
Cisco silent monitor not working with sep v12

Created: 26 Nov 2012 | 21 comments

Hello all,

We have Cisco desktop supervisor installed with Symantec Endpoint Protection version 12 on our PCs. A feature within Cisco desktop supervisor can silently monitor the audio conversation the agent is on. The issue is that the silent monitoring feature on Cisco supervisor does not work with SEP installed. Without SEP installed on the supervisor and agent PCs, silent monitoring works fine. The Cisco contact center server and call servers are already excluded on SEPM. The SEP network threat log file shows MAC addresses being blocked, but as I understand it SEPM cannot exclude based on MAC addresses and can only use IP addresses as a method to exclude. Would anybody know what exclusions would be needed on SEP for audio to be heard on the supervisor's PC?

Thank you in advance,

Securityworld

21 Comments

Ashish-Sharma's picture

Hi,

What SEP features do you have installed?

Did you try disabling the NTP components?

Thanks in advance

Ashish Sharma

securityworld's picture

  • Virus & Spyware
  • Proactive Threat
  • Network Threat
  • Network Access

Ashish-Sharma's picture

Hi,

Did you try disabling the NTP components?

Thanks in advance

Ashish Sharma

securityworld's picture

Disabled NTP on both PCs and silent monitoring works OK; enabled the intrusion protection sub-component on both PCs and it's still working OK. So that leaves the firewall component.

dhumes0524's picture

Did you ever find a resolution to this?  I am having the exact same issue with the exact same SEP version.

I have noticed that if I turn off the SEP Firewall, silent monitoring works fine.  Soon as I turn it back on, it breaks, even after adding exceptions to SEP Firewall for ports 3000-3999 and 59000-59021 as suggested by Cisco.

Thank you,

_Brian's picture

What is showing in your traffic log as being blocked for this?

You may need to add the exclusion based on the Ethernet protocol type instead of the ports.

dhumes0524's picture

I cannot seem to find any log that indicates the traffic being blocked, yet I know with certainty that SEP is blocking it.  What would be the best log for me to check?

_Brian's picture

Open the GUI and select View Logs

To the right of Network Threat Protection click on View Logs, select the Traffic Log

There may be a bunch of entries, so I would do what you need to do to have the app blocked, then check the log.

dhumes0524's picture

Also, I am unfamiliar with adding that type of exception.  Is there documentation you can point me towards or can you easily explain it?

Thank you,

_Brian's picture

Is this a managed or unmanaged version of SEP?

This is a good start

About firewall rule network services triggers

Article:HOWTO80716  |  Created: 2012-10-24  |  Updated: 2013-01-30  |  Article URL http://www.symantec.com/docs/HOWTO80716

 

But you'll need to build the rule based on what is in the traffic log

_Brian's picture

If you can post it that would be a huge help but I understand if you can't due to sensitive info possibly being in there

dhumes0524's picture

I should be able to post it shortly.  However, I do not see any applicable entries that show the blocking occurring.  When I make the voice call, I can see traffic going from the phone to the phone gateway server, but the silent monitor session I am starting should come from server IP 10.5.1.3, and there are zero entries for that IP, only 10.5.1.2. 

The phones are configured so that the Ethernet goes into the phone, then into the PC through the switch built into the phone. Span to PC port is enabled, so the log picks up the traffic between the phone and the controlling gateway.

_Brian's picture

In the log, for the Protocol column, does it show anything?

dhumes0524's picture

So, I was actually able to find a log entry for the right IP address...although I haven't been able to recreate the log entry in all my testing...so not sure on that.  I have trimmed the log to only this one entry and attached it. 

Now the port it blocked is entirely different (47XXX) than what Cisco has told me to allow (3000-3999 & 59000-59021)?

I guess my next question is: is there a way for me to say 'allow any ports/all from source 10.5.1.3'?

_Brian's picture

This should be a pretty basic one as you can create a firewall rule to allow traffic to/from that IP

dhumes0524's picture

With attachment this time. Forgot it on previous post.

Attachment: agent.txt (220 bytes)
dhumes0524's picture

Ok, yup in hindsight that was pretty easy.  I added a rule to allow anything to or from 10.5.1.3 and it works now.

I am quite the beginner with SEP.

Thank you for the quick responses, very much appreciated.
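An added example, not part of the thread and not Symantec or Cisco tooling: a small triage script that lists, per remote IP, the blocked ports that fall outside the port exceptions already in place (3000-3999 and 59000-59021), which helps decide how narrowly a new allow rule can be scoped. The CSV layout, the timestamps and the port values in the sample are constructed assumptions, not SEP's actual Traffic Log export format.

```python
import csv
import io
from collections import defaultdict

# Port ranges already excepted in the thread (as suggested by Cisco).
ALLOWED_RANGES = [(3000, 3999), (59000, 59021)]

# Constructed sample in a simplified CSV layout (an assumption, not SEP's
# real export format). IPs come from the thread; ports and times are made up.
SAMPLE_LOG = """\
time,action,direction,protocol,remote_ip,remote_port,local_port
2013-02-01 10:00:01,Allowed,Incoming,UDP,10.5.1.2,3204,3204
2013-02-01 10:00:05,Blocked,Incoming,UDP,10.5.1.3,41234,41236
2013-02-01 10:00:06,Allowed,Incoming,UDP,10.5.1.3,59010,59010
2013-02-01 10:00:09,Blocked,Incoming,UDP,10.5.1.3,41234,bad
"""


def in_allowed_ranges(port):
    """True if the port is covered by an existing firewall exception."""
    return any(lo <= port <= hi for lo, hi in ALLOWED_RANGES)


def uncovered_blocks(log_text):
    """Map remote IP -> sorted blocked local ports not covered by ALLOWED_RANGES.

    Assumption: the local port is the one the exception has to match.
    """
    gaps = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["action"].strip().lower() != "blocked":
            continue
        try:
            port = int(row["local_port"])
        except (TypeError, ValueError):
            continue  # skip rows whose port field is missing or malformed
        if not in_allowed_ranges(port):
            gaps[row["remote_ip"].strip()].add(port)
    return {ip: sorted(ports) for ip, ports in gaps.items()}


if __name__ == "__main__":
    for ip, ports in uncovered_blocks(SAMPLE_LOG).items():
        print(f"{ip}: blocked on ports outside existing exceptions: {ports}")
```
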

_Brian's picture

Cool. Be curious to see what happened with the original poster...