Endpoint Protection

HI Guys,

I have a brand new install of SEP running in a multi-server environment. All of the server report into |Clients| except for the server where the Manager Console is installed. The status is "Not Scanned" and "Not reporting Status". My question is, did something go wrong with the deployment or something else? I have uninstalled the LCient and redeployed it several times. I have also deleted the computer account from SEP Manager Console and added it again.

What Am I doing wrong?

Thanks in advance,

Jannie

hi, on the client do you see the server name listed?
is the green dot visible on the client? are you using the same package to install (used on other system)
run sylink and check if it communicates with the SEPM.

Pete!

HI,

Please try to replace the Sylink definately your issue will resolve.

Thanks for the prompt response. I am using the same package to install on all the clients. No, there is no green dot on the client. The "Shield" tray icon has got errors listed. The error messag complains about the definitions being too old. I ran the SyLinkMonitor and the results are below:

04/16 12:51:48 [2836] ~~~Sylink log started. (SEP Product Version in registry: 11.0.4000.2295, Sylink File Version: 11.0.4000.2261)
04/16 12:51:48 [2836] Stored HostGUID=3622EFF90A65011300C7491046FFD1A1; outlen=16
04/16 12:51:48 [2836] <RestoreSettings>Stored UserGuid=0; outlen=2
04/16 12:51:48 [2836] <mfn_DecodeSSN>Sygate-SSN=63
04/16 12:51:48 [2836] <mfn_DecodeSSN>Read CSN=64
04/16 12:51:48 [2836] Product Type=3,Major Ver=6,Minor Ver=0,Platform ID=18,OSType=50724882
04/16 12:51:48 [2836] OS=Windows Server 2008 Standard Edition; number=6.0.6001
04/16 12:51:48 [2836] SyLinkCreateInstance => Instance created: 031A95B0 Registry path: SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK
04/16 12:51:48 [2836] <GetOnlineNicInfo>:Netport Count=0
04/16 12:51:48 [2836] <GetOnlineNicInfo>:NicInfo
04/16 12:51:48 [2836] SyLinkCreateConfig => Created instance: 031B5F38
04/16 12:51:48 [2836] UseNewConfig => Created m_hNewConfig: 031B5F38
04/16 12:51:48 [2836] Importing ConfigObject: 0315B5B0 into: 031B5F38
04/16 12:51:48 [2836] Importing ConfigObject: 0315B5B0 into: 031B3AD8
04/16 12:51:48 [2836] <PostEvent>stopping...ignore event ID=EVENT_SYLINK_CONFIG_SETTING_CHANGED
04/16 12:51:48 [2836] SSA packageType is set as 105
04/16 12:51:48 [2836] SyLinkDeleteConfig => Deleting instance: 0315B5B0
04/16 12:51:49 [2836] <SetHiStatus>HI status is changed to=3; reason=0; rule=Host Integrity check is disabled.
Host Integrity policy has been disabled by the administrator.
04/16 12:51:50 [2836] SyLinkCreateConfig => Created instance: 048B1480
04/16 12:51:50 [2836] SetCurLocationName: Name is set to - Default
04/16 12:51:50 [2836] SetCurLocationID: ID is set to - 846CC5410A6501130000273DB227BE45
04/16 12:51:50 [2836] SyLinkCreateConfig => Created instance: 048B2720
04/16 12:51:50 [2836] Importing ConfigObject: 048B2720 into: 031B5F38
04/16 12:51:50 [2836] Importing ConfigObject: 048B2720 into: 031B3AD8
04/16 12:51:50 [2836] <PostEvent>stopping...ignore event ID=EVENT_SYLINK_CONFIG_SETTING_CHANGED
04/16 12:51:50 [2836] SyLinkDeleteConfig => Deleting instance: 048B2720
04/16 12:51:50 [2836] SyLinkDeleteConfig => Deleting instance: 048B1480
04/16 12:51:50 [2836] <CSyLink::Start()>
04/16 12:51:50 [2836] <CSyLink::ImportConfigFile()>
04/16 12:51:50 [2836] </CSyLink::ImportConfigFile()>
04/16 12:51:50 [2836] <GetDomainHostName>msz_DomainName is taken from szDomainName
04/16 12:51:50 [2836] <GetDomainHostName>DomainName (Final)=Airborne.local
04/16 12:51:50 [2836] *********Netport Count=1
04/16 12:51:50 [2836] Not PCI-->Local Area Connection
04/16 12:51:50 [2836] MAC= Wireless=
04/16 12:51:51 [2836] <Start>Unable to create Session with 'No Proxies' settings - Error Code: 87
04/16 12:51:51 [3916] <HeartbeatThreadProc:>Thread is about to begin..
04/16 12:51:51 [5440] Successfully created the heartbeat thread
04/16 12:51:51 [2836] <Start>Started, contact SMS every 3600 seconds
04/16 12:51:51 [2836] <PostEvent>going to post event=EVENT_SYLINK_CONFIG_SETTING_CHANGED
04/16 12:51:51 [2836] <PostEvent>done post event=EVENT_SYLINK_CONFIG_SETTING_CHANGED, return=0
04/16 12:51:51 [2836] </CSyLink::Start()>
04/16 12:51:51 [5676] <CExpBackoff::CExpBackoff()>
04/16 12:51:51 [5676] </CExpBackoff::CExpBackoff()>
04/16 12:51:51 [2836] <SetClientAuth>Received new User/Domain from SMC.. User: jfranzsen User Domain: AIRBORNE
04/16 12:51:51 [2836] <SetClientAuth>Getting RDNS Domain Name (user domain in AD setup)..
04/16 12:51:51 [2836] <GetLoginRdnsDomain>DNS domain=AIRBORNE.LOCAL
04/16 12:51:51 [2836] <SetClientAuth>Setting the User Domain to RDNS Domain ..
04/16 12:51:51 [2836] <SetClientAuth>Logged in user info set to: AIRBORNE.LOCAL/jfranzsen
04/16 12:51:51 [2836] <SetClientAuth>Marking User Change Notify to redo registration..
04/16 12:51:52 [3916] <CheckHeartbeatTimer>====== Heartbeat loop starts at 12:51:52 ======
04/16 12:51:52 [3916] <GetOnlineNicInfo>:Netport Count=1
04/16 12:51:52 [3916] <GetOnlineNicInfo>:NicInfo<SSANICs><SSANIC Ip="10.101.1.19" Mac="00-15-5d-e7-0c-02" Gateway="10.101.1.1" SubnetMask="0.0.0.0"/></SSANICs>
04/16 12:51:53 [3916] <CalcAgentHashKey>:CH=8A5DFBCB0A65011301E5FC9D3B169A971OspreyAirborne.localE56866258871193C89D6C2059F2AB807
04/16 12:51:53 [3916] <CalcAgentHashKey>:CHKey=FA69ED5CE7C2B025BC5C120D72048071
04/16 12:51:53 [3916] <CalcAgentHashKey>:C=8A5DFBCB0A65011301E5FC9D3B169A971OspreyAirborne.local
04/16 12:51:53 [3916] <CalcAgentHashKey>:CKey=B9BAFB56BF1DBCC2EAC9A4371FF8FF02
04/16 12:51:53 [3916] <CalcAgentHashKey>:UCH=8A5DFBCB0A65011301E5FC9D3B169A970jfranzsenAIRBORNE.LOCALOspreyAirborne.localE56866258871193C89D6C2059F2AB807
04/16 12:51:53 [3916] <CalcAgentHashKey>:UCHKey=74E67DF51D57AD66098F7958F7F49887
04/16 12:51:53 [3916] <CalcAgentHashKey>:UC=8A5DFBCB0A65011301E5FC9D3B169A970jfranzsenAIRBORNE.LOCALOspreyAirborne.local
04/16 12:51:53 [3916] <CalcAgentHashKey>:UCKey=F7E28654B69E8A920B3D489BE78E702C
04/16 12:51:53 [3916] <DoHeartbeat>HardwareID=E56866258871193C89D6C2059F2AB807
04/16 12:51:53 [3916] <DoHeartbeat>CHKey=FA69ED5CE7C2B025BC5C120D72048071
04/16 12:51:53 [3916] <DoHeartbeat>CKey=B9BAFB56BF1DBCC2EAC9A4371FF8FF02
04/16 12:51:53 [3916] <DoHeartbeat>UCHKey=74E67DF51D57AD66098F7958F7F49887
04/16 12:51:53 [3916] <DoHeartbeat>UCKey=F7E28654B69E8A920B3D489BE78E702C
04/16 12:51:53 [3916] <DoHeartbeat> Set heartbeat event
04/16 12:51:53 [3916] Use new configuration
04/16 12:51:53 [3916] <RegHeartbeatProc>====== Reg Heartbeat loop starts at 12:51:53 ======
04/16 12:51:53 [5044] SyLinkCreateConfig => Created instance: 048BA840
04/16 12:51:53 [5044] Importing ConfigObject: 031B3AD8 into: 048BA840
04/16 12:51:53 [5044] SyLinkDeleteConfig => Deleting instance: 048BA840
04/16 12:51:53 [3916] HEARTBEAT: Check Point 1
04/16 12:51:53 [3916] HEARTBEAT: Check Point 2
04/16 12:51:53 [3916] <PostEvent>going to post event=EVENT_SERVER_CONNECTING
04/16 12:51:53 [3916] <PostEvent>done post event=EVENT_SERVER_CONNECTING, return=0
04/16 12:51:53 [3916] HEARTBEAT: Check Point 3
04/16 12:51:53 [3916] <RegHeartbeatProc>Setting the session timeout on Profile Session (Registration) to 30000
04/16 12:51:53 [3916] HEARTBEAT: Check Point 4
04/16 12:51:53 [3916] <RegHeartbeatProc>===Registration STAGE===
04/16 12:51:53 [3916] <MakeRegisterData:>logon id (domain/user)=AIRBORNE.LOCAL/jfranzsen

read error, exit
04/16 12:51:53 [3916] <SendRegistrationRequest:>SMS return=468
04/16 12:51:53 [3916] <ParseHTTPStatusCode:>468=>468 Request not allowed
04/16 12:51:53 [3916] <SendRegistrationRequest:>Content Lenght => 48
04/16 12:51:53 [3916] <mfn_DecodeSSN>Sygate-SSN=5
04/16 12:51:53 [3916] <mfn_DecodeSSN>Read CSN=6
04/16 12:51:53 [3916] HTTP returns status code=468
04/16 12:51:53 [3916] <SendRegistrationRequest:>RECEIVE STAGE COMPLETED
04/16 12:51:53 [3916] <SendRegistrationRequest:>COMPLETED
04/16 12:51:53 [3916] HEARTBEAT: Check Point 5.1
04/16 12:51:53 [3916] <RegHeartbeatProc>switch to another server
04/16 12:51:53 [3916] HEARTBEAT: Check Point 9
04/16 12:51:53 [3916] HEARTBEAT: Check Point 8
04/16 12:51:53 [3916] <PostEvent>going to post event=EVENT_SERVER_DISCONNECTED
04/16 12:51:53 [3916] <PostEvent>done post event=EVENT_SERVER_DISCONNECTED, return=0
04/16 12:51:54 [3916] HEARTBEAT: Check Point 1
04/16 12:51:54 [3916] HEARTBEAT: Check Point 2
04/16 12:51:54 [3916] <PostEvent>going to post event=EVENT_SERVER_CONNECTING
04/16 12:51:54 [3916] <PostEvent>done post event=EVENT_SERVER_CONNECTING, return=0
04/16 12:51:54 [3916] HEARTBEAT: Check Point 3
04/16 12:51:54 [3916] <RegHeartbeatProc>Setting the session timeout on Profile Session (Registration) to 30000
04/16 12:51:54 [3916] HEARTBEAT: Check Point 4
04/16 12:51:54 [3916] <RegHeartbeatProc>===Registration STAGE===
04/16 12:51:54 [3916] <MakeRegisterData:>logon id (domain/user)=AIRBORNE.LOCAL/jfranzsen

read error, exit
04/16 12:51:54 [3916] <SendRegistrationRequest:>SMS return=502
04/16 12:51:54 [3916] <ParseHTTPStatusCode:>502=>Uninterpreted Status
04/16 12:51:54 [3916] <SendRegistrationRequest:>Content Lenght => 4057
04/16 12:51:54 [3916] HTTP returns status code=502
04/16 12:51:54 [3916] <SendRegistrationRequest:>RECEIVE STAGE COMPLETED
04/16 12:51:54 [3916] <SendRegistrationRequest:>COMPLETED
04/16 12:51:54 [3916] HEARTBEAT: Check Point 5.1
04/16 12:51:54 [3916] <ScheduleNextUpdate>new scheduled heartbeat=32 seconds
04/16 12:51:54 [3916] HEARTBEAT: Check Point 8
04/16 12:51:54 [3916] <PostEvent>going to post event=EVENT_SERVER_DISCONNECTED
04/16 12:51:54 [3916] <PostEvent>done post event=EVENT_SERVER_DISCONNECTED, return=0
04/16 12:51:55 [3916] <RegHeartbeatProc>====== Registration Procedure stops at 12:51:55 ======
04/16 12:51:55 [3916] HEARTBEAT: Check Point 10
04/16 12:51:55 [3916] HEARTBEAT: Check Point Complete
04/16 12:51:55 [3916] <RegHeartbeatProc>Done, Heartbeat=32seconds
04/16 12:51:55 [3916] HeartbeatProcFailed to get profile with proxy setting 1
04/16 12:51:55 [3916] <CheckHeartbeatTimer>====== Heartbeat loop stops at 12:51:55 ======
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Thanks for the helps so far.

Jannie

What's the server brand?

If it is HP, immediately update the Network Adapter driver. You can obtain it from the HP website.

Note that the HP servers have a considerable conflict with Microsoft SP2, and the issue is not related only to SEPM. If you have an HP server, u MUST update the drivers especially the Network Adapter. Otherwise the server will function abnormally without any clear cause.

Hi Farzad, This server is a Virtual Server in Hyper-V. Therefore I conlude that the network card should not be the problem.

Mansoor, the Sylink did not resolved the issue

Thanks for everyone's helps on this. Really appreciate it

Jannie

Hi Jannie, did you install NTP on the server?

Jannie,

You didn't mention your server brand, therefore I return to the subject:
If your server (physical server) is HP, you do need to update the drivers.
Since the Virtual servers use the physical servers drivers, you need the update.

Do you have ISA or Proxy in your environment.?

Can also dp a Secar test and check if you are getting "OK'

http://<SEPM_name_or_IP>:<Port>/secars/secars?hello,secars

Correct me if I'm wrong here. But I treat the manager and the client as 2 different pieces of software. Meaning, on the server, there is a manager and a client. The client handles the server where the manager is installed. I'm not sure how SEP handles the updates but I have seen SAV servers that is not updated even if their clients are.

From the log that you have posted, It looks like something is blocking the communication in the IIS.

A possibility can be that in the directory security part of the website the server IP is set to blocked under the "IP address and domain name restriction."

Sandeep is correct.
 Check out the IIS connectivity and do the needfull configuration settings

Ajit

Check IIS and also check the right sylink.xml has installed.

hi jannie,
try chking the IIS communication settings and also check for the permissions of the SEPM users, do they have full permission in the inetpub wwwroot folders...

Is NTP included on the installation of the client?