Endpoint Protection


Endpoint Manager Console needs to see clients located in their own Workgroup, not on the main Domain.

  • 1.  Endpoint Manager Console needs to see clients located in their own Workgroup, not on the main Domain.

    Posted Jun 19, 2009 12:41 PM

    I have Symantec EndPoint 1.0.4014.26.
    I had a Symantec Server with the Console that was able to see all the 350 clients on the main Domain network, and ALSO see about 8 clients that were on their own workgroup.

    I was 1 of 4 network people at my organization, 2 were laid off.
    One of those 2 was the one that discovered how to do this.
    I since upgraded and built a NEW server, but the Symantec console on the New server can only see what is on its own Domain.
    I have tried opening ports on switches and various other methods...do I need to edit a host file?

    Has anyone else used the Symantec console to see clients that are OFF the main domain and located on a Workgroup elsewhere?
    I have excluded certain IP ranges in the Excluded host section, opened ports up....just not sure how the guy, no longer here, did it!
    Any ideas?



  • 2.  RE: Endpoint Manager Console needs to see clients located in their own Workgroup, not on the main Domain.

    Posted Jun 19, 2009 12:54 PM
    Endpoint client & the manager communication happens on port 8014 over http.... If you can ping the client & there is no firewall blocking the port 8014 then you should be able to see the client located on a workgroup elsewhere. If, even after having the port open, the clients are not talking to the manager, then the first thing you should try is to replace the sylink file..


  • 3.  RE: Endpoint Manager Console needs to see clients located in their own Workgroup, not on the main Domain.

    Posted Jun 19, 2009 01:23 PM
    Thanks...I have opened 8443 and port 80 ....as for the Sylink.xml file...I feel I am expert with that one.

    Replacing that has been the cause of many issues during my time as Symantec Administrator.
    I have reloaded the Client and replaced the Sylink.xml file with the one I use on the main Domain network.

    I can successfully ping the Workgroup computers from the Symantec server. And I ping them both by name and by IP.

    I will look into the port 8014 and see if it is being blocked somewhere. Thanks.

    P.S. if anyone reads this, I replace the Sylink.xml file manually sometimes. You have to click on START-RUN and type "SMC -STOP"
    Then copy/paste the Sylink.xml file over the top of the existing one. Then START-RUN and type "SMC -START".  The Gold shield by the clock will disappear while it is in STOP mode.


  • 4.  RE: Endpoint Manager Console needs to see clients located in their own Workgroup, not on the main Domain.

    Posted Jun 19, 2009 01:34 PM
    Please let me know if my suggestion resolves the problem....


  • 5.  RE: Endpoint Manager Console needs to see clients located in their own Workgroup, not on the main Domain.

    Posted Jun 19, 2009 01:39 PM
    Don't know if this would help much

    service1.symantec.com/support/ent-security.nsf/docid/2009010622472148

    Give this doc a dekko.




  • 6.  RE: Endpoint Manager Console needs to see clients located in their own Workgroup, not on the main Domain.

    Posted Jun 19, 2009 02:06 PM
    Thanks for updating with the document.... 

    I think you did not read the comment: the network was already working & was able to "ALSO see about 8 clients that were on their own workgroup". This means that the client communication was fine, but then the server was upgraded & the manager on the new server is not able to see the client in the workgroup.... So this means we don't need to follow the Best Practices document which says about working on the client where in the change is done on the server end..... :-)




  • 7.  RE: Endpoint Manager Console needs to see clients located in their own Workgroup, not on the main Domain.

    Posted Jun 19, 2009 02:40 PM
    @ Saeed

    Please read my first line in the comment above "Don't know if this would help much"

    I think the grammar in itself sums it all up that I'm not too sure if the document would help.



  • 8.  RE: Endpoint Manager Console needs to see clients located in their own Workgroup, not on the main Domain.

    Posted Jun 19, 2009 04:04 PM
    I have opened up that port on the switch.
    Also..I have added a line in the host file for the IP address of the Symantec Server and then the server name.
    If any readers are looking for such a file...it is located at .....C:\Windows\System32\Drivers\etc\Hosts

    use Notepad to open it.


    Anyways...hosts files do not take effect until the server is rebooted.
    So I will not know if this worked until I reboot and presently the servers are in use.

    I will let you know.



  • 9.  RE: Endpoint Manager Console needs to see clients located in their own Workgroup, not on the main Domain.

    Posted Jun 29, 2009 12:28 PM
    The ASA Cisco switch has the IP address and the Server name listed in there for allowing access thru.  I have had port 8014 added and it did not help.
    I did re-read about port 8014 being over http.  I saw the ASA Cisco switch entry as being over tcp.  But in general, I think this is an issue of a Cisco switch blocking the clients in the WORKGROUP.  The old server that I used still sees the clients in the WORKGROUP just fine even though I have the new version and the new XML running on the WORKGROUP clients.  Is there a need for a Certificate or something else?



  • 10.  RE: Endpoint Manager Console needs to see clients located in their own Workgroup, not on the main Domain.

    Posted Jun 29, 2009 04:54 PM
    I did read the article supplied by Abhishek Pradhan.
    I made the change in the local group policy by using GPEDIT.MSC as well as the other recommendations. 
    The issue was still that the clients on the WORKGROUP could be seen by the old server SEPM, but not on the new server running the SEPM.
    As mentioned, I am on a Domain Network and would like to be able to see and manage my clients on a WORKGROUP from the same SEPM server.

    Thank you for your time and advice so far.




  • 11.  RE: Endpoint Manager Console needs to see clients located in their own Workgroup, not on the main Domain.

    Posted Jun 30, 2009 01:23 PM
    I was able to use the "Find Unmanaged Clients" on the SEPM manager that is on the Domain....and put in an IP address range of the clients that are OFF the Domain, but on a WORKGROUP.   The SEPM found them..and pushed out the new client...and installed them.   Although the new Gold Shield appeared by the clock, the green dot never appeared.  The log files on the client say it cannot connect to the server  <ServerName>:2967.

    A TraceRT command successfully makes it in only 1 hop.  I have opened the ASA Cisco and the firewall up all the way for all port numbers and still do not see the Clients show up on the SEPM manager screen.

    Any ideas?


  • 12.  RE: Endpoint Manager Console needs to see clients located in their own Workgroup, not on the main Domain.

    Posted Jul 04, 2009 01:54 AM
    Ok. Looks like the client is trying to contact a GUP (Group Update Provider) that may not be present. Check the LiveUpdate policy for the group that these clients are reporting to, and try to remove the GUP computer from there.


  • 13.  RE: Endpoint Manager Console needs to see clients located in their own Workgroup, not on the main Domain.

    Posted Jul 09, 2009 11:35 AM
    Thank you for all your help so far! I have tried the GUP and still do not have communication.

    I have opened all ports on the firewall.  Still not getting the WORKGROUP computers to communicate to Domain.  I put the SyLink file that represents the old server back on the WORKGROUP client and all works ok.  I point to the new server with the new Sylink file and there is no communication back inward from the clients.  I can PUSH the client outward to those servers and PCs but they do not communicate back.  No green dot on top of the Gold Shield by the Clock.  There is only an ASA switch between the Domain and the WORKGROUP. I think there has to be something in there blocking it.  I will keep you all informed.  If any more ideas are available, I am open to them. Thank you again so far.
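
    The open question across the thread is whether a WORKGROUP client can open a connection back to the new manager, which ping and tracert do not answer. The PowerShell script below is an added example, not part of any post in this thread and not Symantec code: run from a workgroup client, it resolves the manager's name and tries a TCP connection on the two port numbers quoted above (8014 and 2967). The manager name `SEPM-NEW`, the function name and the result labels are assumptions made for illustration.

```powershell
# Added example; 'SEPM-NEW' is a placeholder for the new manager's name or IP.
param(
    [string]$Manager = 'SEPM-NEW',
    [int[]]$Ports = @(8014, 2967),   # the two port numbers quoted in the thread
    [int]$TimeoutMs = 3000
)

function Test-ManagerPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $row = [ordered]@{ Host = $HostName; Address = $null; Port = $Port; Result = $null }

    # Step 1: resolve the name with the system resolver (hosts file, DNS).
    try {
        $addr = [System.Net.Dns]::GetHostAddresses($HostName) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            Select-Object -First 1
    } catch { $addr = $null }
    if (-not $addr) {
        $row.Result = 'NameNotResolved'
        return [pscustomobject]$row
    }
    $row.Address = $addr.ToString()

    # Step 2: attempt a TCP connection with a bounded wait.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        if ($client.ConnectAsync($addr, $Port).Wait($TimeoutMs)) {
            $row.Result = 'Open'
        } else {
            # No answer at all within the timeout: packets dropped on the path.
            $row.Result = 'TimedOut'
        }
    } catch {
        $inner = $_.Exception.GetBaseException()
        if ($inner -is [System.Net.Sockets.SocketException] -and
            $inner.SocketErrorCode -eq 'ConnectionRefused') {
            # Connection was reset: host reachable, nothing accepting on this port.
            $row.Result = 'Refused'
        } else {
            $row.Result = "Error: $($inner.Message)"
        }
    } finally {
        $client.Close()
    }
    return [pscustomobject]$row
}

$Ports | ForEach-Object { Test-ManagerPort -HostName $Manager -Port $_ -TimeoutMs $TimeoutMs } |
    Format-Table -AutoSize
```

    `TimedOut` points at a device in between silently dropping the traffic, while `Refused` means the packets reached a host that has no service listening on that port; `NameNotResolved` means the client cannot turn the manager's name into an address even if ping by IP works.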