Endpoint Protection

To all in the know

Just nearing the end of a large deployment - can anyone advise on the issues / problems experienced whilst pushing clients out to all flavours of vista? (most of the machines are 2000 / XP)
The packages (at the moment) only contain A/V and Antispyware - steering clear of SNAC / firewall etc for the time being.
Are there any particular communication issues with the clients communicating back to the SEPM for updates etc? Does anything specific need to be amended / changed on the Vista local firewall, i.e additional opened ports, network file sharing etc etc.

Any and all advice is greatly recieved and appreciated.

Regards

Mr_Miyagi

wax on, wax off.....

Hi

If you are installing only Antivirus and Antispyware on the clients, you should not face any communication issues.

Only if you have SEP Manager installed on Win 2008 Server, then you need to create an exception for port 8014 in the Windows Firewall

For Win Vista Clients when you install the SEP client, make sure that the Windows Defender is turned off.

Apart from that you should not face any issues for communication.

Hello Mr. Miyagi,

There are some special considerations if you need to deploy the SEP client to Vista machines else the deployment might fail.

Please take a look at the following article that talks about preparing Vista machines for deployment.

Symantec Endpoint Protection: Preparing computers that run Windows Vista for remote client deployment

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/3ec2f0e3cc93a02288257353001ab1fc?OpenDocument

Once the deployment and installation is successful there should not be any issues with communication if SEPM is installed on a Windows 2000 or 2003 Server. However, if it is installed on a Windows 2008 Server then either the Windows firewall needs to be disabled or an exception for TCP port 8014 needs to be created to allow client-SEPM communication.

I hope this is helpful :-)

Thanks warrior

I have enabled port 8014 on the server firewall as the SEPM is installed on 2008 - are you saying I need the same port exception in the Vista client firewall?

Mr_Miyagi


Wax on, Wax off....

Thanks here2help - I'll check out the link you have provided - your second comment answers my question back to Warrior.

Mr_Miyagi

Wax on, Wax off.....

Hi additional question what if the majority of our workstation are windows vista, do we need to do the procedure that you provided on every workstation?

NO not required to create exception for port 8014 in Win Vista.

If the Windows Defender is turned off it should work fine.

Hi

As I said earlier if installing client on Windows Vista no special procedure is required.

Only if SEP Manager is installed on Win 2008 then an exception for port 8014 is required in the Windows Firewall

As PeterPan states, the link provided by here2help has a number of cumbersome tasks that if required to be performed on every machine would make a vista remote deployment rollout prohibitive (from my perspective, as there a large number of machines spread over different locations)

Warrior, just to confirm, if you ensure that port 8014 is open on the 2008 server SEPM console for communication, and turn off winows defender on the vista client, there are no other issues that would stop the client from working? Is this from the experience of a remote deployment process you have been through or simple manual install on a few vista clients- did you perfrom any of the tasks listed in the link?
Sorry for all the clarify questions - just need to be sure as to the best way to go about it.

many thanks for all your comments so far

Mr_Miyagi

Wax on, Wax Off....

Yes Mr_miyagi   If the port used by Symantec in the IIS ( by default 8014) is opned and the windows defender is turned off on the client then IDEALLY there should be no commuincation issues.

I am saying this from my Expreince of working with SEP for last 2 years.

In SEP the Client commuincates with the SEPM on the IIS port ( 8014). All the policy and updates are passed from the SEPM to client on this port. And the clients then upload their logs using the same port.

SO ,, If there is nothing that is blocking the port 8014 then there  will be no commuincation issues irrespective of the OS.

If the SEPM is on 2003 and Client on XP and the port is blocked then the client will not commuincate with SEPM.

So in simple words for Comuincation the ports need to be opened , irrespective of the OS being used.

Hope this answers your question and clarifies your doubt

I understand the situation with the communication part - I'm just looking to find out if any other user has used remote deployment to push the agents out to vista and NOT had to implement any of the pre requisites (on the link supplied by here2help) and had no issues.

Thanks

Mr_Miyagi

Wax On, Wax Off...

We can't give you the names of the Customer , But I have tried this in many cases and it has worked.

When the Install fails then we come to the link that you are refreeing to

I think you need to wax off the firewall of windows vista just to wax on the installation and proceed to the deployment. how many vista clients that you have?

'......must remember to breathe...very important....'

There are quite a few - approximately 50 or so.


Mr_Miyagi


Wax On, Wax Off....

  I cannot believe this. I could install antivirus with no problem but as soon as I installed the Network parts (NTP, FW etc) my vista computer would bluescreen every few minutes. I could not figure it out.

So I tried your suggestion and it has been over an hour so far and everything is working fine.
I cannot believe this was all that was needed.