Endpoint Protection

 View Only
Expand all | Collapse all

Open port 2967 for a GUP

Migration User

Migration UserNov 27, 2013 11:01 AM

  • 1.  Open port 2967 for a GUP

    Posted Nov 27, 2013 07:42 AM

    Hi,

    I'm using Symantec Endpoint Protection v12.1 in my company. We recently add a new remote site connected to the main site through a SDSL 1Mb link.

    We encounter some problems because remote clients download their updates from the SEPM which is located in the main site, so we saturate the SDSL link.

    We set up a GUP on the remote site and we use a live update policy in order that remote clients download their updates in local from the GUP and not from the SEPM.

    The problem is that the port 2967 is closed so the GUP is unreachable for deliver the update packages.I try to set up a firewall policy to open this port but without success. The GUP remains unreachable, i have test with a telnet on port 2967.

    Does anyone can explain me how to open the 2967 port on the GUP?

    The GUP machine is under Windows 2008 and the firewall is assumed by Symantec Endpoint Protection. The Windows firewall seems desactivated and managed by Symantec Endpoint Protection.

    Thanks for your help.

    Regards



  • 2.  RE: Open port 2967 for a GUP

    Posted Nov 27, 2013 07:53 AM

    If the SEP firewall is disabled and you have no other hardware firewall in place than the port should be open by default.

    Do you have any other type of firewall in place?



  • 3.  RE: Open port 2967 for a GUP

    Posted Nov 27, 2013 08:01 AM

    Hi,

    First of all check your GUP Server policy which you define on Live update. because when your policy has been correct, from the server 2967 port has been released request for the GUP server port 2967.

    After that can see in GUP servers System log for GUP policy enable or not.

     

     

     



  • 4.  RE: Open port 2967 for a GUP

    Posted Nov 27, 2013 08:13 AM

    Does GUP policy assgin particular GUP machine ?

    Below is an example of a system registry after the GUP is activated:

    • [HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate]
      "Description"="Created automatically during product installation."
      "Enabled3rdPartyManagement"=dword:00000000
      "MasterClientHost"="192.168.2.4"
      "MasterClientPort"="2967"
      "UseLiveUpdateServer"=dword:00000000
      "UseManagementServer"=dword:00000001
      "UseMasterClient"=dword:00000001
      "HttpEncrypt"=dword:00000001
      "HttpProxyMode"=dword:00000000
      "HttpProxyRequireAuthentication"=dword:00000000
      "FtpEncrypt"=dword:00000001
      "FtpProxyMode"=dword:00000000
      "FtpProxyRequireAuthentication"=dword:00000000
      "AllowLocalScheduleChange"=dword:00000000
      "AllowManualLiveUpdate"=dword:00000000
      "EnableProductUpdates"=dword:00000000
      "LastLuProductInventoryHash"=hex:72,59,31,36,a8,3f,47,02,70,5f,bd,52,29,d0,25,\49
      "LastGoodSession"=hex:68,13,c8,94,d1,8b,c8,01

    Troubleshooting the Group Update Provider (GUP) in Symantec Endpoint Protection (SEP)

     

    Article:TECH104539  |  Created: 2008-01-01  |  Updated: 2011-09-15  |  Article URL

    Test SEP to GUP and GUP to SEPM communication

     

    Article:TECH153328  |  Created: 2011-02-14  |  Updated: 2011-08-16  |  Article URL http://www.symantec.com/docs/TECH153328

     



  • 5.  RE: Open port 2967 for a GUP

    Broadcom Employee
    Posted Nov 27, 2013 08:16 AM

    Hi,

    Thank you for posting in Symantec community.

    Make sure in the liveupdate policy you have configured GUP to use 2967 port.

    2967 is the default port and you can change it via liveupdate policy.

    If SEP client is installed with Network Threat Protection (NTP) then it will make necessary exception automatically.

    Make sure UAC is disabled on Windows 2008 Server.

    Check the communication with the help of following article & share the result.

    Test SEP to GUP and GUP to SEPM communication

    http://www.symantec.com/docs/TECH153328



  • 6.  RE: Open port 2967 for a GUP

    Posted Nov 27, 2013 10:57 AM

    Hi,

    Thanks for yours replies,

    You can find in attachment a screenshot of the live update policy, the GUP configuration, the registry of a GUP client and the NTP log of the GUP which show all reject for GUP clients.

    GUP Ip adress: 192.168.2.250

    Gup clients range: 192.168.2.xx / 24

    I have tested :

    SEP to GUP: failed, connexion failed like with telnet

    GUP to SEPM: ok

    SEP to SEPM: ok

    The port 2967 remains closed...



  • 7.  RE: Open port 2967 for a GUP

    Posted Nov 27, 2013 11:01 AM

    Hi,

    Sep Client and GUP are same Group ?



  • 8.  RE: Open port 2967 for a GUP

    Posted Nov 27, 2013 11:04 AM

    I've not seen this happen before, however, you can add a rule in the SEP firewall to allow access over 2967



  • 9.  RE: Open port 2967 for a GUP

    Broadcom Employee
    Posted Nov 27, 2013 12:05 PM

    Hi,

    Which features are installed on SEP client machine?

    What's the operating sytem details where SEP client is installed?

    Is there any third party software installed in the network?

    Change the default port 2967 to any other customer port which is not in use. Test the connectivity again after changing default port.



  • 10.  RE: Open port 2967 for a GUP

    Posted Nov 27, 2013 01:03 PM

    Your fourth image seems to indicate that a SEP firewall rule is blocking the traffic to the GUP. Please check the name of the rule. You can see it by pulling the slider of the traffic log's window to the right.

    Additionally, please check the SEPM settings for the SEP client hosting the GUP if it is in Server Control, Mixed Control or Client Control mode:

    serverMode.jpg

    If it is in Client Control mode, the FW can only be changed at the SEP client itself. In Mixed Mode, the SEPM and client FW rules are mixed, depending on the infamous blue line in the SEPM FW rule table.

    Only in Server Control the SEPM FW rules have exclusive responsibility.

    So if you are not in Server Control, it's possible that a local client FW rule is blocking port 2967 that you cannot change via SEPM console.



  • 11.  RE: Open port 2967 for a GUP

    Posted Nov 27, 2013 01:52 PM
      |   view attached

    Hi,

    @ Chetan

    On the GUP, i have: virus & spyware protection, threat proactive protection and network threat protection

    On the SEP, it's the same thing.

    My SEP machines are Windows 2012 64 bits, Windows Vista Pro 32 bits, Windows 7 Pro 64bits.

    No other third party software.

    I have tried to change the port but it have'nt solve the problem.

    @James 007

    No GUP and SEP client are in two differents group so i can use 2 two live update policies.

    @Greg12

    The rule which block the traffic is "Block and log any other ip traffic".

    The GUP is in "Server control"

     

    I don't understand because i have only one firewall rule in the SEPM. This rule has been created by the installation and isn't used on any clients, cf screenshot.



  • 12.  RE: Open port 2967 for a GUP

    Posted Nov 27, 2013 08:00 PM

    Hi julien74,

    For testing purpose try to move one or two Sep client particular GUP group and check status.



  • 13.  RE: Open port 2967 for a GUP

    Posted Nov 27, 2013 08:15 PM

    Create a rule to allow 2967 and see what happens



  • 14.  RE: Open port 2967 for a GUP

    Posted Nov 28, 2013 02:15 AM
      |   view attached

    Hi,

    I have created a rule which allow every port on the GUP, no success.

    I can't put GUP and SEP client in the same group because they will have the same live update policy. So the SEP will not download updates from the GUP.

    I have tried to disable Symantec Endpoint Protection on the GUP, even with this, it remains unreachable.

    In attachment, a screenshot of the Windows firewall of the GUP.

    The firewall seems to be manage by Symantec but i haven't any policy activate in Symantec.



  • 15.  RE: Open port 2967 for a GUP

    Posted Nov 28, 2013 02:22 AM

    Hi,

    I can't put GUP and SEP client in the same group because they will have the same live update policy. So the SEP will not download updates from the GUP.

    If you move SEP client from GUP Group SEP client still update From GUP client not SEP server.

     



  • 16.  RE: Open port 2967 for a GUP

    Posted Nov 28, 2013 02:37 AM

    The GUP Group update from SEPM, the SEP Group update from the GUP.

    If i move a SEP client in the GUP group, it will take the live update policy of the GUP group no?



  • 17.  RE: Open port 2967 for a GUP

    Posted Nov 28, 2013 02:46 AM

    Yes But you have mention Gup server IP so all client will update only GUP Client .

    You can move one sep client and check are you able to telnet and check registry key in as per my previous comments



  • 18.  RE: Open port 2967 for a GUP

    Posted Nov 28, 2013 02:49 AM

    Once if sep client are update for GUP you can confirm to below articles

    How to confirm if SEP Clients are receiving Live Update content from Group Update Providers (GUPs)

    http://www.symantec.com/docs/TECH97190



  • 19.  RE: Open port 2967 for a GUP

    Posted Nov 28, 2013 03:45 AM

    I move a SEP client in the GUP group, no success.

    The GUP remains unreachable via telnet or http://192.168.2.250:2967/content/contentinfo.txt

     



  • 20.  RE: Open port 2967 for a GUP

    Posted Nov 28, 2013 03:49 AM

     

    We have perform all troubleshooting steps.I suggest you can open support ticket for same.



  • 21.  RE: Open port 2967 for a GUP

    Broadcom Employee
    Posted Nov 28, 2013 03:53 AM

    Hi,

    As you said policy is not assigned to any group because location count is '0'.

    Right click on the policy and assign it to the group where GUP is listed. Location count should change now.