How to bypass the IIS proxy after upgrading to Symantec Endpoint Protection Manager 12.1

Article:TECH162324  |  Created: 2011-06-14  |  Updated: 2012-02-16  |  Article URL http://www.symantec.com/docs/TECH162324
Article Type
Technical Solution


Subject

Issue



If the legacy 11.x server  is using a shared web site or is using client-to-server SSL prior to upgrade, to ensure that client server communication is maintained, a proxy is installed into IIS that will continue listening on the same port.

For more information on when the ISAPI proxy is used please see: What is the Endpoint Protection 12.1 IIS ISAPI proxy and when is it installed?


Solution



The IIS proxy is installed to ensure clients that have not been migrated to SEP 12.1 will not be orphaned when they connect to the port previously used by the 11.0 SEPM.  It is important to ensure that clients are aware of the new 12.1 SEPM's communications settings before removing the IIS proxy if it is present. One way to ensure this is the case is to confirm that all clients have checked-in with the new 12.1 SEPM and are using a current client policy.


To bypass the SEP IIS client communications proxy
Once clients are able to communicate with the 12.1 SEPM directly the IIS proxy can safely be removed.  You may also completely uninstall IIS if it is not used to host other websites.
To remove the IIS proxy without a loss of client communication please use the following steps.

Configure Apache to accept legacy SEP client communications
Apache can be configured to listen on the port that had been proxied by IIS. If clients are no longer expected to communicate on this port it is safe to skip this step.

  1. To configure Apache open the following file in a text editor:
    \Program Files\Symantec\Symantec Endpoint Protection Manager\apache\conf\httpd.conf
  2. Add the following line if it does not exist:
    Listen <port>
    - where "<port>" is the legacy client communication port.

    Examples:
    Listen 80
    Listen 443
    Listen 8080

    Note: It is important to ensure that any port added to the Apache configuration described above is no longer in use by IIS. If IIS and Apache attempt to use the same communication port a conflict will arise and one or both web sites may fail to function normally.

Remove legacy IIS configuration settings
The SEPM is configured to be aware of IIS proxy settings when the proxy is installed. It is recommended that this information be removed so that it will not be read by future SEP migrations.

  1. To remove this information from the SEPM configuration open the following file in a text editor:
    \Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\conf.properties
     
  2. Delete the following lines (if present):
    scm.iisproxy.http.port=<port>
    scm.iis.http.port=<port>
    scm.iisproxy.https.port=<port>
    - where "<port>" is the legacy client communication port.

    Examples:
    scm.iisproxy.http.port=2380
    scm.iis.http.port=80
    scm.iisproxy.https.port=443

    Note: The lines must be deleted and the file saved with the changes. Commenting the lines is not sufficient.
  3. Restart the Symantec Endpoint Protection Manager and Apache services.
    You can do so from a Windows command prompt using the following commands:
    net start semsrv
    net start semwebsrv

If necessary, restart IIS

  • This can be accomplished by typing the following at a Windows command prompt:
    iisreset /start

Remove the IIS web site, web page, or installation
Once SEPM is no longer reliant upon IIS to provide client communications the SEPM web site, web pages, or the entire IIS installation can be removed.

To remove the SEPM web site

  1. Open IIS manager by clicking Start, then Run. Type %SystemRoot%\System32\inetsrv\iis.msc then click OK.
  2. Navigate to the Symantec Web Server web site.
  3. Right-click the Symantec Web Server site, then click Delete.
  4. Click Yes when prompted.

To remove the SEPM web pages

  1. Open IIS manager by clicking Start, then Run. Type %SystemRoot%\System32\inetsrv\iis.msc then click OK.
  2. Navigate to the Default Web Site
  3. Under the default web site right-click each of the following pages, then click delete:
    ClientPackages
    content
    secars
    secreg
    license

To remove IIS
If IIS is no longer required it may be completely removed. To accomplish this please see the following article from Microsoft: Uninstalling IIS

 

 


Supplemental Materials

SourceETrack
Value1929002


Article URL http://www.symantec.com/docs/TECH162324


Terms of use for this information are found in Legal Notices