The LAN Enforcer and Symantec Network Access Control client fail to talk to the Symantec Endpoint Protection Manager 12.1 using port 443 (HTTPS) for client communications in a custom installation

Article:TECH163121  |  Created: 2011-06-23  |  Updated: 2011-06-30  |  Article URL http://www.symantec.com/docs/TECH163121
Article Type
Technical Solution


Issue



After a custom installation, the LAN Enforcer and Symantec Network Access Control client fail to talk to the Symantec Endpoint Protection Manager using port 443 (HTTPS) for client communications.


Solution



Enabling SSL or HTTPS on Symantec Endpoint Protection Manager 12.1 requires special instructions.

 

A quick step-by-step guide

This document shows you how to enable SSL, also called HTTPS, on the Apache web server. Symantec Endpoint Protection 12.1 uses the Apache web server as a replacement for Microsoft IIS. All client and reporting communication that used to happen via Microsoft IIS now happens using Apache. Since future testing will be done against Apache, we need to know how to enable SSL for various test cases.

Note that from Symantec Endpoint Protection 12.1 onwards, reporting server communication is via HTTPS by default. The following steps are to enable HTTPS communication between the Symantec Endpoint Protection client and server.

To enable HTTPS for client-server communication we define a new <virtualhost> tag similar to the one that already exists for reporting. The editing described below should be done only in the <virtualhost>..</virtualhost> section that is defined for client-server communication. If the virtual host for reporting is changed by mistake, reporting-server communication might break.

 

Client-Server SSL communication using SEPM default reporting certificates:

1. Open %SEPM%\apache\conf\httpd.conf.

2. Look for the following line:
#Include conf/ssl/sslForClients.conf

Uncomment the line, by deleting # from line:
#Include conf/ssl/sslForClients.conf
So the line would look like:
Include conf/ssl/sslForClients.conf

NOTE: Make sure the port in sslForClients.conf is not already used by another application on the machine. This can be tested by running the netstat -an command from a command prompt. Currently the default port number in sslForClients.conf is 443. So if netstat -an shows port 443 in use, we need to modify sslForClients.conf to use an unused port. For example, on a Windows 2007 SBS server, port 443 is used by an application out of the box. In this case we will change the following lines in sslForClients.conf. Assume the port ("newport", e.g. 4431) is not used by any application.

Old value                      New value                          Example
Listen 443                     Listen newport                     Listen 4431
<VirtualHost _default_:443>    <VirtualHost _default_:newport>    <VirtualHost _default_:4431>

Save sslForClients.conf.

3. Restart the Symantec Endpoint Protection Manager Webserver.
4. Test to see if the following URL returns OK.

https://ServerHostname:<newport>/secars/secars.dll?hello,secars

5. If step 4 works, then Apache is now listening on port <newport>.

NOTE: In order to make sure that client communicates with server on "newport", we need to modify the Management Server List to use "newport" and apply it to the client.
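The port check and the two-line edit above can be scripted. The following is an added example written for this article, not Symantec's code: port_in_use() mimics the netstat -an check by trying to bind the port locally, retarget_port() rewrites the Listen and <VirtualHost ...:port> lines of a constructed sslForClients.conf sample, and pick_free_port() walks a candidate list (443 first, then 4431). Function names and the sample file contents are assumptions; it expects the plain "Listen <port>" form shown in the article.

```python
import re
import socket

# Constructed sample modelled on the lines the article says to change; not the real file.
SAMPLE_CONF = """\
Listen 443
<VirtualHost _default_:443>
SSLEngine on
SSLCertificateFile "conf/ssl/server.crt"
SSLCertificateKeyFile conf/ssl/server.key
</VirtualHost>
"""

# Only an uncommented "Listen <port>" line and the VirtualHost port are touched.
LISTEN_RE = re.compile(r"^([ \t]*Listen[ \t]+)(\d+)", re.MULTILINE)
VHOST_RE = re.compile(r"^([ \t]*<VirtualHost[ \t]+[^:>\s]+:)(\d+)(>)", re.MULTILINE)


def port_in_use(port, host="0.0.0.0"):
    """Same question netstat -an answers: can we still bind this TCP port?"""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return False
        except OSError:
            return True


def pick_free_port(candidates=(443, 4431)):
    """Return the first candidate that is not taken, or None if all are busy."""
    return next((p for p in candidates if not port_in_use(p)), None)


def retarget_port(conf_text, new_port):
    """Move both the Listen line and the <VirtualHost _default_:port> line to new_port."""
    text, n_listen = LISTEN_RE.subn(lambda m: f"{m.group(1)}{new_port}", conf_text)
    text, n_vhost = VHOST_RE.subn(lambda m: f"{m.group(1)}{new_port}{m.group(3)}", text)
    if n_listen != 1 or n_vhost != 1:
        # Refuse to write a half-edited file: both lines must change together.
        raise ValueError(f"expected 1 Listen and 1 VirtualHost line, got {n_listen}/{n_vhost}")
    return text


def demo_busy_port():
    """Bind an ephemeral listener standing in for the application that holds 443."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("0.0.0.0", 0))
    s.listen(1)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    port = pick_free_port()
    print(f"using port {port}\n" + retarget_port(SAMPLE_CONF, port))
```

Write the returned text back to sslForClients.conf, then restart the web server and update the Management Server List as the note above says.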

 

Client-Server SSL communication using custom certificates:

This section shows step-by-step how to create and use a Self-Signed Certificate for client-server communication.

1. Click Start --> Run: CMD<enter>
Browse to the SEPM\apache\bin directory, the command should be:
cd "\Program Files\Symantec Protection Center\apache\bin"<enter>
Enter the following series of commands:

openssl req -config ..\conf\ssl\openssl.cnf -new -out request.csr -keyout clientserver.pem

NOTE: When asked what is the 'common name', enter the host name of the server. This will allow you to use the "Verify SSL" feature later on if needed.

openssl rsa -in clientserver.pem -out ..\conf\ssl\clientserver.key
openssl x509 -in request.csr -out ..\conf\ssl\clientserver.crt -req -signkey ..\conf\ssl\clientserver.key -days 365

The sslForClients.conf file is located at %SEPM%\apache\conf\ssl\sslForClients.conf.

1. Open %SEPM%\apache\conf\httpd.conf.

2. Look for the following line:
#Include conf/ssl/sslForClients.conf

Uncomment the line, by deleting # from line:
#Include conf/ssl/sslForClients.conf
So the line would look like:
Include conf/ssl/sslForClients.conf
Save the file.

3. Open the sslForClients.conf file.
Find the two following lines:

SSLCertificateFile "conf/ssl/server.crt"
SSLCertificateKeyFile conf/ssl/server.key
 

Update them to show:

SSLCertificateFile "conf/ssl/clientserver.crt"
SSLCertificateKeyFile conf/ssl/clientserver.key

Save and close the sslForClients.conf file.

Restart Apache. You can either open the services menu and restart Symantec Protection Center Webserver, or you can type net stop/start semwebsrv at the command prompt.

Now you can log into your Symantec Endpoint Protection Manager server and create or modify a Management Server List using SSL. The default SSL port for Apache is TCP port 443. Do not use the "Verify certificate when using HTTPS protocol" option unless you know what you are doing.

 

Enable Verify SSL

Clients have a feature where they can 'verify' SSL. This means that not only do they communicate over SSL, but they also verify that the server they are talking to presents a trusted certificate that is current.

To enable/test this feature, do the following:

Follow the steps in the 'A quick step-by-step guide' section. Be sure to set the Common Name to the host name of your server.

Copy the resulting 'server.crt' (or clientserver.crt) file onto the client.

On the client, launch mmc.
Click File --> Add/Remove Snap-in --> Add... button.
Select "certificates" and click Add.
Important: At the box, "This snap-in will always manage certificates for:" select "Computer account".
If you do not select the 'computer account' everything will look correct, but the client will refuse to communicate.
Close out the Add/Remove Snap-in dialog.

You should now see the 'Certificates' icon in the MMC panel.
Right click on Trusted Root Certificates
Click All Tasks --> Import...
Browse to the 'server.crt' (or clientserver.crt) certificate.
Complete the wizard.

Restart the Symantec Endpoint Protection client.

You should now be able to use the 'verify' option.

To test/troubleshoot, open IE on the client and go to:

https://ServerHostname:443/secars/secars.dll?hello,secars

You should go to the hostname, not the IP address.

If you see a big "OK", without any certificate warnings from IE, then things should work.

If your client cannot resolve your server's hostname, add the hostname and IP address to Windows' "hosts" file.
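The same "big OK without certificate warnings" test can be run from a script instead of IE. This is an added example for this article, not Symantec's code: check_secars() opens the secars hello URL with hostname verification on, trusting only the exported clientserver.crt (or the system store when cafile is None), and classify_tls_failure() maps the handshake error back to the causes this section describes (cert not in the trusted store, CN not matching the host name, expired). The function names, the return dictionary and the use of the documentation address 192.0.2.10 are assumptions.

```python
import ipaddress
import ssl
import urllib.error
import urllib.request

HELLO_PATH = "/secars/secars.dll?hello,secars"


def is_ip_literal(host):
    """The article says to test by host name: the CN was set to the server's host name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_tls_failure(exc):
    """Map an SSL error (or its message) to the troubleshooting cause; assumed labels."""
    msg = str(exc).lower()
    if "hostname mismatch" in msg or "doesn't match" in msg:
        return "hostname-mismatch"      # CN differs from the name you connected to
    if "certificate has expired" in msg:
        return "expired"                # 'current' check in the Verify SSL feature failed
    if "certificate verify failed" in msg or "self signed" in msg or "self-signed" in msg:
        return "untrusted"              # clientserver.crt not in the computer's trusted roots
    return "other"


def check_secars(hostname, port=443, cafile=None, timeout=10):
    """Return {'ok': bool, 'reason': str|None} for the hello URL over verified HTTPS."""
    if is_ip_literal(hostname):
        return {"ok": False, "reason": "use the hostname, not the IP: the CN was set to the host name"}
    # cafile = path to the exported server.crt / clientserver.crt; check_hostname is on by default.
    ctx = ssl.create_default_context(cafile=cafile)
    url = f"https://{hostname}:{port}{HELLO_PATH}"
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
            body = resp.read().decode("ascii", "replace").strip()
    except urllib.error.URLError as e:
        cause = e.reason           # urllib wraps the handshake error in URLError
        if isinstance(cause, ssl.SSLError):
            return {"ok": False, "reason": classify_tls_failure(cause)}
        return {"ok": False, "reason": f"connection: {cause}"}
    except OSError as e:
        return {"ok": False, "reason": f"connection: {e}"}
    if body == "OK":
        return {"ok": True, "reason": None}
    return {"ok": False, "reason": f"unexpected body {body!r}"}


if __name__ == "__main__":
    print(check_secars("ServerHostname", 443, cafile="clientserver.crt"))
```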


Supplemental Materials

Source: ETrack
Value: 2331561



