting (if configured) will override any in /etc/liveupdate.conf. If you don't want to use the OS proxy settings for LiveUpdate, add the URL(s) from /etc/liveupdate.conf to the proxy bypass settings in the Macintosh Network System Preferences.

WARNING: do not edit the following file:
/Library/Application Support/Symantec/LiveUpdate/liveupdate.conf
That conf file is overwritten with a combination of /etc/liveupdate.conf and the OS proxy settings every time LiveUpdate runs.

For managed SEP for Mac clients, changes to the LiveUpdate server source (delivered by policy on heartbeat) does not appear to overwrite the whole file (and delete the proxy settings), but merely replaces specific values (such as hosts) within the configuration files with updated information.

Note: In SEP 11.x for Macintosh and older, location awareness is not available; laptops with those client versions won't be able to connect to LiveUpdate servers to retrieve updates when they leave the corporate network unless this proxy info is commented out of /etc/liveupdate.conf (# at the beginning of the line indicates a comment).

 




Legacy ID



2007733776807898


Article URL http://www.symantec.com/docs/TECH103527


Terms of use for this information are found in Legal Notices