Symantec Endpoint Protection 12.1: Enabling SSL Between the Manager and Clients
Article: TECH162326 | Created: 2011-06-14 | Updated: 2011-08-02 | Article URL: http://www.symantec.com/docs/TECH162326
Problem
You need to know how to enable Secure Sockets Layer (SSL) communication between the Symantec Endpoint Protection Manager and the clients.
Environment
This document refers to Symantec Endpoint Protection 12.1. SSL configuration for older versions (Symantec Endpoint Protection 11.x) uses IIS rather than the Apache web server, and is documented elsewhere. See for example SEP 11.x: Configuring SSL to work with the SEPM on Windows Server 2003.
Solution
Configuring SSL between Symantec Endpoint Protection Manager and clients involves the following steps. WARNING: if your Endpoint Protection clients are already managed via SSL and you want to change the port, do not proceed with these steps until you have made the preparations in Symantec Endpoint Protection 12.1: How to Change the ports used for communication between the Manager and clients.
1. Check that the desired SSL port is available on the Manager:
The default SSL port is 443. To determine if that port is already in use on the Manager, run the following command from within a Command Prompt window:
netstat -an | find ":443"
If this command returns anything, then that port number is already used; you must change the configuration of the conflicting application or service, or choose a different port. If port 443 is not available, choose an unused port from the high port range (49152-65535). This is the IANA recommendation for private or custom ports.
2. If needed, change the default SSL port:
This is necessary only if port 443 is unavailable or you wish to customize the port.
- In a text editor, open the following file:
<Symantec Endpoint Protection Manager Installation folder>\apache\conf\ssl\sslForClients.conf
Note: By default, this folder is "C:\Program Files\Symantec\Symantec Endpoint Protection Manager" (32-bit) or "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager" (64-bit).
- Replace the port number in the strings "Listen 443" and "<VirtualHost _default_:443>" with the new port number. For instance, if the new port number is 53300, the edited strings become "Listen 53300" and "<VirtualHost _default_:53300>".
- Save the file and close the text editor.
3. Opening the SSL port in Apache (Symantec Endpoint Protection Manager):
Edit the httpd.config file on the Symantec Endpoint Protection Manager to enable SSL communication between the Symantec Endpoint Protection Manager and the clients:
- In a text editor, open the following file:
<Symantec Endpoint Protection Manager Installation folder>\apache\conf\httpd.conf
Note: By default, this folder is "C:\Program Files\Symantec\Symantec Endpoint Protection Manager" (32-bit) or "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager" (64-bit).
- Find this entry:
#Include conf/ssl/sslForClients.conf
- Remove the hash mark (#) from the start of that line.
- Save the file and close the text editor.
- Restart the "Symantec Endpoint Protection Manager Webserver" service. This should also restart the Symantec Endpoint Protection Manager service, as it depends on the Symantec Endpoint Protection Manager Webserver.
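The port check and the two configuration edits in steps 1 to 3 can be rehearsed on a copy of the files before the live Manager is touched. The following Python is an added example, not Symantec's code: SAMPLE_SSL_CONF and SAMPLE_HTTPD_CONF are constructed stand-ins for the real files, and port_in_use binds the port locally instead of parsing netstat output.

```python
import errno
import re
import socket

# Constructed sample of sslForClients.conf (not the file Symantec ships).
SAMPLE_SSL_CONF = "Listen 443\n<VirtualHost _default_:443>\n    SSLEngine on\n</VirtualHost>\n"
# Constructed sample of the relevant lines of httpd.conf.
SAMPLE_HTTPD_CONF = "Listen 8014\n#Include conf/ssl/sslForClients.conf\n"

INCLUDE_LINE = "Include conf/ssl/sslForClients.conf"
# Matches the two lines whose port must change: 'Listen <port>' and '<VirtualHost _default_:<port>>'.
PORT_RE = re.compile(r"^(Listen\s+|<VirtualHost\s+_default_:)(\d+)", re.M)


def port_in_use(port, host=""):
    """Step 1: local stand-in for `netstat -an | find ":<port>"`. Binding the port
    fails with EADDRINUSE when another service already listens on it (binding
    ports below 1024 may itself need administrator rights)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return True
            raise
    return False


def current_ssl_port(conf_text):
    """Port on the Listen line of sslForClients.conf, or None if there is none."""
    m = re.search(r"^Listen\s+(\d+)", conf_text, re.M)
    return int(m.group(1)) if m else None


def set_ssl_port(conf_text, new_port):
    """Step 2: rewrite both the Listen line and the _default_ VirtualHost line.
    Returns (new_text, lines_changed); lines_changed should be 2."""
    if not 1 <= new_port <= 65535:
        raise ValueError("port must be 1-65535 (high range 49152-65535 recommended)")
    return PORT_RE.subn(lambda m: m.group(1) + str(new_port), conf_text)


def enable_ssl_include(httpd_text):
    """Step 3: uncomment the Include of sslForClients.conf in httpd.conf.
    Text is returned unchanged if the Include is already active."""
    commented = re.compile(r"^#\s*" + re.escape(INCLUDE_LINE) + r"[ \t]*$", re.M)
    new_text, n = commented.subn(INCLUDE_LINE, httpd_text)
    if n == 0 and not re.search(r"^" + re.escape(INCLUDE_LINE), httpd_text, re.M):
        raise ValueError("Include line for sslForClients.conf not found in httpd.conf")
    return new_text
```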
4. Enable SSL communication on the client:
- In the Symantec Endpoint Protection Manager console, on the Policies tab, click Policy Components > Management Server Lists.
- Under Management Server Lists, click on the Management Server List being configured to use SSL and then click Edit, or create a new Management Server List.
- Click the "Use HTTPS protocol" radio button.
- Make sure the "Verify certificate when using HTTPS protocol" option is unchecked. You must have a trusted SSL certificate to use this feature; this article does not address how to obtain a trusted SSL certificate.
- When defining your server under Management Servers, click Edit (or Add, if you are creating a new Management Server List, and enter the server's name and IP address). In the "Customize HTTPS port" field, enter your SSL port number if it is different from port 443. In the example above, it would be port 53300.
- Click OK.
- Assign this policy to a client group.
- After the clients in this group get this new policy, they will switch to the SSL port for Manager communication.
5. Verify that the SSL port is working correctly:
From a client computer that has been assigned the policy configured in step 4, open the Symantec Endpoint Protection client user interface and choose Help, then Troubleshooting. In the new window that opens, choose Connection Status in the left pane.
This will list the last attempted connection, last successful connection, server name and port over which the client is connected. If the client is not connecting using the SSL port number, click the "Connect Now" button on this same panel to have the client start a heartbeat.
Alternately, you can open an Internet Explorer browser window on the same Symantec Endpoint Protection client and enter the following URL to test SSL communication:
https://ServerHostName:<port_number>/secars/secars.dll?hello,secars
In the URL, ServerHostName is the computer name of the Symantec Endpoint Protection Manager, and <port_number> is the default (443) or your custom port. If "OK." is displayed, SSL configuration is successful. If a page error is displayed, repeat the first steps and verify that the string is formatted correctly. Also check that you entered the URL correctly.
Note: If you see a warning that the site is untrusted, this is expected. This article describes enabling SSL using a self-signed (untrusted) certificate. As long as you leave the "Verify certificate when using HTTPS protocol" option unchecked (as described in step 4 above), this is not an issue.
Source: ETrack | Value: 2180150