Cisco silent monitor not working with sep v12
Hello all,
We have Cisco Desktop Supervisor installed with Symantec Endpoint Protection version 12 on our PCs. A feature within Cisco Desktop Supervisor has the ability to silently monitor the audio conversation the agent is on. The issue is that the silent monitoring feature on Cisco Supervisor does not work with SEP installed. Without SEP installed on the supervisor and agent PCs, silent monitoring works fine. The Cisco contact center server and call servers are already excluded on SEPM. The SEP network threat log file shows MAC addresses being blocked, but as I understand it SEPM cannot exclude based on MAC addresses and can only use IP addresses as methods to exclude. Would anybody know what exclusions would be needed on SEP for audio to be heard on the supervisor's PC?
Thank you in advance,
Securityworld
Comments
What version of SEP 12.1 is this?
SEP Knowledge Base
Endpoint SWAT
SEP version: 12.1.1101.401 release: RU1 MP1
Hi,
What SEP feature do you have installed?
Did you try disabling the NTP components?
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
Virus & Spyware Proactive
Hi,
Did you try disabling the NTP components?
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
Disabled NTP on both PCs and silent monitoring works OK; enabled the intrusion protection subcomponent on both PCs and it's working OK. So that leaves the firewall component.
Did you ever find a resolution to this? I am having the exact same issue with the exact same SEP version.
I have noticed that if I turn off the SEP Firewall, silent monitoring works fine. As soon as I turn it back on, it breaks, even after adding exceptions to the SEP Firewall for ports 3000-3999 and 59000-59021 as suggested by Cisco.
Thank you,
What is showing in your traffic log as being blocked for this?
You may need to add the exclusion based on the Ethernet protocol type instead of the ports
SEP Knowledge Base
Endpoint SWAT
I cannot seem to find any log that indicates the traffic being blocked, yet I know with certainty that SEP is blocking it. What would be the best log for me to check?
Open the GUI and select View Logs
To the right of Network Threat Protection click on View Logs, select the Traffic Log
There may be a bunch of entries, so I would do what you need to do to have the app blocked, then check the log.
SEP Knowledge Base
Endpoint SWAT
Also, I am unfamiliar with adding that type of exception. Is there documentation you can point me towards or can you easily explain it?
Thank you,
Is this a managed or unmanaged version of SEP?
This is a good start
About firewall rule network services triggers
But you'll need to build the rule based on what is in the traffic log
SEP Knowledge Base
Endpoint SWAT
Managed. Checking that log now.
If you can post it that would be a huge help but I understand if you can't due to sensitive info possibly being in there
SEP Knowledge Base
Endpoint SWAT
I should be able to post it shortly. However, I do not see any applicable entries that show the blocking occurring. When I make the voice call, I can see traffic going from the phone to the phone gateway server, but the silent monitor session I am starting should come from server IP 10.5.1.3, and there are zero entries for that IP, only 10.5.1.2.
The phones are configured so that the Ethernet goes into the phone, then into the PC through the switch built into the phone. Span to PC port is enabled, so the log picks up the traffic between the phone and the controlling gateway.
In the log, for the Protocol column, does it show anything?
SEP Knowledge Base
Endpoint SWAT
So, I was actually able to find a log entry for the right IP address... although I haven't been able to recreate the log entry in all my testing, so I'm not sure about that. I have trimmed the log to only this one entry and attached it.
Now the port it blocked is entirely different (47XXX) than what Cisco has told me to allow (3000-3999 & 59000-59021).
I guess my next question is: is there a way for me to say 'allow any ports/all from source 10.5.1.3'?
This should be a pretty basic one as you can create a firewall rule to allow traffic to/from that IP
SEP Knowledge Base
Endpoint SWAT
With attachment this time. Forgot it on previous post.
Ok, yup in hindsight that was pretty easy. I added a rule to allow anything to or from 10.5.1.3 and it works now.
I am quite the beginner with SEP.
Thank you for the quick responses, very much appreciated.
Cool. Be curious to see what happened with the original poster...
SEP Knowledge Base
Endpoint SWAT