Endpoint Protection

Installed the latest version of SEPM on a windows 2008 server and I'm having problems with HOME, MONITORS and REPORTS, (it gets stuck on loading)

OS: windows 2008 Standard 64 bit, installed on a VM.
SEPM installed to D:\Program Files (x86)
SQL 2005 32 bit is installed on a remote server.

WSUS is also installed on the same server. (works fine)
SEPM was installed to custom site (8014)

I read a bunch of posts here about the 403 problem, none seemed to help me.
verified the following:

Network service has permissions to the following:
Adjust memory quotas for a process
Replace a process-level token

"D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Inetpub" has IIS_IUSRS listed with read rights.

If I access http://vm-server1:8014/, I get a 403 error.

I'm able to access http://vm-server1:8014/reporting and cycle thru the different tabs.

I do not have Java installed on the server, but my understanding is that it's not needed on the server.

There was a post that mentioned to check the DSN settings for the database connection. I do not see anything in the system DSN tab. Am I supposed to? since I'm running SQL on a remote server?


Any idea what i'm missing to check here?

This sounds like your Application Pool isnt running under the Network Service account, firstly change the app pool to run under this account. And report back

It looks like permission problem on root directory, kindly double check.

I believe I have both of these set correctly already. Can you please verify?

Are you sure about not needing Java?  I'm pretty sure you need the Java Runtime Environment to use the console: https://www-secure.symantec.com/connect/forums/sep11-problem-tab-home-monitors-reports#comment-2241271

How to work with Data Sources (ODBC) or ODBC connection in 64bit Windows OS
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008021900094548

In the App Pool change the Network service to Local system and then check if it works.
If it is working on Local System account then that means we need to give permission to Network Service.
If that does not work.
Right Click and Browse Wesbite/Default Web Site/Reporting and check what error are you getting.

I'm trying this on the server were SEPM is installed itself.
My unerstanding is that java is only required for remote console connections. The SEPM server itself uses a internal version of java.version = 1.5.0_15.
(at least I think I read that somewhere on the forums)

sav to sep,
thanks for the link about the odbc connection. Unfortunately I don't know the DBA password and can't test this right now.
I changed the app pool to local system and still had the same problem.

As I mentioned before, /reporting works fine. It's only browsing to /default website that produces 403 errors.

Well the odbc connection tested OK. Making changes to the app pool didn't seem to make no difference.

All this time, I was trying this on the server itself where I installed SEPM. I just tried the remote console on my workstation, and it worked fine.
So the problem seems to be limited to the server with SEPM installed. 2008 standard, 64 bit.
I even installed Java 5 update 16 on the server, still did not work.

Any other ideas?

Thank You

First of all your permissions are incorrect.   Permissions for the SEPM folders are basically Admin w/ full control on everything and Users (Authenticated Users on a DC) with read and execute on everything except for the following. 

\SEPM\data and all sub folders need full control for everyone. 
\SEPM\Inetpub\Reporting and all sub folders need full control for Administrators and IUSR.  (or with 2008 the IIS_IUSRS group)

You assigned IUSR to Inetpub, which is the wrong location and you also only assigned it read and execute.  It needs full control, but only on the Reporting pages and their subfolders/files. 

You may also need to make sure Administrators and IUSR have full control on C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection Manager\php\temp along with the subfolders/files.  The path will be different on 2008, something like C:\Program Data\Symantec\SEPM\php\temp.  Its unlikely there is a permissions issue here unless you deliberately messed with these permissions. 

Hope that helps. 

Oh, also one more thing.  Make sure that you add your SEPM IIS site to the trusted sites in Internet Explorer on the server.  There are specific requirements for active X and some other things.  Adding to trusted sites should take care of that. 

Well, turns out permissions were correct, probably why it worked on my workstation.

The problems turned out to because IE's content rating was turned ON, on the server. Thanks to your post about making sure IE works properly on the server helped me figure it out.

Thanks to all.