
Open port 2967 for a GUP

Created: 27 Nov 2013 | 20 comments

Hi,

I'm using Symantec Endpoint Protection v12.1 in my company. We recently added a new remote site connected to the main site through an SDSL 1Mb link.

We encounter some problems because remote clients download their updates from the SEPM which is located in the main site, so we saturate the SDSL link.

We set up a GUP on the remote site and we use a live update policy so that remote clients download their updates locally from the GUP and not from the SEPM.

The problem is that port 2967 is closed, so the GUP is unreachable to deliver the update packages. I tried to set up a firewall policy to open this port, but without success. The GUP remains unreachable; I have tested with telnet on port 2967.

Can anyone explain to me how to open port 2967 on the GUP?

The GUP machine runs Windows 2008 and the firewall is handled by Symantec Endpoint Protection. The Windows firewall seems deactivated and managed by Symantec Endpoint Protection.

Thanks for your help.

Regards


Brɨan's picture

If the SEP firewall is disabled and you have no other hardware firewall in place, then the port should be open by default.

Do you have any other type of firewall in place?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Amit Suthar's picture

Hi,

First of all, check your GUP Server policy which you define on Live update, because when your policy has been correct, from the server 2967 port has been released request for the GUP server port 2967.

After that, you can see in the GUP server's System log whether the GUP policy is enabled or not.

James007's picture

Is the GUP policy assigned to a particular GUP machine?

Below is an example of a system registry after the GUP is activated:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate]
    "Description"="Created automatically during product installation."
    "Enabled3rdPartyManagement"=dword:00000000
    "MasterClientHost"="192.168.2.4"
    "MasterClientPort"="2967"
    "UseLiveUpdateServer"=dword:00000000
    "UseManagementServer"=dword:00000001
    "UseMasterClient"=dword:00000001
    "HttpEncrypt"=dword:00000001
    "HttpProxyMode"=dword:00000000
    "HttpProxyRequireAuthentication"=dword:00000000
    "FtpEncrypt"=dword:00000001
    "FtpProxyMode"=dword:00000000
    "FtpProxyRequireAuthentication"=dword:00000000
    "AllowLocalScheduleChange"=dword:00000000
    "AllowManualLiveUpdate"=dword:00000000
    "EnableProductUpdates"=dword:00000000
    "LastLuProductInventoryHash"=hex:72,59,31,36,a8,3f,47,02,70,5f,bd,52,29,d0,25,\49
    "LastGoodSession"=hex:68,13,c8,94,d1,8b,c8,01

Troubleshooting the Group Update Provider (GUP) in Symantec Endpoint Protection (SEP)

Article:TECH104539  |  Created: 2008-01-01  |  Updated: 2011-09-15  |  Article URL

Test SEP to GUP and GUP to SEPM communication

Article:TECH153328  |  Created: 2011-02-14  |  Updated: 2011-08-16  |  Article URL http://www.symantec.com/docs/TECH153328

Chetan Savade's picture

Hi,

Thank you for posting in Symantec community.

Make sure that in the LiveUpdate policy you have configured the GUP to use port 2967.

2967 is the default port and you can change it via the LiveUpdate policy.

If the SEP client is installed with Network Threat Protection (NTP), then it will make the necessary exception automatically.

Make sure UAC is disabled on Windows 2008 Server.

Check the communication with the help of the following article and share the result.

Test SEP to GUP and GUP to SEPM communication

http://www.symantec.com/docs/TECH153328

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

julien74's picture

Hi,

Thanks for your replies,

In the attachment you can find a screenshot of the live update policy, the GUP configuration, the registry of a GUP client and the NTP log of the GUP, which shows all rejects for GUP clients.

GUP IP address: 192.168.2.250

GUP clients range: 192.168.2.xx / 24

I have tested:

SEP to GUP: failed, connection failed like with telnet

GUP to SEPM: ok

SEP to SEPM: ok

The port 2967 remains closed...

GUP.PNG Live update policy.PNG registry on GUP client.PNG log GUP.PNG
Brɨan's picture

I've not seen this happen before; however, you can add a rule in the SEP firewall to allow access over 2967.

Chetan Savade's picture

Hi,

Which features are installed on the SEP client machine?

What are the operating system details where the SEP client is installed?

Is there any third party software installed in the network?

Change the default port 2967 to any other custom port which is not in use. Test the connectivity again after changing the default port.

James007's picture

Hi,

Are the SEP client and GUP in the same group?

greg12's picture

Your fourth image seems to indicate that a SEP firewall rule is blocking the traffic to the GUP. Please check the name of the rule. You can see it by pulling the slider of the traffic log's window to the right.

Additionally, please check the SEPM settings for the SEP client hosting the GUP if it is in Server Control, Mixed Control or Client Control mode:

serverMode.jpg

If it is in Client Control mode, the FW can only be changed at the SEP client itself. In Mixed Mode, the SEPM and client FW rules are mixed, depending on the infamous blue line in the SEPM FW rule table.

Only in Server Control the SEPM FW rules have exclusive responsibility.

So if you are not in Server Control, it's possible that a local client FW rule is blocking port 2967 that you cannot change via SEPM console.

julien74's picture

Hi,

@ Chetan

On the GUP, I have: virus & spyware protection, threat proactive protection and network threat protection

On the SEP, it's the same thing.

My SEP machines are Windows 2012 64 bits, Windows Vista Pro 32 bits, Windows 7 Pro 64 bits.

No other third party software.

I have tried to change the port but it hasn't solved the problem.

@James 007

No, the GUP and SEP clients are in two different groups so I can use two live update policies.

@Greg12

The rule which blocks the traffic is "Block and log any other ip traffic".

The GUP is in "Server control"

I don't understand because I have only one firewall rule in the SEPM. This rule has been created by the installation and isn't used on any clients, cf. screenshot.

parefeu.PNG
Brɨan's picture

Create a rule to allow 2967 and see what happens


Chetan Savade's picture

Hi,

As you said policy is not assigned to any group because location count is '0'.

Right click on the policy and assign it to the group where GUP is listed. Location count should change now.


James007's picture

Hi julien74,

For testing purposes, try to move one or two SEP clients to the particular GUP group and check the status.

julien74's picture

Hi,

I have created a rule which allows every port on the GUP, no success.

I can't put GUP and SEP client in the same group because they will have the same live update policy. So the SEP will not download updates from the GUP.

I have tried to disable Symantec Endpoint Protection on the GUP, even with this, it remains unreachable.

In attachment, a screenshot of the Windows firewall of the GUP.

The firewall seems to be managed by Symantec but I don't have any policy activated in Symantec.

windows firewall.PNG
James007's picture

Hi,

I can't put GUP and SEP client in the same group because they will have the same live update policy. So the SEP will not download updates from the GUP.

If you move a SEP client from the GUP group, the SEP client still updates from the GUP client, not the SEP server.

julien74's picture

The GUP group updates from the SEPM, the SEP group updates from the GUP.

If I move a SEP client into the GUP group, it will take the live update policy of the GUP group, no?

James007's picture

Yes, but you have mentioned the GUP server IP, so all clients will update only from the GUP client.

You can move one SEP client and check whether you are able to telnet, and check the registry key as per my previous comments.

julien74's picture

I moved a SEP client into the GUP group, no success.

The GUP remains unreachable via telnet or http://192.168.2.250:2967/content/contentinfo.txt

James007's picture

Once the SEP clients are updating from the GUP, you can confirm with the article below:

How to confirm if SEP Clients are receiving Live Update content from Group Update Providers (GUPs)

http://www.symantec.com/docs/TECH97190

James007's picture

We have performed all troubleshooting steps. I suggest you open a support ticket for the same.
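
Added example, not part of the thread and not Symantec's own tooling: a PowerShell check that covers the three things the posts above test by hand (the client's LiveUpdate registry values, the TCP connection to the GUP, and whether anything is listening on the GUP itself). The function names are made up for this example; the registry path, value names and port 2967 are taken from the registry sample posted above, and the path is assumed to be the same on the machine where the script runs.

```powershell
# Added example (not from the thread). Uses only .NET classes, so it runs on PowerShell 2.0+.
# Key path and default port are taken from the registry sample posted in the thread.
$LuKey = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate'

function Get-GupSetting {
    # On a SEP client: does the applied LiveUpdate policy point this client at a GUP?
    param([string]$Key = $LuKey)
    if (-not (Test-Path $Key)) { return $null }
    $p = Get-ItemProperty -Path $Key
    New-Object PSObject -Property @{
        UseMasterClient = $p.UseMasterClient
        GupHost         = $p.MasterClientHost
        GupPort         = $p.MasterClientPort
    }
}

function Test-GupPort {
    # On a SEP client: report how the connection fails, not only that it fails.
    param([string]$Address, [int]$Port = 2967, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'Timeout'    # no reply at all: packets are being dropped
        }
        $client.EndConnect($pending)
        return 'Open'
    } catch {
        $base = $_.Exception.GetBaseException()
        if ($base -is [System.Net.Sockets.SocketException] -and
            $base.SocketErrorCode -eq [System.Net.Sockets.SocketError]::ConnectionRefused) {
            return 'Refused'    # host replied with a reset: usually no listener on the port
        }
        return 'Error: ' + $base.Message
    } finally {
        $client.Close()
    }
}

function Test-LocalListener {
    # On the GUP itself: is any process listening on the port?
    param([int]$Port = 2967)
    $ip = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    @($ip.GetActiveTcpListeners() | Where-Object { $_.Port -eq $Port }).Count -gt 0
}

$cfg = Get-GupSetting
if ($cfg -and $cfg.UseMasterClient -eq 1) {
    '{0}:{1} -> {2}' -f $cfg.GupHost, $cfg.GupPort, (Test-GupPort $cfg.GupHost ([int]$cfg.GupPort))
}
'Local listener on 2967: {0}' -f (Test-LocalListener 2967)
```

A `Refused` result from a client together with no local listener on the GUP usually means the GUP role is not running, which no firewall rule will fix. A `Timeout` while the GUP reports a listener points at filtering on the host or on the path.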