Installing the Symantec Endpoint Protection client to a Windows cluster server

Article: TECH91154  |  Created: 2008-01-01  |  Updated: 2014-10-01
Article Type: Technical Solution



You would like to install a Symantec Endpoint Protection (SEP) client on a Windows Server 2000/2003/2008/2012/2012 R2 cluster. In Windows Server 2000 and 2003, this is referred to as "Windows Clustering" (as opposed to Network Load Balancing). In Windows Server 2008, this type of clustering has been renamed to High Availability/Failover Clustering. In Windows 2012, new and changed functionality in Failover Clustering supports increased scalability, easier management, faster failover, and more flexible architectures for failover clusters.



Installing to the cluster

To install the Symantec Endpoint Protection client to the cluster server:

  1. Put the node in passive mode during the install.
  2. Install the Symantec Endpoint Protection client to the passive node.

Uninstalling from the cluster

To uninstall the Symantec Endpoint Protection client from the cluster:

  1. Put the node in passive mode during the uninstall.
  2. Uninstall the Symantec Endpoint Protection client from the passive node.

Repeat these steps for any additional nodes.


  • You do not have to break the cluster by bringing down one of the nodes for installation or uninstallation. In the past, some administrators preferred to break the cluster in order to ensure the cluster would not have resource or performance issues during the install.
  • While a default install of Symantec Endpoint Protection on a new system does not require a reboot if only installing Virus and Spyware Protection, an installation of IPS (Intrusion Prevention System) requires a reboot in order for the driver installation to the TCP/IP stack to complete.
  • If the install is an upgrade from a previous version of Symantec Endpoint Protection, the upgrade may require a reboot. This requirement can be due to other products and/or applications on the system using shared files, such as runtime libraries. If these files are in use at the time of the installation and the installation cannot replace them, the installation marks them for replacement so that they are replaced upon the next reboot.
  • If you install the Symantec Endpoint Protection firewall, you must create a new firewall rule to allow Clustered Server communications. In this rule, allow TCP traffic to remote ports 49000-50000, and do not specify a local port. Without this rule in place, you cannot connect to the cluster.
  • Do not install the Symantec Endpoint Protection client to the cluster's shared drives. When the server fails over, access to the Symantec Endpoint Protection software is lost.
  • If you install remotely, install the Symantec Endpoint Protection client software using the local server names and not the shared cluster name.
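
A pre-install check for the procedure and notes above, as an added example that is not part of the original article: it rejects the shared cluster name as an install target and confirms the chosen node currently owns no cluster groups. It assumes the FailoverClusters PowerShell module is available and that "passive" means the node owns no groups; the function name `Test-SepInstallTarget` is hypothetical.

```powershell
# Added example (not Symantec's code). Run elevated on a cluster node.
Import-Module FailoverClusters

function Test-SepInstallTarget {
    param(
        [Parameter(Mandatory = $true)]
        [string]$TargetName   # local server name of the node to install to
    )

    # The client must be installed by local server name, not the cluster name.
    $cluster = Get-Cluster
    if ($TargetName -eq $cluster.Name) {
        throw "'$TargetName' is the shared cluster name; use a node's local server name."
    }

    # Fails with an error if the name is not a member node of this cluster.
    $node = Get-ClusterNode -Name $TargetName -ErrorAction Stop

    # Assumption: a passive node is one that owns no cluster groups right now.
    $owned = @(Get-ClusterGroup | Where-Object { $_.OwnerNode.Name -eq $node.Name })
    if ($owned.Count -gt 0) {
        Write-Warning ("{0} still owns: {1}. Move these groups to another node first." -f `
            $node.Name, (($owned | ForEach-Object { $_.Name }) -join ', '))
        return $false
    }

    Write-Output "$($node.Name) owns no cluster groups; safe to install or uninstall."
    return $true
}

# Usage: check the local node before running the SEP installer on it.
# Test-SepInstallTarget -TargetName $env:COMPUTERNAME
```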

Additional cluster server guidance:

  • Installing a Symantec Endpoint Protection Manager (SEPM) on a Windows 200x Cluster is not supported.
  • The Symantec Endpoint Protection client is not "cluster-aware". You should not configure it as a cluster server, as it should remain active and running to protect the local server, even when the local server is the "passive node" and is not in control of the shared resources.
  • The Symantec Endpoint Protection client is supported in both Active/Active and Active/Passive clustering.
  • In an Active/Passive cluster pair with Symantec Endpoint Protection 12.1.x, you should disable the policy component “Block all traffic until firewall starts and after the firewall stops” on the group or groups in which the cluster servers reside. This component can cause the cluster communications to fail and result in an undesired Active/Active scenario where both cluster partners attempt to manage the shared data. An alternate workaround is to set the cluster service to manual startup and then script launching the service once the machine has finished its boot process or a user logon event occurs. This arrangement ensures the cluster service starts after the smcservice, and that the firewall service starts before the cluster service comes online.
  • High Availability for the Symantec Endpoint Protection Manager backend (Microsoft SQL Server database) should be achieved by installing it into a Microsoft SQL cluster. High Availability for the Symantec Endpoint Protection Manager web front-end should be achieved by installing more than one Symantec Endpoint Protection Manager connecting to the same Microsoft SQL database.
  • Auto-Protect on the local Symantec Endpoint Protection client protects the local server resources. Auto-Protect on an active server node protects the shared resources.
  • Each Symantec Endpoint Protection client installation is managed separately and provides protection in the event of a failover.
  • If failover occurs while a manual scan runs on the shared drives, the scan does not automatically restart.
  • If one Symantec Endpoint Protection client in the cluster is temporarily down, virus definitions on that node will not be updated until the Symantec Endpoint Protection client successfully starts and updates itself from the designated management server.
  • Event logging and alerting include the name of the local system and not the cluster server name. The local system name better helps to identify which system encountered the event.
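
One way to script the alternate workaround from the Active/Passive note above, as an added example that is not part of the original article: the cluster service is set to manual startup and a boot-time script starts it only once the SEP client service is running. The service names `SmcService` and `ClusSvc`, the ten-minute limit, and the function name `Start-ClusterAfterSep` are assumptions to adjust for your environment.

```powershell
# Added example (not Symantec's code).
# One-time setup, run elevated on each node:
#   Set-Service -Name ClusSvc -StartupType Manual
# Then run this script at boot, for example from a startup scheduled task
# running as SYSTEM.

function Start-ClusterAfterSep {
    param(
        [string]$SepService     = 'SmcService',  # SEP client service (assumed name)
        [string]$ClusterService = 'ClusSvc',     # Windows Cluster service
        [TimeSpan]$WaitFor      = (New-TimeSpan -Minutes 10)  # assumed limit
    )

    # Poll until the SEP client service reports Running, or give up.
    $deadline = (Get-Date).Add($WaitFor)
    while ((Get-Service -Name $SepService -ErrorAction Stop).Status -ne 'Running') {
        if ((Get-Date) -gt $deadline) {
            # Design choice: leave the cluster service stopped so the node does
            # not join the cluster before the SEP firewall is up.
            throw "$SepService not running after $WaitFor; $ClusterService left stopped."
        }
        Start-Sleep -Seconds 5
    }

    # SEP is up, so the firewall starts before the cluster service comes online.
    Start-Service -Name $ClusterService -ErrorAction Stop
    (Get-Service -Name $ClusterService).Status
}

try {
    $status = Start-ClusterAfterSep
    Write-Output "Cluster service status: $status"
}
catch {
    Write-Error $_
    exit 1
}
```

If the script exits with an error, the node stays out of the cluster until an administrator checks the SEP client and starts the cluster service manually.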

Note: Symantec Endpoint Protection 11.0.2 (11 MR2) and later supports Windows Server 2008.

Symantec Endpoint Protection is supported on Windows Server 2012 starting with SEP 12.1 RU2, and on Windows Server 2012 R2 starting with SEP 12.1 RU4.

