SEP 11 almost useless... going to return today unless I get this figured out... Help!! :)

  • 1.  SEP 11 almost useless... going to return today unless I get this figured out... Help!! :)

    Posted Jun 23, 2010 05:14 PM
    Server: Windows Server 2008, all updates. That is also our Active Dir server...

    I can see other PCs on the network to add to the client manager... I can select them for the remote install... console accepts the username and password, files copy over. Then it all fails, on more than one machine. Uninstalled and reinstalled the entire program from the server, removed and recreated all packages with several options.. Silent, Attended, etc. The ONLY thing that partially worked was the Attended one... and that only worked when I killed and restarted the setup.exe file that was running on the target PC... and doing nothing. However, after that the install can't find a file...

    Machine 1, Win7 Pro 64 - App NEVER installs. Vpremote just hangs. Reboot, repeat. There is almost always a file set to rename in the reg that I need to kill to get the install to start.. rebooting doesn't help. Tried installing the packages locally (copied from server) no luck there either. ALL AV apps have been removed, firewall off... full admin on the machine. Installing from the CD works just fine, but in this version it's a pain in the *** to go from unmanaged to managed...

    Removed and re-added the install packages... tried to overwrite the unmanaged client... FAIL. I never get an error message and according to the console, the app installed just fine on the PC yet it's still unmanaged.

    Machine 2, Win7 Pro 64 - Package installs, will not update from server, does not add the client to the server.. and yes, that box is checked to auto-add it to the group. All the other options in the client are set to what I wanted them to be. This PC is NOT listed under clients and will not get def updates. It IS managed.

    The ONLY time this worked 100% is when I used the console to install the client on itself. Using the exact same packages, on PCs on the same domain, logged and out, it simply doesn't work. An error message on the server side would have been helpful.. same with a process that makes sure the install works BEFORE saying it's installed.

    I've been out of IT for a few years, but have plenty of experience with previous Symantec software, managing over 200 PCs and a few Windows servers at my last IT job. I've NEVER seen/experienced anything like this before. Unfortunately, the powers that be are asking me to now look into other products as this has been a huge pain for days. :(

    Any and all help is appreciated!


  • 2.  RE: SEP 11 almost useless... going to return today unless I get this figured out... Help!! :)

    Posted Jun 23, 2010 05:16 PM
    What is the version of Symantec you are using as of now?
    11.0.??????


  • 3.  RE: SEP 11 almost useless... going to return today unless I get this figured out... Help!! :)

    Posted Jun 23, 2010 05:31 PM

    Is Windows Firewall turned on for your Windows 2008 server?  If so, add an exception for port 8014 TCP.  You are blocking the client's ability to report back installation status.  Clients can't request policies, etc., unless you allow port 8014 on your Windows Server.

    Does this help?



  • 4.  RE: SEP 11 almost useless... going to return today unless I get this figured out... Help!! :)

    Posted Jun 23, 2010 07:16 PM

    Unmanaged to Managed is VERY simple...

    Export Communication File from the SEPM
     - Right-click a group (Clients Tab) > Export Communication Settings > Browse > Export

    Import Communication File to the Client
     - Double-click Shield Icon (system tray) > Help & Support > Troubleshooting > Import Communication Settings > Select the exported sylink.xml


    As for pushing/installing the client, it's true that there have been some issues with pushing to Win7 and 2008 R2 computers. This is more of a Windows issue than a SEP issue.
    Many times you have to install LiveUpdate before running the client install.
     - To do this, simply run LUSETUP.exe (which can be found in a number of folders on the CD).



  • 5.  RE: SEP 11 almost useless... going to return today unless I get this figured out... Help!! :)

    Posted Jun 24, 2010 08:26 AM


  • 6.  RE: SEP 11 almost useless... going to return today unless I get this figured out... Help!! :)

    Posted Jun 24, 2010 10:31 AM

    Hello

    I understand your frustration with SEP and SEPM.  I struggled with this product for the first few months and really considered canning it for something else.

    I had all kinds of issues with servers not reporting in to SEPM, and problems deploying installs to clients.
    It wasn't clear what was going on, so I called Symantec as a last resort to fix the problems.

    My problem was that I had installed SEPM over a remote desktop connection.  I was told by support this is not supported and causes problems.

    So the solution was to uninstall SEPM, reboot the server, re-connect at console or using something simulating a console connection (VNC, Dameware, etc) and re-install the manager.

    Once I had done this, I was able to use the SylinkDrop tool that support can provide to move the clients to the new manager.

    Hope this helps!



  • 7.  RE: SEP 11 almost useless... going to return today unless I get this figured out... Help!! :)

    Posted Jun 24, 2010 12:41 PM
    I am having the same problem with SEPM and its clients. There has been no communications between client & server for 6 months. The only reason SEP is still in house is because the clients have been set to use LiveUpdate. But all clients show the SEPM server as Offline. This is the 2nd SEPM server I have created. Originally I had installed SEPM 11.05 on a Windows 2008 virtual machine. I tried everything and Symantec support tried everything but nothing worked. I ran Sylink Monitor and the SEP Support Tool. I made registry patches. I upgraded to SEPM 11.06. I manually pushed the install packages to the existing clients. I redownloaded the package from Symantec. NOTHING worked.

    So this week I built a PHYSICAL Win 2008 Server and installed a clean copy of SEPM. I migrated my database over and set the new server to Priority1. All clients show up and none are communicating with the new server. I even pushed the client from the new server to 3 new systems and even they aren't communicating. I have shut off the firewall on the new server - no change. I have added exceptions for ports 9090, 8014 & 8443 - no change. I have deleted the clients and tried to force a policy update to re-establish communication - NO CHANGE plus now I show no clients at all. I can see the server using http://servername:9090 so IIS is working properly but that plus the SEPM console are the only things that appear to work. The client software works in managed mode only you cannot manage them.  As far as I can tell, this product simply does not work. I cannot call support again because it was their idea to move to a physical server which I did and I don't have another 3 weeks to devote to troubleshooting their product. I am about to move my company to Trend Micro as I have used it before and never encountered anything this bad. I am really angry at Symantec because I was the one who chose them over McAfee & Trend. I should have looked at these forums first before I committed myself to this fool's errand.


  • 8.  RE: SEP 11 almost useless... going to return today unless I get this figured out... Help!! :)

    Posted Jun 24, 2010 02:27 PM
    You should start a new thread if you need help.  Sounds like antivirus was ignored if clients didn't communicate for six months before being caught.  This usually means no-one is responsible for antivirus and no-one has learned it.  Long story short, Trend Micro will be better because it's a fresh start.  But you just as easily could do a fresh start of SEP11 and it will be better because you've put in the effort on knowing what you're doing.  Though it's possible both will be equally horrible if you haven't identified the cause of the current problem in your environment.

    I work in some restrictive environments, and I was able to set up SEP11 in under 10 hours for an entire company.  That includes finishing tests and pilot, does not include deploying to 100% production.  There aren't a whole lot of requirements for client communication.


  • 9.  RE: SEP 11 almost useless... going to return today unless I get this figured out... Help!! :)

    Posted Jun 24, 2010 03:24 PM
    I think my situation is beyond help. I've tried Symantec Support and after 3 weeks, all they could suggest was to try SEPM on a physical rather than a virtual server. Well, I've done just that and nothing changed. So, I decided to start from scratch. Everywhere. I uninstalled all clients. I ran CleanWipe on said clients. I wiped away everything on the server, rebooted and started over. I exported new clients and manually deployed them to my desktops. They all show the new version but still report the server The end result: out of over 50 computers, exactly ONE client is now reporting to the SEPM and it's a Server 2008 x64 test server. The other 2008 & 2003 servers aren't communicating at all and neither are any of my Windows 7 or Vista Business client machines.

    The problem has to be with the product. I have full connectivity between client and server. I'm not running on a segmented network. My systems aren't locked down. I can access the web portal for SEPM from any system in the place. I have turned off all firewalls on client systems save for Symantec's. There's really nothing left to try. I'll run the SEPM Support tool and Sylink Monitor to give Symantec some more data but this is just like the last time when they confirmed that everything was set up properly and communications were set up right and nothing worked.


  • 10.  RE: SEP 11 almost useless... going to return today unless I get this figured out... Help!! :)

    Posted Jun 24, 2010 03:36 PM
    Sounds like you imaged all your computers with SEP11 and they all have the same identifier.  Your one client that works, does it have the green circle on the SEP icon?  And for the 49 that don't, do they have the green circle on the SEP icon?

    Have you seen this article?  This is very helpful in troubleshooting client connections.  I've referred to it on a few occasions:
    Troubleshooting client communication in Symantec Endpoint Protection - Flowchart
    https://www-secure.symantec.com/connect/articles/troubleshooting-client-communication

    "Configuring Symantec Endpoint Protection client for deployment as part of a drive image"
    From the article: One symptom of a misconfigured drive image for a SEP client running RU5 is that for all the clients the image is rolled out to, you only see one record in the Symantec Endpoint Protection Manager (SEPM) that is constantly changing what computer name, or user
    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/d84071c5137d6d318825738a00663b8d?OpenDocument



  • 11.  RE: SEP 11 almost useless... going to return today unless I get this figured out... Help!! :)

    Posted Jun 24, 2010 05:00 PM
    Try this from your clients...

    http://server:8014/secars/secars.dll?hello,secars

    Success is indicated by an "OK"
    Otherwise, troubleshoot the HTTP errors accordingly


  • 12.  RE: SEP 11 almost useless... going to return today unless I get this figured out... Help!! :)

    Posted Jun 24, 2010 05:14 PM
    "They all show the new version but still report the server The end result:"

    Still report the server offline?

    I would suggest requesting your technician send you the credentials to obtain TestSec, which is a rights and permissions assessment tool.  I have talked to many people using the operating systems mentioned above who do not experience the kinds of issues you're describing.

    Just a suggestion... hope it helps.

    sandra


  • 13.  RE: SEP 11 almost useless... going to return today unless I get this figured out... Help!! :)

    Posted Jun 24, 2010 09:30 PM
    Funny how some people can't get it working and others have it running on hundreds of thousands of systems on every different operating system and configuration.

    Sure the issue is with the product...haha!!

    If you have an issue then engage support and start working with them (even though they are slow)
    Post a forum post with your SEP_inst.log and your sylinkmonitor logs

    Although, I am happy to concede there are definitely sometimes issues with SEP that are only resolved in the next release


  • 14.  RE: SEP 11 almost useless... going to return today unless I get this figured out... Help!! :)

    Posted Jun 25, 2010 10:05 AM
    Hey, I have 5 11.6a SEPM servers all running on windows 2008 R2 VMWare virtual.

    Couple of things I have noticed.

    For the SEPM server

    1: Make sure UAC is turned off
    2: Make sure IE ESC is turned off (Internet Explorer Enhanced Security)
    3: Your firewall may say it is turned off, but the service more than likely is still running, it likes to lie. Disable service and stop.

    Number 3 goes for workstations as well, I have found that we use GPO to turn it off, but 9 times out of 10 it does not work and I have to disable and turn it off manually.

    Thanks
    Dan


  • 15.  RE: SEP 11 almost useless... going to return today unless I get this figured out... Help!! :)

    Posted Jun 25, 2010 11:50 AM

    Do you have a support Case ID# ?  Can you provide this information so we can see the latest status?

    Eric


  • 16.  RE: SEP 11 almost useless... going to return today unless I get this figured out... Help!! :)

    Posted Jun 25, 2010 05:56 PM
    My case ID 412-180-684 was closed but I'll reopen it. All clients still show the server as offline. Curious thing, the http://server:8014/secars/secars.dll?hello,secars test fails everywhere. Also to respond to an earlier question: No, these systems are not imaged alike. They were essentially built from the ground up (long story). All of our systems are Windows 7 with a few Vista Business units. Our servers are Server 2008 R2 x32 & x64. 

    And to answer Zero: Everything was working until January when after a Windows Update, the clients stopped communicating. I'm a small IT shop so since the clients were set to use LiveUpdate, I thought OK. I figured that it was an issue with SEPM & Windows 7 and I hoped that an update to SEP would correct this issue. Well, the 11.06A update did not and so I'm back to square one. It took me 3 weeks to find the time to bring up a new 2008 R2 box which is where the SEPM is now running instead of from the Xenserver VM of a 2008 Server. I have tried a migration and when that didn't work, I ran CleanWipe and performed a fresh install. Suffice to say, I was greatly miffed when that did not work.

    I believe I'll try Crush2090's suggestion. I, too am using GPO to shutdown the Windoze FW because I want to use the SEP FW. Thanks one and all for these suggestions. They are much appreciated.


  • 17.  RE: SEP 11 almost useless... going to return today unless I get this figured out... Help!! :)

    Posted Jun 25, 2010 06:40 PM

    You'll want to open a new case linked to this one if it's been greater than 10 days since the case was closed.

    What is the HTTP error code that comes back with the "hello,secars" test?  IIS logs may provide additional info.

    As I understand it, Windows Server 2008 R2's firewall is on by default.  Something to check...

    The Windows firewall should automatically shutdown when SEP (with NTP) is installed; in the case of Windows 7, SEP takes over firewall management.

    Title: 'Advanced Settings for Windows 7 Firewall indicate that it is on, even when Symantec Endpoint Protection (SEP) 11.0 Network Threat Protection (NTP) is installed.'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010030706451148

    sandra
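
Added example, not part of any post in this thread: a PowerShell function that runs the "hello,secars" test from post 11 on a client and separates a blocked port 8014 from an HTTP error returned by IIS, which is the distinction post 17 asks about. The function name and the host name `sepm.example.internal` are placeholders; the port and URL path are the ones quoted in the thread.

```powershell
# Added example: classify the outcome of the "hello,secars" test from a client.
# Test-SepmSecars and the server name are hypothetical; port 8014 and the URL
# path are taken from the thread.
function Test-SepmSecars {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [int]$Port = 8014,
        [int]$TimeoutMs = 5000
    )

    # Step 1: plain TCP connect. A failure here points at name resolution,
    # a firewall, or a stopped listener rather than at IIS or SEPM itself.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $tcp.BeginConnect($Server, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return "TCP_TIMEOUT: no answer from ${Server}:$Port (traffic dropped on the way?)"
        }
        $tcp.EndConnect($pending)
    } catch {
        return "TCP_FAILED: ${Server}:$Port - $($_.Exception.Message)"
    } finally {
        $tcp.Close()
    }

    # Step 2: the HTTP request itself. The port is open, so any failure now
    # comes from the web server and carries a status code worth recording.
    $url = "http://${Server}:$Port/secars/secars.dll?hello,secars"
    $req = [System.Net.WebRequest]::Create($url)
    $req.Timeout = $TimeoutMs
    try {
        $resp   = $req.GetResponse()
        $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
        $body   = $reader.ReadToEnd().Trim()
        $reader.Close(); $resp.Close()
        # Post 11: success is indicated by an "OK" in the response.
        if ($body -like 'OK*') { return "OK: SEPM answered '$body'" }
        return "UNEXPECTED_BODY: HTTP 200 but body was '$body'"
    } catch {
        # PowerShell wraps .NET exceptions; walk down to the WebException.
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Net.WebException])) { $ex = $ex.InnerException }
        if ($ex -and $ex.Response) {
            $code = [int]$ex.Response.StatusCode
            return "HTTP_ERROR: status $code from the web server; check the IIS logs on the SEPM"
        }
        return "HTTP_FAILED: $($_.Exception.Message)"
    }
}

# Replace the placeholder with the SEPM host name before running.
Test-SepmSecars -Server 'sepm.example.internal'
```

The function uses only .NET classes, so it also runs on the PowerShell 2.0 that ships with Windows 7 and Server 2008 R2.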


  • 18.  RE: SEP 11 almost useless... going to return today unless I get this figured out... Help!! :)

    Posted Jun 30, 2010 01:55 PM
    I have FINALLY resolved this problem after nearly 6 months but it wasn't easy at all. The issue appears to have been with Windows 7 and SEP's NTP. For some reason, the NTP was not shutting down the Windows Firewall properly and I had to manually disable the Windows Firewall service. Here's what I had to do to finally get things working properly:

    Manually run CleanWipe on all systems. About half of my systems needed CleanWipe to be run twice as SEP was still installed after the initial CleanWipe reboot was done.

    Manually install the SEP client (x32 or x64) on client system. Deployment through SEPM to Windows 7 & Server 2008 systems does not work properly in my environment. Have no idea why.

    When completed, open the SEP client, select Troubleshooting and check to see if client shows the SEPM server as online. If offline, reboot system and repeat procedure until client shows SEPM server as online. Next, click on Fix to force virus def update and wait until green dot shows up. REBOOT once more and client should now be communicating with SEPM server. 

    What I've learned:

    Issue exists when using Citrix Xenserver VM to host SEPM. SEPM may work on VMware and Hyper V but not on Xenserver. I had to prepare a physical server to host SEPM.

    Something screwy with Windows 7 clients and using SEPM to deploy from server. SEP clients deploy just fine but never connect to SEPM server.

    Half of my Windows 7 clients had to run CleanWipe twice in order to remove SEP. Never saw that before.

    SEPM Java console won't work in Google Chrome even using IE Tab extension.

    Thanks for all of the suggestions from one and all particularly the ones about the @$#!&* Windows Firewall. I hate that thing...