Troubleshoot client/server connectivity in Endpoint Protection

Article:TECH105894  |  Created: 2008-01-12  |  Updated: 2014-11-21  |  Article URL http://www.symantec.com/docs/TECH105894
Article Type
Technical Solution


Environment

Issue



This article describes how to troubleshoot client-to-manager connectivity issues. To quickly check if this issue exists or has been resolved on the computer, download and run SymHelp.

 Symptoms include:

  • SEP client is not receiving definition updates.
  • SEP client is not receiving policy updates.
  • SEP client is not showing a green dot in the Taskbar.
  • SEP client is not showing a green dot in the Symantec Endpoint Protection Manager console.

Solution



About communication problems

    Check network connectivity before you call Symantec Technical Support. Once that has been verified, check the communication between the client and the server. For example, the client may not be receiving Policy updates or it may not be receiving Content updates. It is important to gather as much information as possible about which communications are working and which are not.



About checking the communication between the client and the management server

    If you have trouble with the client and the server communication, you should first check to make sure that there are no network problems. You can test the communication between the client and the management server in several ways.

    Table 2-1 describes the steps that you can take to check the communication
    between the client computer and the management server.



Viewing the client status in the management console

    You can check the client status icon in the management console as well as on the client directly to determine client status.

    Table 2-3 shows the various icons that might appear in the management console
    for the client status.




    To view the client status in the management console:
      1. In the management console, on the Clients page, under "View Clients", select the group in which the client belongs.
      2. Look on the Clients tab.

        The client name should appear in the list next to an icon that shows the client
        status.


About the client status icon on the client

    You can find the client status icon in the notification area of the taskbar on the client computer. The icon appears as a yellow shield icon with a green dot when the client can communicate with the management server.



Viewing the policy serial number

    You should check the policy serial number on the client to see if it matches the serial number that appears in the management console. If the client communicates with the management server and receives regular policy updates, the serial numbers should match.

    If the policy serial numbers do not match, you can try to manually update the policies on the client computer and check the troubleshooting logs.

    To view the policy serial number in the management console
      1. In the management console, click Clients.
      2. Under "View Clients", select the relevant group, and then select the Details tab.

    The policy serial number and the policy date appear at the bottom of the details list.

    To view the policy serial number on the client
      1. On the client computer, in the client user interface, click on the Help and Support button, select Troubleshooting.
      2. In the Management section, look at the policy serial number.

    The serial number should match the serial number of the policy that the management server pushes to the client.



About performing a manual policy update to check the policy serial number

    You can perform a manual policy update to check whether or not the client receives the latest policy update. If the client does not receive the update, there might be a problem with the client and server communication.

    You can try a manual policy update by doing any of the following actions:

      • In the client click on the Help and Support button, click Troubleshooting. Under Policy Profile, click Update. You can use this method if you want to perform a manual update on a particular client.
      • For the clients that are configured for pull mode, the management server downloads policies to the client at regular intervals (heartbeat). You can change the heartbeat interval so that policies are downloaded to the client group more quickly. After the heartbeat interval, you can check to see if the policy serial
        numbers match. (For the clients that are configured for push mode, the clients receive any policy updates immediately.)

    After you run a manual policy update, make sure that the policy serial number that appears in the client matches the serial number that appears in the management console.


Using the ping command to test the connectivity to the management server

    You can try to ping the management server from the client computer to test connectivity.

    To use the ping command to test the connectivity to the management server
      1. On the client, open a command prompt.
      2. Type the ping command. For example:

      ping name

      Where name is the computer name of the management server. You can use the server IP address in place of the computer name. In either case, the command should return the server's correct IP address.

    If the ping command does not return the correct address, verify the DNS service for the client and check its routing path.


Using a browser to test the connectivity to the management server

    You can use a Web browser to test the connectivity to the management server.

    To use a browser to test the connectivity to the management server:

    1. On the client computer open a Web browser, such as Internet Explorer.
    2. In the browser command line, type a command that is similar to either of the following commands:
      • http://<management server IP address>:<port used by the SEPM website>/reporting/index.php

        If the reporting log-on Web page appears, the client can communicate with the management server.
      • http://<management server name>:9090

        If the Symantec Endpoint Protection Manager Console page appears, the client can communicate with the management server.
    3. If a Web page does not appear, check for any network problems. Verify the DNS service for the client and check its routing path.


Using Telnet to test the connectivity to the management server

    You can use Telnet to test the connectivity to the IIS server on the management server. If the client can Telnet to the management server's HTTP or HTTPS port, the client and the server can communicate. The default HTTP port is 8014 (80 for the earlier builds of SEP); the default HTTPS port is 443.

    Note: You might need to adjust your firewall rules so that the client computer can Telnet into the management server.

    For more information about the firewall, see the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control.

    To use Telnet to test the connectivity to the management server
      1. On the client computer, make sure the Telnet service is enabled and started.
      2. Open a command prompt and enter the Telnet command. For example:

        telnet ip address 8014

        where ip address is the IP address of the management server.

    If the Telnet connection fails, verify the client's DNS service and check its routing path.


Verify the Windows Firewall is not enabled on the management server (SEPM) or the client.


Windows Server 2003:

Use the netsh command line to disable the firewall:

netsh firewall set opmode mode = disable

Windows Server 2008

Server 2008 uses a profile based approach to the firewall settings. Again, use the netsh command but you will need to specify profile you want to configure (or disable in this case):

netsh advfirewall set <profile> state off

Values for <profile> are as follows:

allprofiles - change the settings for all the profiles.
currentprofile - change the setting for just the current profile.
domainprofile - change the settings for the domain profile.
privateprofile - change the settings for the private profile.
publicprofile - change the settings for the public profile.

If SEPM and its associated processes (Tomcat, IIS, etc..) are the only applications on this server, we recommend using the "allprofiles" profile for the command line; otherwise choose the appropriate profile.

Windows XP

1. Click Start, click Run, type Firewall.cpl, and then click OK.
2. On the General tab, click Off
3. Click OK.

Windows Vista/Windows 7

Note: The Windows Firewall should be under control of the SEP client, however this is still a good check regardless.

1. Click Start button , Control Panel, Choose Security (System and Security in Windows 7), and then click Windows Firewall.
2. Click Turn Windows Firewall on or off. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
3. Click Off, and then click OK.
 

Checking the IIS logs on the management server

    You can check the IIS logs on the management server. The logs show GET and POST commands when the client and the server communicate.

    To enable logging in IIS:
      1. In the IIS manager, right click each site where you wish to have the logs (such as Reporting, Secars, etc.) and select Properties
      2. On the Virtual Directory tab: ensure a check in the box that corresponds to Log visits.
      3. Click OK.

    To check the IIS logs on the management server:
      1. On the management server, go to the IIS log files directory. A typical path to the directory is:

        \WINDOWS\system32\LogFiles\W3SVC1
      2. Open the most recent log file with a text application such as Notepad.
        For example, the log file name might be ex070924.log.
      3. Review the log messages.

    The file should include both GET and POST messages.



References
"Symantec Endpoint Protection Manager 11.x communication troubleshooting." at:

http://www.symantec.com/docs/TECH102681

"Troubleshooting Content Delivery to the Symantec Endpoint Protection client." at:
http://www.symantec.com/docs/TECH106034

 

 



Legacy ID



2008091215040048


Article URL http://www.symantec.com/docs/TECH105894


Terms of use for this information are found in Legal Notices