Endpoint Protection

 View Only

  • 1.  Liveupdate problem

    Posted Jun 10, 2013 04:59 AM
      |   view attached


  • 2.  RE: Liveupdate problem

    Posted Jun 10, 2013 05:00 AM

    We have SEP clients in two domain DMZ1 and DMZ2


    SEPM server and LUA server are all in DMZ1, and we use UNC path "\\150.148.106.29\Definition" for definition download.


    For SEP clients in DMZ2, we applied liveupdate policy with DMZ1 account "DMZ1\account" and password embedded. The SEP clients in DMZ2 can download definition from "\\150.148.106.29\Definition" normally.


    Now, "DMZ1\account" was expired and we changed the account to "DMZ1\account2" with related password.
    Then some((not all)) clients in DMZ2 cannot update policy.


    Check log.Lue,error says
    "* UNC: Wrong username/password, error (1219). Will try NULL credentials.
    * Could not connect to the network resource. Error (1326)
      Server selection failed for server 150.148.106.29\Definition. UNC protocol.
    * Download Error for minitri.flg. SERVER DOES NOT EXIST or some network issue."

    On the faulty SEP client , we open \\150.148.106.29\Definition by windows explorer, we can access the folder with the new account "DMZ1\account2"


    Please help.



  • 3.  RE: Liveupdate problem

    Posted Jun 10, 2013 05:28 AM

    Does DMZ1\Account2 has read write access to  \\150.148.106.29\Definition?



  • 4.  RE: Liveupdate problem

    Posted Jun 10, 2013 05:38 AM

    From the sounds of things, you have the SEPM and LUA ont eh same box, and are currently using a custom Distribution Centre in IIS as well, is that correct?

    Regarding the SEPM and LUA bit, if they are on the same box, then it's recommended that you separate them.  It goes against the LUA Best Practices to have it on the same box as any other tomcat based application, as per the below article:

    http://www.symantec.com/docs/TECH93409

    Regarding the Distribution Centre:  As it is a custom one (as evidenced by the non-default path) then you can set the permissions required for it, and accounts that can use it, as you see fit.  You can even set it to allow anonymous connections if you want, it's just an IIS permissions change.

    Incidentally, this is exactly what you'd up up with if you used the below article for confiruring a custom Distribution Centre:

    http://www.symantec.com/docs/TECH132545

    So the fact you're providing creds in the LU Policy and that the DC is requesting them (for the download), would be down to a configuration choice your company has deliberately taken (in deviating from the Symantec articles).

    To that end, if you want to investigate in more detail, then enable IIS logging for the site. and verify the SEP Clients failing authentication have picked up the latest LU policy from the SEPM (telling them to use the new creds).

    #EDIT#

    Just noticed the UNC bit.  Please confirm the failing SEP Clients have got the latest LU policy (check policy serial numbers).  Also, please advise how your share and ntfs permissions are set, and if there are any failed logon attempts in the event log of the Distribution Centre



  • 5.  RE: Liveupdate problem

    Posted Jun 10, 2013 05:57 AM

    Client is unable to update through a proxy server

    Article:TECH178540  |  Created: 2012-01-09  |  Updated: 2012-07-28  |  Article URL http://www.symantec.com/docs/TECH178540
     

     



  • 6.  RE: Liveupdate problem

    Posted Jun 11, 2013 06:43 AM

    Hi SymQNA,

    Just a question:

    SEPM server and LUA server are all in DMZ1, and we use UNC path "\\150.148.106.29\Definition" for definition download.

    Can the SEPM reach the Internet and download definitions? If so, LUA might not be needed at all in your environment. LUA 2.x is a great tool, when used and configured appropriately.  But if the SEPM can reach the internet itself, it usually does an excellent job of downloading definitions, building deltas, and getting the managed clients updated.  

    Updating the clients to the most recent release of SEP 12.1 and ensuring they all have the latest policy will likely resolve this issue.

    Please keep this thread up-to-date with your progress!

    Mick



  • 7.  RE: Liveupdate problem

    Posted Jun 18, 2013 09:43 PM

    Met similar issue, still investigating.

    Perhaps related with UNC issue, see

    http://community.landesk.com/support/thread/11587

     



  • 8.  RE: Liveupdate problem

    Posted Jun 19, 2013 12:14 AM

    HI, 

    Is SEPM can reach internet ? then no need of live update server.

    Regards

    Ajin



  • 9.  RE: Liveupdate problem

    Posted Jun 19, 2013 12:29 AM

    Hello,

    Agreed with above Mick post.

    Please check with below link.

    http://www.symantec.com/business/support/index?page=content&id=TECH178540



  • 10.  RE: Liveupdate problem

    Posted Jun 20, 2013 12:40 AM

    Hi SymQNA,

    This is a Windows UNC issue. If your client PC have ever connected Network share source on LUA server, Windows will remember the account/password which used firstly. Though LUA account info changed on SEPM, SEP client PC will still use old account to connect with LUA UNC shared folder.

    There is a workaround, to reboot SEP clients will release the connection info in Windows, which will force clients to learn new account info.