Configuring Endpoint Protection Manager (SEPM) for SSL on Windows 2008

Article:TECH134468  |  Created: 2010-01-30  |  Updated: 2011-10-03  |  Article URL http://www.symantec.com/docs/TECH134468
Article Type: Technical Solution

Environment

Issue

How can I configure the Symantec Endpoint Protection Manager (SEPM) Internet Information Services (IIS) Web Site to utilize Secure Sockets Layer (SSL) for Reporting and client communication on Windows 2008?

Solution




Before you begin:

While Symantec supports SSL communications between a SEPM and its SEP clients, Symantec does not provide support on creating, implementing, or maintaining an SSL Public Key Infrastructure (PKI). The following document was written with this in mind. Please read the "About the SEPM Internet Information Services (IIS) Web Site" and "Prerequisites for encrypting IIS traffic" sections of this document thoroughly to determine if this document is appropriate for your environment.




About the SEPM Internet Information Services (IIS) Web Site:

The Symantec Endpoint Protection Manager uses an IIS web site to communicate with clients and to provide reporting services. By default the web site uses Hypertext Transfer Protocol (HTTP) for all communications. HTTP is an unencrypted protocol and provides neither confidentiality nor integrity for the traffic carried over it. The SEPM IIS web site can be configured with a Secure Sockets Layer (SSL) certificate so that clients authenticate the server and the traffic is encrypted over a Hypertext Transfer Protocol Secure (HTTPS) connection.

    Note: Although the HTTP connection between SEP clients and the SEPM IIS server is not itself encrypted, by default the data carried over it is encrypted and signed by the SEPM and the SEP client using the pre-shared key contained in the sylink.xml file.


Prerequisites for encrypting IIS traffic:

Symantec supports the use of SSL encryption for the SEPM IIS web site, but assumes customers already have the following knowledge/infrastructure:

  • An understanding of PKI and how it pertains to SSL
  • A working PKI and a web site certificate signed by a valid Certificate Authority (CA) or a valid self-signed web site certificate
    • For SSL communication to function completely, this certificate (or the CA certificate that signed it) must be installed and trusted on every SEP client that will communicate with the SEPM via SSL.



Configuring IIS:

    Note: While it is possible for SEP clients to communicate with the SEPM IIS web site using HTTPS, it is not possible for the SEPM Tomcat server to communicate with the SEPM IIS web site using HTTPS. For this reason, it is not possible to configure IIS to require an SSL connection. Setting the SEPM IIS web site to require an SSL connection will cause the SEPM Service to fail.


    Importing the SSL Certificate into IIS:
    1. Open the IIS Manager by clicking Start > Administrative Tools > Internet Information Services (IIS) Manager
    2. Select the local IIS server from the Connections pane on the left side of the IIS Manager window
    3. Double click the Server Certificates icon in the Home panel
    4. Click on Import... in the Actions Pane
    5. Click the ... button on the Import Certificate dialog and browse for the .pfx certificate file
    6. Supply the password for the .pfx file and click the OK button

    Configuring the SEPM IIS web site to use SSL:
    1. Open the IIS Manager by clicking Start > Administrative Tools > Internet Information Services (IIS) Manager
    2. Select the local IIS server from the Connections pane on the left side of the IIS Manager window
    3. Expand Sites and choose the SEPM IIS web site from the list (Symantec Web Server by default)
    4. Click on Bindings in the Actions Pane
    5. Click the Add... button on the Site Bindings dialog
    6. Make the following configurations on the Add Site Binding dialog:
      1. Select https from the Type drop-down box
      2. Ensure the correct IP address is selected in the IP address drop-down box ("All Unassigned" by default)
      3. Specify a port to utilize for HTTPS communications in the Port field
      4. Leave the Host name field blank unless specific security requirements dictate otherwise; if a host name is required, enter the Subject name from the web site certificate (usually the Fully Qualified Domain Name (FQDN) of the SEPM)
      5. Select the correct SSL certificate for the Symantec Web Server from the SSL certificate drop-down list
      6. Click the OK button
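The same certificate import and HTTPS binding can be scripted with the tools that ship with IIS 7 (certutil, appcmd.exe and netsh). This is an added example and not part of the Symantec article; it assumes an elevated PowerShell prompt on the SEPM, a certificate file C:\certs\sepm.pfx whose Subject is sepm01.test.local, HTTPS port 8443, the default site name and the IIS application id noted in the comments.

```powershell
# Added example (not from the Symantec article). Run from an elevated PowerShell prompt
# on the SEPM. Assumed values: the .pfx path, the certificate Subject and the port.
$Pfx         = "C:\certs\sepm.pfx"           # web site certificate with its private key
$SubjectCN   = "sepm01.test.local"            # Subject name (CN) of that certificate
$HttpsPort   = 8443                           # HTTPS port for the SEPM IIS web site
$SiteName    = "Symantec Web Server"          # default SEPM IIS site name
$AppCmd      = "$env:windir\system32\inetsrv\appcmd.exe"
$PfxPassword = Read-Host "Password for $Pfx"  # prompt instead of embedding the password

# 1. Import the .pfx into the machine's Personal (MY) store; this is what
#    IIS Manager > Server Certificates > Import does.
& certutil.exe -f -p $PfxPassword -importPFX $Pfx | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil could not import $Pfx" }

# 2. Pick the imported certificate (the newest one with the expected Subject).
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$SubjectCN*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "no certificate with CN=$SubjectCN in LocalMachine\My" }

# 3. Add the https binding to the site. '*' is IIS Manager's "All Unassigned" and the
#    empty trailing field is a blank Host name, matching the dialog settings above.
& $AppCmd set site /site.name:"$SiteName" "/+bindings.[protocol='https',bindingInformation='*:${HttpsPort}:']"

# 4. Associate the certificate with the port in HTTP.sys. appcmd only records the
#    binding; the certificate assignment that IIS Manager makes is stored by netsh.
#    The appid below is the well-known IIS application id (assumed from common usage).
$IisAppId = "{4dc3e181-e14b-4a21-b022-59fc669b0914}"
& netsh.exe http add sslcert ipport=0.0.0.0:$HttpsPort certhash=$($cert.Thumbprint) appid=$IisAppId

# 5. Show the result: the binding on the site and the certificate bound to the port.
& $AppCmd list site "$SiteName"
& netsh.exe http show sslcert ipport=0.0.0.0:$HttpsPort
```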


Configuring the SEPM Console:

Note: This step is not necessary to enable SEP client to SEPM communications over HTTPS. For machines with IPv6 enabled, connecting to the SEPM using an FQDN or hostname will result in the SEPM console immediately logging out after a successful login. Do not configure the SEPM Console to use the HTTPS Reporting web site if the SEPM server has IPv6 enabled.

    Editing conf.properties:

    The SEPM Console will use an HTTP connection to display the Home, Monitors and Reports tabs unless specifically configured to use HTTPS. The steps below ensure the SEPM Console accesses Reporting data via HTTPS.
    1. Locate the conf.properties file, create a backup copy, and open the original in a text editor (default location: %ProgramFiles%\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\conf.properties for 32-bit systems or %ProgramFiles(x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\conf.properties for 64-bit systems)
    2. Add the following two lines to the bottom of this file:
      • scm.use_https=1
      • scm.iis.https.port=<port> (where <port> is the numerical value of the SEPM IIS web site HTTPS port)
    3. Save the changes to conf.properties
    4. Restart the Symantec Endpoint Protection Manager Service


    Editing sesm.bat:

    Once configured to use an HTTPS connection to display the Home, Monitors and Reports tabs, the SEPM Console will display a security warning until it is configured to point to the Subject name from the SEPM IIS web site certificate (this is usually the FQDN of the SEPM).
    1. Locate the sesm.bat file, create a backup copy, and open the original in a text editor (default location: %ProgramFiles%\Symantec\Symantec Endpoint Protection Manager\bin\sesm.bat for 32-bit systems or %ProgramFiles(x86)\Symantec\Symantec Endpoint Protection Manager\bin\sesm.bat for 64-bit systems)
    2. Add the following parameter before "-jar": -Dscm.server=<subject name> (where <subject name> is the Subject name from the SEPM IIS certificate)
    3. Save the changes to sesm.bat
    4. Close any open SEPM Console windows and open the SEPM Console
    5. Verify the Server field on the SEPM Console login page points to the Subject name from the SEPM IIS certificate (example: "sepm.mydomain.com:8443" instead of "localhost:8443")

    The last step is to import the .pfx into the SEPM for use with the Web Console.

  1. Login to the SEPM
  2. Admin->Servers->Local Site->Server Name
  3. Under Tasks click Manage Server Certificate
  4. Click Next, select Update the server certificate, and click Next
  5. Select PKCS12 keystore (.pfx or .p12) and click Next
  6. Browse to the Self-signed Certificate you exported earlier, type in the password, and click Next.
  7.  



Configuring SEP Client communications:

Once the SEPM IIS server has been configured to listen for HTTPS traffic, clients have to be configured to contact the SEPM over HTTPS instead of HTTP. Communications settings can be configured per group and/or location.

    Creating a Management Server List (MSL) for HTTPS communications:

    It is highly recommended to create a new MSL for HTTPS communications. It is not possible to mix HTTP and HTTPS connections between
    1. Within the SEPM Console, select the Policies tab
    2. Expand Policy Components in the View Policies pane and choose Management Server Lists
    3. Create a new MSL by selecting Add a Management Server List... from the Tasks pane
    4. On the Management Server Lists dialog, specify a name for the new MSL in the Name field
    5. Toggle the Use HTTPS protocol radio button
    6. Optionally check the Verify certificate when using HTTPS protocol checkbox

      Note: Selecting the option to Verify certificate when using HTTPS protocol in the Management Server List will force SEP clients to verify the SSL certificate used by the SEPM IIS server. This means the SEP client can only connect to the SEPM using the Subject name from the SEPM IIS certificate (e.g., if the Subject name of the certificate is SEPM01.test.local and the MSL specifies to connect to SEPM01, the connection will fail). The SEP client must also be configured to trust the SEPM IIS certificate (there must be a valid chain of trust); this can be verified by browsing to https://<SEPM subject name>:<HTTPS port>/secars?hello,secars in Internet Explorer on the client. If the page displays with an SSL error, the connection will fail.
       
    7. Select the proper priority in the Management Servers section and click the Add >> button
    8. Enter the Subject name from the SEPM IIS certificate into the Server address field (usually the Fully Qualified Domain Name (FQDN) of the SEPM)
    9. If the SEPM IIS site uses a non-standard HTTPS port, ensure the Customize HTTPS port checkbox is selected and the correct port number is entered in the Customize HTTPS field
    10. Click the OK button on the Add Management Server dialog to save the new Management Server
    11. Click the OK button on the Management Server Lists dialog to save the changes to the new MSL
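The chain-of-trust check described in the note above can also be run from a client host without Internet Explorer. The following added PowerShell script (not part of the Symantec article) opens a TLS session to the SEPM using the same name the MSL will carry, requests /secars?hello,secars, and reports the certificate's Subject together with any policy error that would make a verifying SEP client refuse the connection. It assumes PowerShell 2.0 or later on the client, the Subject name sepm01.test.local and HTTPS port 8443.

```powershell
# Added example (not from the Symantec article). Run on a SEP client host.
# Assumed values: the Subject name from the SEPM IIS certificate and the HTTPS port.
$SepmName  = "sepm01.test.local"   # must be exactly what the MSL's Server address will hold
$HttpsPort = 8443

# The callback records Windows' verdict on the server certificate (name match and chain)
# and then lets this diagnostic handshake complete so the certificate can be inspected.
# A SEP client with "Verify certificate" set would refuse the connection instead.
$script:policyErrors = $null
$recordVerdict = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:policyErrors = $sslPolicyErrors
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($SepmName, $HttpsPort)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $recordVerdict)
try {
    $ssl.AuthenticateAsClient($SepmName)      # the name the client will verify against
    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    # Same request the note makes in Internet Explorer; only the status line is read.
    $writer = New-Object System.IO.StreamWriter($ssl)
    $writer.Write("GET /secars?hello,secars HTTP/1.0`r`nHost: ${SepmName}:${HttpsPort}`r`n`r`n")
    $writer.Flush()
    $statusLine = (New-Object System.IO.StreamReader($ssl)).ReadLine()
} finally {
    $ssl.Close()
    $tcp.Close()
}

"Subject:     $($remote.Subject)"
"Issuer:      $($remote.Issuer)"
"Expires:     $($remote.NotAfter)"
"HTTP status: $statusLine"
if ($script:policyErrors -eq [System.Net.Security.SslPolicyErrors]::None) {
    "OK: the certificate is trusted and matches $SepmName; clients using 'Verify certificate' will connect."
} else {
    # RemoteCertificateNameMismatch: the MSL name differs from the certificate Subject.
    # RemoteCertificateChainErrors:  the CA or self-signed certificate is not trusted on this host.
    "FAIL ($script:policyErrors): clients using 'Verify certificate when using HTTPS protocol' will not connect."
}
```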


    Assigning a Management Server List for HTTPS communications:

    For clients that need to be able to connect to the SEPM via HTTPS while in one environment and via HTTP while in another (e.g., laptops which connect to the SEPM over the Internet off-site and over the private LAN/WAN on-site), the MSL can be assigned on a per-Location basis. For machines that do not require location-based communications settings, the MSL can be assigned statically by Group.

      Assigning a Management Server List by Location:
      1. Within the SEPM Console, select the Clients tab
      2. Expand My Company in the View Clients pane and choose the Group to be configured

        Note: If the Group to be configured inherits its policy from another Group, select the Group its policies are inherited from instead.
      3. Select the Policies tab from the pane
      4. Locate the Settings for Location: sub-section under the Location-specific Policies and Settings section for the location to be configured
      5. Expand the Location-specific Settings sub-section
      6. Find Communications Settings under the Location Specific Settings sub-section and click Tasks
      7. Ensure the Use Group Communications Settings checkbox is un-checked and click Edit Settings...
      8. On the Communications Settings for <group name> window, select the SSL-enabled MSL from the Specify the management servers this group will communicate with drop-down box
      9. Click the OK button to close the Communications Settings for <group name> window


      Assigning a Management Server List statically by Group:
      1. Within the SEPM Console, select the Clients tab
      2. Expand My Company in the View Clients pane and choose the Group to be configured

        Note: If the Group to be configured inherits its policy from another Group, select the Group its policies are inherited from instead.
      3. Select the Policies tab from the pane
      4. Select Communications Settings from the Settings section
      5. On the Communications Settings for <group name> window, select the SSL-enabled MSL from the Specify the management servers this group will communicate with drop-down box
      6. Click the OK button to close the Communications Settings for <group name> window

Optional hardening:

For environments where further hardening is required, the SEPM IIS web site can be configured to only accept HTTP traffic from the localhost connection. This will prevent any external access to the SEPM via an unsecured channel. It is not possible to completely disable the SEPM IIS HTTP port, or configure IIS to only accept HTTPS connections. The SEPM Tomcat server only communicates with the SEPM IIS server using HTTP.

    Note: Ensure all SEP clients have been able to download a Management Server List with the SEPM's HTTPS information before making the changes below. These changes will orphan any SEP clients that are still connecting to the SEPM over HTTP.
    To limit the SEPM IIS web site HTTP connection to localhost:
    1. Open the IIS Manager by clicking Start > Administrative Tools > Internet Information Services (IIS) Manager
    2. Select the local IIS server from the Connections pane on the left side of the IIS Manager window
    3. Expand Sites and choose the SEPM IIS web site from the list (Symantec Web Server by default)
    4. Click on Bindings in the Actions Pane
    5. Select the http type on the Site Bindings dialog and click the Edit button
    6. Replace All Unassigned with 127.0.0.1 in the IP address field
    7. Click the OK button to modify the binding settings
    8. Click the Add button on the Site Bindings dialog
    9. Replace All Unassigned with ::1 in the IP address field
    10. Edit the Port field to contain the SEPM IIS Server port (8114 by default)
    11. Click the OK button to save the binding settings
    12. Click the Close button to save the changes

    IIS will now only respond to unencrypted HTTP requests on its IPv4 and IPv6 loopback interfaces. HTTPS traffic is unaffected by this modification.
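The loopback-only binding change, scripted with appcmd.exe and followed by a reachability check. This is an added example and not part of the Symantec article; it assumes an elevated PowerShell prompt on the SEPM, the default site name, the default HTTP port 8114 and an HTTPS binding on port 8443, and it must only be run after every client has received the HTTPS Management Server List, as the note above warns.

```powershell
# Added example (not from the Symantec article). Run from an elevated PowerShell prompt
# on the SEPM only after every client has received the HTTPS Management Server List;
# clients still connecting over HTTP from the LAN will be orphaned by this change.
$SiteName  = "Symantec Web Server"   # default SEPM IIS site name
$HttpPort  = 8114                    # default SEPM IIS HTTP port
$HttpsPort = 8443                    # assumed HTTPS port from the earlier binding
$AppCmd    = "$env:windir\system32\inetsrv\appcmd.exe"

# Steps 5-7: swap the "All Unassigned" (*) http binding for the IPv4 loopback.
# If 'appcmd list site' shows a different bindingInformation for http, use that value.
& $AppCmd set site /site.name:"$SiteName" "/-bindings.[protocol='http',bindingInformation='*:${HttpPort}:']"
& $AppCmd set site /site.name:"$SiteName" "/+bindings.[protocol='http',bindingInformation='127.0.0.1:${HttpPort}:']"
# Steps 8-11: add the IPv6 loopback binding on the same port.
& $AppCmd set site /site.name:"$SiteName" "/+bindings.[protocol='http',bindingInformation='[::1]:${HttpPort}:']"
& $AppCmd list site "$SiteName"      # expect http/127.0.0.1:8114:, http/[::1]:8114: and the https binding

# Verification: the HTTP port must answer on loopback (Tomcat still needs it) and on
# nothing else, while the HTTPS port keeps answering on the LAN address.
function Test-TcpPort([string]$Address, [int]$Port) {
    # The (host, port) constructor opens an IPv4 or IPv6 socket as the address requires.
    try { $client = New-Object System.Net.Sockets.TcpClient($Address, $Port); $client.Close(); return $true }
    catch { return $false }
}
$lanIp = [System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
         Where-Object { $_.AddressFamily -eq 'InterNetwork' -and -not [System.Net.IPAddress]::IsLoopback($_) } |
         Select-Object -First 1

"HTTP  on 127.0.0.1:$HttpPort reachable: $(Test-TcpPort '127.0.0.1' $HttpPort)"            # expected True
"HTTP  on [::1]:$HttpPort      reachable: $(Test-TcpPort '::1' $HttpPort)"                  # expected True
"HTTP  on ${lanIp}:$HttpPort  reachable: $(Test-TcpPort $lanIp.ToString() $HttpPort)"     # expected False
"HTTPS on ${lanIp}:$HttpsPort reachable: $(Test-TcpPort $lanIp.ToString() $HttpsPort)"    # expected True
```

If the LAN-address HTTP check still reports True, re-run `appcmd list site` and confirm no wildcard http binding remains.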

Legacy ID



2010063006574348

