Endpoint Protection

  • 1.  Re-design/Re-implementation of Symantec Endpoint Security

    Posted Sep 22, 2010 05:36 PM

    A little background first:

    Starting at a company and they currently use Symantec Endpoint Protection Manager within Microsoft System Center. They recently overhauled the network and switched to a different IP scheme. There are roughly 100 machines that need protection and nearly 30 servers.

    Issue: For some reason, this network change (or something else) has caused nearly 80% of the clients to disappear from within the MSSC Console. I see clients from both IP schemes in the panes... and some are duplicated as well. If I go into the SEP Manager Console and navigate to the Clients button, not only do I see more machines, I see several more groups. Having said that, there are still many machines that are showing up when I search for unmanaged clients as well (both Unmanaged and Unknown). When I deploy the software to one of the machines (mine), it tells me that the deployment was successful, but the machine never gets added to the group, nor is the software showing up on my machine. However, if I deploy the software from the Remote Client Install portion of the System Center Console, the machine will show up in that group, and the software gets installed. It's quite confusing to me.

    So, here is what I'd like to do. Overhaul and reconfigure everything (properly) so that all the clients are showing up in their correct groups on both Consoles. Short of redeploying and rebuilding the entire environment, is there a tip or suggestion that can be had to possibly figure out where the (literal) disconnect is? I'd like to avoid tearing everything down if I can, but will do what I need to do to make it right.



  • 2.  RE: Re-design/Re-implementation of Symantec Endpoint Security

    Posted Sep 22, 2010 05:52 PM

    Make sure communication mode is push mode

     

    1. Click on the "Clients" tab.
    2. Click on the name of the group.
    3. Click on the "Policies" tab.
    4. Under "Location-independent Policies and Settings" click on "communication settings".
    5. Under "Download" check "Push Mode"

    Then delete all the clients from the SEPM console. They will automatically re-register themselves at the next heartbeat, and the duplicates will be gone.



  • 3.  RE: Re-design/Re-implementation of Symantec Endpoint Security

    Posted Sep 22, 2010 05:55 PM

    So this is a mixed environment of SEP and SAV?

    SEP: Did the SEPM server also change IP numbers?  This could be cause for confusion for the clients, as they would be looking for the IP configured in the sylink file.

    SAV: Troubleshooting communication problems with Symantec Client Security 3.x or Symantec AntiVirus Corporate Edition 10.x

    http://www.symantec.com/docs/TECH101171

    sandra



  • 4.  RE: Re-design/Re-implementation of Symantec Endpoint Security

    Posted Sep 22, 2010 06:18 PM

    Hi Vikram,

    Thank you for the comment. It appears that they're already set for push mode. Also, the clients are duplicating on the System Center Console (with the Symantec Snap-In), not the SEPM Console. The SEPM Console isn't updating after I manually push a deployment to a client, but the System Center Console is to the very same machine if I manually push through there. Am I making sense?



  • 5.  RE: Re-design/Re-implementation of Symantec Endpoint Security

    Posted Sep 22, 2010 06:30 PM

    Hi Sandra,

    I'm going over the communications document you linked. It pretty much sums up the problems over here. I'll report back after getting through it all. Thank you.



  • 6.  RE: Re-design/Re-implementation of Symantec Endpoint Security

    Posted Sep 23, 2010 03:04 AM

    Are you in the process of migrating from SAV to SEP11?



  • 7.  RE: Re-design/Re-implementation of Symantec Endpoint Security

    Posted Sep 23, 2010 10:20 AM

    You're welcome!

    sandra



  • 8.  RE: Re-design/Re-implementation of Symantec Endpoint Security

    Posted Sep 23, 2010 01:48 PM

    Ok. Update. I'm not seeing the 2967 port open on the server, BUT, these facts are true. . .

    1. I can ping the server from any machine.

    2. The server can ping some machines, but not all. Testing on two machines that are identical, one can be reached (co-worker), the other can't (mine). The server is on a different IP scheme and gateway than both machines.

    3. I manually installed the latest client on to my machine. It shows up in the SEPM Console now but, depending on which Console you look at, it's in two different groups.

    Also, Sandra, to answer your question regarding a mixed environment, I'd have to get more information. Visually, it would appear that way. I'm not sure if that's the way it is being operated however. I get the impression that the ideal would be one environment that is used and managed. A question for you (or the group) too: Having both the SEPM and the Symantec System Center doesn't mean you can't use one or the other for the environment does it? That is, if I'm having an issue with one, can I switch to the other without losing anything? Or are the two mutually exclusive?



  • 9.  RE: Re-design/Re-implementation of Symantec Endpoint Security

    Posted Sep 23, 2010 03:21 PM

    SEP and SAV are mutually exclusive. SEP clients can't appear in the System Center (SSC), and SAV clients can't appear in the SEPM. You can have both up and running in parallel in the same environment--in fact, the SEPM can be installed on the same server that's running the primary SAV server--but they are completely independent of one another and must be separately administered. SAV clients will appear as 'unmanaged' when searched for in the SEPM via 'Find Unmanaged Computers'.

    If you've just installed SEP on your machine, and it shows up in the SEPM, what you're seeing in the SSC is probably old data.  SSC is not a real-time display, and clients purge themselves if they have not checked in for (I think) 30 days.

    Where TCP port 2967 is critical for SAV 10.x communications, it is only used in SEP for communication with a Group Update Provider (web caching proxy for content to minimize traffic over a WAN).

    Some policies can be migrated when going from SAV to SEP (see the SEP Installation Guide PDF in the Documentation folder included with the download), but typically I recommend building policies in the SEPM from the ground up.  Since SAV is end-of-lifed (no longer being sold, but is still being supported), and SEP provides additional protections beyond antivirus alone, you'll want to migrate to SEP.

    sandra