Endpoint Protection

  • 1.  SEP-NTP causes Node unable re-join Cluster after SEP installed (w/ NTP on); required disable NTP to correct.

    Posted Jul 13, 2011 03:24 PM

     

    Windows 2008 Failover Cluster having two Nodes = Quorum (Node and Disk Majority)
    Installed SEP 11.0.6005.562 on passive Node and found that node could not rejoin Cluster as 'Witness disk' unavailable.
    Node was only able to function in cluster again after Network Threat Protection disabled; so only A/V enabled currently.
     
    Are there specific settings that will allow NTP to operate in the Win2008 FC w/o impairing Cluster itself?
    Or, is NTP not actually supported yet for the Win2008 FC?


  • 2.  RE: SEP-NTP causes Node unable re-join Cluster after SEP installed (w/ NTP on); required disable NTP to correct.

    Posted Jul 13, 2011 04:52 PM

    Please check this article -

    Installing a Symantec Endpoint Protection client to a cluster server

    http://www.symantec.com/business/support/index?page=content&id=TECH91154&actp=search&viewlocale=en_US&searchid=1310590223704

     

    Best,

    Thomas



  • 3.  RE: SEP-NTP causes Node unable re-join Cluster after SEP installed (w/ NTP on); required disable NTP to correct.

    Posted Jul 14, 2011 07:11 PM

    As stated, I need to confirm whether Network Threat Protection is supported for 2008 Srv Cluster Server -- have found AV only works OR must at least disable NTP (or server cannot re-join cluster and operate after SEP install). So, does not seem that NTP is supported, unless there are specific settings that will allow cluster operation.



  • 4.  RE: SEP-NTP causes Node unable re-join Cluster after SEP installed (w/ NTP on); required disable NTP to correct.

    Posted Jul 14, 2011 07:42 PM

    Create a firewall rule enabling the ports below, keep it as the first rule, and try.

     

     

    Application protocol     Protocol   Ports
    Cluster Services         UDP        3343
    RPC                      TCP        135
    Cluster Administrator    UDP        137


  • 5.  RE: SEP-NTP causes Node unable re-join Cluster after SEP installed (w/ NTP on); required disable NTP to correct.

    Posted Jul 15, 2011 01:40 AM

    http://www.symantec.com/docs/TECH105581
     

    Check the above link to see if it helps in your case.

    Good Luck!



  • 6.  RE: SEP-NTP causes Node unable re-join Cluster after SEP installed (w/ NTP on); required disable NTP to correct.

    Posted Sep 15, 2011 12:01 AM

    By default, the "Microsoft Failover Cluster Virtual Adapter" (NetFT.sys) uses IPv6 to communicate with other nodes in the cluster. If you have an IPv4 configuration, then IPv6 is tunneled over IPv4 to establish sessions with remote nodes. If IPv6 is completely unavailable in your environment, the nodes will then communicate by IPv4. It is possible to disable IPv6 and still have the cluster function correctly but it is recommended to enable IPv6 with Windows 2008, 2008 R2 Failover clustering.

    Reference: For more information about IPv6 on cluster please refer to the below article from "Windows Failover Cluster Team":
    http://blogs.technet.com/b/askcore/archive/2010/02/12/windows-server-2008-failover-clusters-networking-part-1.aspx

    A default SEP firewall policy has a rule to Block "IPv6" communication and "IPv6 over IPv4" communication, which conflicts with the cluster communication over "IPv6" or "IPv6 over IPv4". Currently Symantec Endpoint Protection Firewall doesn't support IPv6.

    Reference: Symantec Endpoint Protection 11.0.6 compatibility with IPv6 and IPv6 over IPv4
    http://www.symantec.com/docs/TECH91244
     
     
    Solutions:

    Solution 1:
    Completely disable IPv6 support on the cluster nodes.

    Solution 2:
    1. Disable (Uncheck) the "IPv6" and "IPv6 over IPv4" rules in the firewall policy of the SEP clients installed in the cluster nodes.
    2. Add a new blank rule and set it to "allow" on the following triggers.
     Host : Local (Add IP addresses of all cluster nodes) and Remote (Add IP addresses of all cluster nodes).
     Service : Local port: 3343,137,135 / Remote port: 3343,137,135.
     (Set all other triggers to "Any")
    3. If a node is still not joining the cluster, remove it from the cluster and add it again.

    Note: Do not delete the rule that blocks IPv6. Do not change its filter action from Block to Allow.


    Also check the following articles:
    About Windows and Symantec firewalls
    http://www.symantec.com/docs/HOWTO26652

    How to disable certain Internet Protocol version 6 (IPv6) components in Windows Vista, Windows 7, and Windows Server 2008
    http://support.microsoft.com/kb/929852