Network Access Control

Hi,

How to push the SNAC component upgrade in the SEPM ?

I have successfully created new group in the Clients tab, and in the install packages I right click to add SNAC version 12.1.1000.157 WIN32BIT but somehow it doesn't kick off ?

hi,

Check this thread

http://www.symantec.com/connect/forums/how-add-snac-sepm-1104014mr4-mp1

Yes I have checked that I got the proper license for SNAC and activated as per the thread solution below:

"Yeah, You just have to paste the license file inside the licenses folder and restart the SEPM service. That activates the SNAC part for SEPM."

List of Scenarios on how the SNAC component behaves and how the SNAC components get enabled on the client.

http://www.symantec.com/business/support/index?page=content&id=TECH173814

Components of Symantec Endpoint Protection and Symantec Network Access Control

http://www.symantec.com/business/support/index?page=content&id=HOWTO27562

Any luck with above suggestions ?

"Thumbs Up" to Ashish's post above.

Essentially, assigning the SNAC Client package to a group on the SEPM, will allow clients that are running the SNAC client only, to upgrade to the version assigned.

If the clients are running SEP, then you need to assign a SEP Client package to the group to upgrade those clients.  A separate assignment of SNAC is not required for these endpoints as the SNAC client is included in SEP.

If the clients are running SEP, then you need to assign a SEP Client package to the group to upgrade those clients.

Yes the client has already got SEP client v 12.1 but no SNAC component deployed so far :-| ??

Do I have to enable it somewhere ?

When SEPM 12.1, becomes  SNAC manager by dropping the SNAC.xml file in \etc \license folder, Host Integrity policy cannot be assigned to a group or location right away (unlike SNAC Manager 11.x). To do this, Host Integrity template must be enabled in SEPM>Admin>Server>Local Site>Content Types to Download section. One this is enabled and after the next live update, Host Integrity policy can be applied to any group. Only then the SNAC feature will be enabled on client side.

I'm lost in this section "Content Types to Download section"

Can you showme what does that means ?

Content Types to Download section. One this is enabled and after the next live update, Host Integrity policy can be applied to any group. Only then the SNAC feature will be enabled on client side

AH yes,

"Host Integrity policy can be applied to any group. " --> that is the key !!

many thanks Ashish !

"When SEPM 12.1, becomes  SNAC manager by dropping the SNAC.xml file in \etc \license folder,"

Please don't do this.  In 12.1, if this method is used, after 30 days Live Update for the SNAC templates will not work anymore.  Use the .exe to install SNAC.

What do you mean by the EXE to install SNAC ?

is it by executing the installation from the setup.exe 

ah yes, many thanks for all of the suggestion and guidance. I have now see the fourth components appears in some of the SEP clients.

There is an installer for SNAC (setup.exe).  The SNAC media is downloadable from fileconnect.symantec.com (if you have purchased the license).  Use that to enable SNAC in the SEPM.  This method will also import the stand-alone SNAC clients (no AV, IPS, Firewall) which you can use in conjunction with 3rd party AV products.

As I mentioned before, in 12.1, if you use the old shortcut from the 11x series and just drop the SNAC.xml file in the license folder, LiveUpdate will not be enabled for the SNAC templates.  Part of the install routine for SNAC in 12.1 adds a checkbox in the LiveUpdate policy section (and checks it) for the automatic update of the SNAC templates.  This is important to have, as when a 3rd party AV solution changes (which occurs at least once a year when they release a new version of their software), we will send out an update to the SNAC templates to reflect those changes, allowing us to still check the integrity of these 3rd party solutions. 

So where is any of this documented? We upgraded from SEPM and SEP 11.xx last December. I had to jump through crazy hoops to get SNAC back in SEPM.

Then we upgraded the SEPM servers to SEPM 12.1 MP1 and SNAC again disappeared! That's poor integration, IMO - especially since it is not documented - so Im now stuck with no SNAC and unable to configure, change, whatever.

It shows the licenses, but even that contradicts itself. No one seems to know anything at all about this, and half the info out there is incorrect as shown in this thread.

Why were we not warned that this all changed? I've got weeks in this, especially since support made me trash the whole SEPM structure and recreate the database upon their mistaken conclusion the database was corrupted. I have been through more hoops and headaches, and I have posted in another thread about needing to know how to get SNAC back into the SEPM servers after upgrading from RU1 to MP1 and no one can answer.

I went from SEPM 12.1.1000.157  to SEPM  12.1.1101.401  and in the process, lost SNAC  - the only version I can find to download say something about a starter edition - that's not what we had - it used to be part of SEP.
*I find nothing in the release notes, help files, or other documents explaining why it disappears and how to get it back.*

Symantec needs to communicate better with customers - we are a government agency, ourselves, in fact the whole state, spends a lot of money - and yet I get nothing, no notices or emails, no alerts, nothing telling me of new releases, and now SNAC has totally changed, and we're not told how to get it back when it disappears. As if we are supposed to know or guess......

Maybe if I get all the other agencies who run this together and create one big letter stating all of this.........

Again - how do I get SNAC back, why is it now "starter edition", why no notices of changes, new versions, and why were we not told of the change - SNAC is now apparently, don't know for sure, no longer part of SEP?
Most of all, where is the documentation in the SEP and SNAC packages explaining why SNAC disappears, and how to get it back?

Sorry, folks who know me know I will chase this one all the way to the top of the flag pole until I get an answer that is solid.

Yes, you are right Papa !

I have noticed that after I upgraded the SEPM and SEP client to v 12.1 RU1 MP1 the SNAC component that I need to dwonload from Fileconnect is the "Starter" edition ?

How could this be possible ? I was under the impression that I no longer able to use the LAN enforcer anymore ?

That's one of the issues - these things get changed, we, the customer, don't get told why. Suddenly there's a new patch (which we find by accident as we aren't told about that, either), we go to get it - and find, "gee, our version of SNAC isn't here, but there's this starter edition instead -  that is not what we use".

One of the replies I found over the months of seeking answer was "just run setup...." no way, last time I did that on an assumption, it did a full reinstall of the SEPM and I ended up having to do a full uninstall and starting over.

This time they have changed what setup does in SNAC - but are we told? "it's in the release notes". No, that isn't where it should be. That's too important to bury. That's a critical change that should be announced up front, not page 20 of 30 pages of "notes".

We IT people, even the security, antivirus, whatever, folks wear more than one hat - me it's about 10. I don't have time to read all 1500 pages of getting started, administrators guide, installation guide and so on to find buried bits that are critical in nature. When such a big change is made, it's important to us and needs to be treated as a top item in any documentation, even announced here.
I guess my thing is that as much as I like the products, and yes, even the people, the documentation from Symantec, on the other hand, has been second class since SEP started and they moved away from SAV CE.
It's poorly organized, too large - a lot of words without saying anything. Give me facts, bullet points, place the critical stuff right up at the top "IMPORTANT: SNAC is now called the starter edition - same SNAC, different name" and "IMPORTANT: If you upgrade your SEPM or have to reinstall SEPM for any reason, you will need to run SETUP in SNAC to recover the SNAC features on your SEPM server". Those simple things, at the very top of a document would have saved me several days time.

Worse - the tech support people I've worked with this year - on 4 cases, 2 people, phone calls, emails, etc. - formal cases - they did not know any of this either! In fact, I had to train one of them on how to recover SNAC abilities if you reinstalled SEPM - after I figured it out on my own. Then along comes this release and WHAM, we start over! They changed it AGAIN! Quit doing that! Once you have an install or upgrade method for the 12.1 seriies, MAKE NO OTHER CHANGES. Save the next way you install or set it up for version 12.2 or 13.0 or something, but geesh, this constantly changing how you install and set things up - ALL in the same version is just too much. That is a major change and should come with a major update, not a patch. Making such a change in a maintenance patch, then not documenting it where we can find or see it - no wonder there is much frustration. The people there don't have to deal with this on a daily basis - I do. And it's worse when there are so many bugs and issues that I have to reinstall several times, then there's a minor version change and suddenly product names change, and install methods change.
The product is fine - it's the presentation, installation, and documentation - plus the fact that support doesn't even know what's going on...... and now this is the second time in a week I've found advice that contradicts. one says copy an xml file in, another says "no, don't do that!"
A weeks or so ago, it was the same thing - one fellow  - an advisor or employee, can't recall, says you don't want a space after a comma in a certain spot in an IPS sig, others say you don't want any spaces after commas in the sig in any place, another says that both are wrong, you DO want a space after each comma (and he went through the same thing I did with all the wrong or bad information)

(suggestion - if you don't have a fact, are not dead-certain you are right, please don't pass along iffy or bad advice. Others are lurking, watching, and will follow said bad advice, even passing it along to others later.)

Right - I'm not in a very good mood over this - I have spent months on cases that so far have solved nothing, I've wiped and reinstalled and created databases that didn't need wiped or recreated thanks to mistakes in support, I've ended up reinstalling SEPMs multiple times because no one there can keep track of SNAC or how to get it back after reinstalling SEPM (that's just plain dumb that the SEPM install doesn't see that you have SNAC and retain it, or let you know that if you own SNAC you need to run something else. The licenses are there - can't the install see the licenses and put it back???).
We've not had SNAC availble to work with because each SEPM reinstall blows it away and no one knew how to get it back. I've lost just a ton of time on these - It's just plain too complicated - and that's because of poor documentation and KB articles, and support simply not knowing the product.
And no offense, but the caliber and quality of answers in the connect forums for SEP has sort of dropped in the last year or so. it's getting harder and harder to find the correct answers - there are a lot of guesses out here, but few solid correct answers, and the numbers of people answering correctly seems to have dropped as well.
But then I did predict this several months ago - it's quantity vs. quality. The numbers are up, the quality of the answers, the correct answers, that's down.
Over the past several months, I've had more than one question in here go totally unanswered. Back when I was doing support in the 90s, that was not allowed! No question or post ever went unanswered, ever. Now you see a lot of them.