
HOW TO determine what port clients are communicating with SEPM on

Created: 20 Dec 2012 | 15 comments

Our production SEPM is running RU7 MP1.

What report will show what port clients are communicating with the SEPM on?

We are trying to troubleshoot an issue to determine which clients are communicating with SEPM on port 80, rather than the recommended port of 8014.


pete_4u2002's picture

The clients online on the SEPM will show the clients connecting on the port the SEPM is hosted on; the rest of the clients will be offline. You can run Unmanaged Detector.

.Brian's picture

There is no report in SEPM.

You would need to check via something like Wireshark.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Ashish-Sharma's picture

Hi,

You can't get any report in SEPM.

Port 8014 is used in MR3 and later builds; port 80 is used by older versions.

Port Number: 80, 8014
Port Type: TCP
Initiated By: SEP Clients
Listening Process: svchost.exe (IIS), httpd.exe (Apache)
Description: Communication between the SEP manager and SEP clients and Enforcers (8014 in MR3 and later builds, 80 in older). The 11.x product line uses IIS. The 12.x product line uses Apache.

Thanks In Advance

Ashish Sharma

RSASKA's picture

OK, if that is the case, what is the registry key value that displays the port number that the SEP client last communicated with the SEPM console on?

There are registry values, such as last SEPM communicated with, i.e.

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink

Registry Name: LastServerIP

Tell me the registry value of the port the client last communicated with SEPM on (at some point, Symantec recommended we configure settings such that the client communicates on port 80). I can create a simple script and post it for the Symantec community. :-)

Running Unmanaged Detector on SEP 11 is really user-unfriendly (you cannot copy and paste the results).

The Enemy's greatest fear is that you'll discover who you really are, what you're really worth, and where you're headed.

.Brian's picture

Check the CommunicationStatus key under

HKEY_LOCAL_MACHINE\software\symantec\symantec endpoint protection\SMC\SYLINK\SyLink

Should show [servername:port]


RSASKA's picture

Check the CommunicationStatus key under

HKEY_LOCAL_MACHINE\software\symantec\symantec endpoint protection\SMC\SYLINK\SyLink

Should show [servername:port]

Brian, I don't see it anywhere.


.Brian's picture

Do you see the CommunicationStatus key?


pete_4u2002's picture

Why not look into the sylink.xml file?

And yes, the "CommunicationStatus" shows serverip:port.

RSASKA's picture

I only see the CommunicationStatus key on test clients with SEP 12.

I cannot see CommunicationStatus key on production clients with SEP 11 RU7 MP1.

There must be some other registry key.

There are over 1000 SEP 11 RU7 clients that I must check - please help!!!!!!!


cus000's picture

Hmm... you may do a simple check via "netstat -an".

SMLatCST's picture

Unfortunately, while a netstat will show you if the SEPM is listening on port 80, it will not specifically show you which clients are trying to use port 80 unless they happen to be connected at the time the netstat is run.

While Wireshark will do the trick ("Thumbs Up" to Brian), you might have better luck just enabling logging within IIS on your SEPM (as you're using SEP11 anyway). IIS logs will show the client IP address and port used to communicate, so you can see which clients are using which port.
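An added example (not part of the original thread) of the approach SMLatCST describes: reading IIS W3C extended logs to list which client IPs reached the SEPM on which port. It assumes the `s-port` and `c-ip` fields are enabled in the log; the sample log lines, IP addresses and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format (not real log data).
# A second "#Fields:" header appears mid-file, as it can when logging restarts.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip sc-status
2012-12-20 10:00:01 10.0.0.5 POST /sample 8014 10.0.1.21 200
2012-12-20 10:00:02 10.0.0.5 POST /sample 80 10.0.1.22 200
2012-12-20 10:00:03 10.0.0.5 POST /sample 80 10.0.1.23 200
#Fields: date time c-ip s-port sc-status
2012-12-20 11:00:01 10.0.1.23 8014 200
2012-12-20 11:00:02 10.0.1.24 80 200
2012-12-20 11:00:03 truncated
"""

def clients_by_port(lines):
    """Return {server_port: set(client_ips)} from IIS W3C log lines."""
    fields = None
    seen = defaultdict(set)
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Column order is defined by the most recent #Fields directive.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # no header yet, or a truncated/malformed row
        row = dict(zip(fields, parts))
        port, ip = row.get("s-port", ""), row.get("c-ip", "")
        if port.isdigit() and ip:
            seen[int(port)].add(ip)
    return dict(seen)

def legacy_only_clients(by_port, legacy=80, preferred=8014):
    """Clients seen on the legacy port but never on the preferred port."""
    return sorted(by_port.get(legacy, set()) - by_port.get(preferred, set()))

if __name__ == "__main__":
    ports = clients_by_port(SAMPLE_LOG.splitlines())
    for ip in legacy_only_clients(ports):
        print(ip)  # clients still checking in on port 80 only
```

Clients that reach the SEPM through a proxy or NAT device appear in `c-ip` under that device's address, so a single entry may stand for several machines.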

RSASKA's picture

SMLatCST says

... you might have better luck just enabling logging within IIS on your SEPM (as you're using SEP11 anyway)...

Ah ha!!!!!!

Now my question is, how do I enable logging? I am not familiar with IIS. Can you provide links to documentation?


SMLatCST's picture

Erm, it's different for Win2k3 and 2k8 soooo:

http://support.microsoft.com/kb/324279

http://technet.microsoft.com/en-us/library/cc754631(v=ws.10).aspx

RSASKA's picture

OK SMLatCST, I will check these links.


SMLatCST's picture

Cool cool, it's worth noting that after installing the IIS logging feature in IIS7 (Win2k8) you then have to enable logging for the individual site(s) you want data for, so make sure you read through the "See Also" section of the second link.