Endpoint Protection


SEPM Blocking Site

  • 1.  SEPM Blocking Site

    Posted Sep 01, 2009 07:56 AM
    Hi,
    I have 5 machines on a small network. I am using SEPM and all 5 machines have SEP installed. All machines can access ANY website except 1 particular website. I can access this one website from ANY other computer at other locations. I am thinking SEPM has blocked/firewalled this 1 website.

    How and where would I check this? I have logged into SEPM and found Firewall however not sure where to check for blocked sites.

    Thanks


  • 2.  RE: SEPM Blocking Site

    Posted Sep 01, 2009 08:13 AM
    SEPM will not block any website.

    It's not an antivirus software at all.

    Can you let me know the site you are trying to access?

    Is it an internal website or an external one?



  • 3.  RE: SEPM Blocking Site

    Posted Sep 01, 2009 08:19 AM
    It's actually a social network site: Bebo.com. We can access the site, however we cannot log in. We can log in from any other machines at other locations such as neighbors, library, etc. When we try to log in it goes to the "Internet Explorer Can Not Display the Webpage" error. I have even tried disconnecting from the router and plugging the internet connection directly into the individual machines, bypassing any router issues. I was thinking SEPM was somehow blocking it, since this is the only common program on all machines.


  • 4.  RE: SEPM Blocking Site

    Posted Sep 01, 2009 08:25 AM

    Does it work when you disable Symantec Network Threat Protection?


     



  • 5.  RE: SEPM Blocking Site

    Posted Sep 01, 2009 08:28 AM
    Haven't tried it. Do I just right click on the shield and choose "Disable Symantec Protection"  ?


  • 6.  RE: SEPM Blocking Site

    Posted Sep 01, 2009 08:41 AM
    Yes, you can do that, or open Symantec Endpoint Protection, and under Network Threat Protection click on Options, then Disable Network Threat Protection.
    Both will disable Network Threat Protection.


  • 7.  RE: SEPM Blocking Site

    Posted Sep 01, 2009 09:31 AM
    Do the network troubleshooting first.

    nslookup bebo.com

    If you get an output, then ping the IP of that website. Or you can telnet to port 80 to see if it's accepting connections.
    If the above fails, then it's a network issue. However, if the network-level things are looking good and you want to make sure that the SEP client is not the cause of the issue, then you can stop the SEP service and try again.

    Cheers,
    Aniket


  • 8.  RE: SEPM Blocking Site

    Posted Sep 01, 2009 02:07 PM
    Ok. I tried pinging bebo.com and cannot ping it. I tried pinging 4 other websites and all 4 worked ok. I have opened SEP and disabled Network Threat and Proactive Threat, still unable to log into bebo.

    I have no other security software running on the machines except SEP & SEPM. I have made sure Windows Firewall is disabled. Also, I have unhooked the internet line from the router and plugged it directly into the back of the 4 machines, by-passing any issues with the router. 

    Is there anything in SEPM or SEP that would be causing this website to be blocked? By opening SEP and disabling Network Threat Protection, does this completely ignore SEP, or is there a way to completely shut it down to test it out?


  • 9.  RE: SEPM Blocking Site

    Posted Sep 01, 2009 02:32 PM
    Do all 5 systems have the same FW policy? Are the Browser and OS versions the same for the working and non-working computer?



  • 10.  RE: SEPM Blocking Site

    Posted Sep 01, 2009 02:39 PM
    Yes. All 5 machines have the same policies and all 5 machines are XP with IE7. I can access this website from other machines, outside the network (neighbors, library, etc.), which are also XP and IE7 machines.


  • 11.  RE: SEPM Blocking Site

    Posted Sep 01, 2009 02:43 PM
    In a command prompt, execute the command: nslookup bebo.com

    Whatever IP address you get as output, please put that IP in IE as http://x.x.x.x

    Let us know if that works.

    Cheers,
    Aniket


  • 12.  RE: SEPM Blocking Site

    Posted Sep 01, 2009 03:25 PM
    Ok, I went to cmd, typed it in, and it returned an address of 208.75.184.192

    I went to IE and typed in http://208.75.184.192 and it did not work. It says "Internet Explorer Can Not Display The Webpage".



  • 13.  RE: SEPM Blocking Site

    Posted Sep 01, 2009 03:36 PM
    Do you have a different browser to try? Maybe you can try that IP address in Firefox.




  • 14.  RE: SEPM Blocking Site

    Posted Sep 01, 2009 03:59 PM
    I just downloaded Mozilla FireFox, installed it and tried it in Mozilla. Same thing. Not working......  Is there anything in SEP that would block it?


  • 15.  RE: SEPM Blocking Site

    Posted Sep 01, 2009 04:12 PM
    Can you load pages from other social networking sites listed below?

    facebook.com
    twitter.com
    myspace.com


  • 16.  RE: SEPM Blocking Site

    Posted Sep 01, 2009 04:16 PM
    Yes I can. All of them, plus all other websites work. The strange thing is that I can log onto the bebo account from other computers at other locations, just not the ones here on the network. I currently have the internet line plugged directly into the back of the computer to avoid any router issues. Also, I still can't ping this website either.


  • 17.  RE: SEPM Blocking Site

    Posted Sep 01, 2009 04:19 PM
    Can you do a tracert 208.75.184.192 in a command prompt and let us know the output?

    If the packets are not going out of your machine, then it's an issue with your machine.

    If the packets go as far as the gateway/router, then that's the culprit.

    I am providing steps to make sure that we have a root cause analysis of the situation.

    Cheers,
    Aniket


  • 18.  RE: SEPM Blocking Site

    Posted Sep 01, 2009 04:26 PM
    You can go into Add & Remove Programs on one of the machines.
    Select Symantec Endpoint Protection & try to modify the feature sets.
    Disable the NTP & PTP on one of the systems, keep only the AV & ASPY features & see if that machine is able to access this website.
    If yes, then you can enable the PTP & do the same thing & then enable the NTP & see how it works.



  • 19.  RE: SEPM Blocking Site

    Posted Sep 01, 2009 04:39 PM

    Ok. Here is what it returned with:


    C:\>tracert 208.75.184.192

    Tracing route to www.bebo.com [208.75.184.192]
    over a maximum of 30 hops:

      1    42 ms     1 ms     1 ms  75-104-199-115.cust.wildblue.net 
      2  2579 ms  1126 ms  1127 ms  10.45.0.1
      3  1632 ms  1229 ms  1129 ms  10.231.20.9
      4  1637 ms  1126 ms  1126 ms  10.231.30.31
      5  1637 ms  1228 ms  1090 ms  10.231.30.1
      6  1739 ms  1740 ms  2047 ms  10.231.100.2
      7  1739 ms  1229 ms  1144 ms  10.231.110.2
      8  1228 ms  1228 ms  1228 ms  POS0-1-2.GW3.MSP3.ALTER.NET [157.130.115.229]
      9  1130 ms  1223 ms   824 ms  0.so-4-0-0.CL1.MSP3.ALTER.NET [152.63.65.202]
     10  1358 ms  1330 ms  1722 ms  0.so-7-0-0.XL3.NYC4.ALTER.NET [152.63.10.21]
     11  1765 ms  1638 ms  1433 ms  0.xe-4-2-0.BR2.NYC4.ALTER.NET [152.63.3.110]
     12  1739 ms  1330 ms  1740 ms  204.255.168.58
     13  2755 ms  1740 ms  1263 ms  bb2-new-p1-0.atdn.net [66.185.152.197]
     14  1638 ms  1188 ms  1165 ms  bb1-new-p0-0.atdn.net [66.185.152.192]
     15  1222 ms  1228 ms  1051 ms  bb1-ash-p14-0.atdn.net [66.185.152.48]
     16   921 ms   715 ms  1229 ms  bb1-sjg-p7-0.atdn.net [66.185.153.59]
     17  1738 ms  1432 ms  1638 ms  pop2-sjg-p0-0.atdn.net [66.185.150.97]
     18     *        *        *     Request timed out.
     19     *        *        *     Request timed out.
     20     *        *        *     Request timed out.
     21     *        *        *     Request timed out.
     22     *        *        *     Request timed out.
     23     *        *        *     Request timed out.
     24     *        *        *     Request timed out.
     25     *        *        *     Request timed out.
     26     *        *        *     Request timed out.
     27     *        *        *     Request timed out.
     28     *        *        *     Request timed out.
     29     *        *        *     Request timed out.
     30     *        *        *     Request timed out.

    Trace complete.

    C:\>



  • 20.  RE: SEPM Blocking Site

    Posted Sep 02, 2009 07:00 AM


  • 21.  RE: SEPM Blocking Site

    Posted Sep 02, 2009 07:58 AM
    Hi

    As mentioned earlier by you, we do get the login page of Bebo.com coming up. It's when you try logging in after you put in your credentials that it doesn't work. I hope I have understood it correctly.

    So here are few basic steps that we can try...

    1) Try adding this website to your trusted sites of IE.

    2) As you are using IE7, I would like you to downgrade it to IE6.
         * I understand that you did also try installing Mozilla Firefox, but I am not sure whether you imported the same settings as IE.

    3) And I would appreciate it if you could once again confirm whether, on disabling SEP, you are able to get through to the website or not.

    Awaiting your reply,


  • 22.  RE: SEPM Blocking Site

    Posted Sep 02, 2009 08:33 AM
    Hey,

    Sorry for the delayed response...

    So, the tracert worked just fine. Correct me if I am wrong, but you mentioned that none of the computers in this location are able to access this website. Is there any computer that does not have SEP installed? You can try to browse the site on that machine and see if it works.

    That would be the fastest way to eliminate SEP as a probable cause and move on with the RCA.

    Would it be possible for you to run Wireshark 1.2 on your machine while you try to browse this website?

    Also, refer to the steps mentioned in the article: https://www-secure.symantec.com/connect/articles/trace-location-traffic-geoip-technology-implemented-wireshark

    If you do not know how to run Wireshark, refer to https://www-secure.symantec.com/connect/videos/capturing-network-communication-packets-wireshark-utility

    Cheers,
    Aniket


  • 23.  RE: SEPM Blocking Site

    Posted Sep 02, 2009 08:59 AM
    Thanks for the reply. All of the machines do have SEP installed on them. I would need to uninstall SEP from one machine to try it.

    I have never run Wireshark. I can give it a try.

    One thing I noticed. As shown a few posts above with the TRACERT report, notice how it "times out"? Number 17 seems to go through fine, then 18 times out and it's like that from there on.

    Computer TRACERT That WON'T Connect
    17  1738 ms  1432 ms  1638 ms  pop2-sjg-p0-0.atdn.net [66.185.150.97]
    18     *        *        *     Request timed out.

    I ran a TRACERT from a computer at another location that will connect. From above, the timeout happened after the pop2-sig-xxxxxxxxx location. The next location (where the timeout happens) is at the beboinc.com {66.185.141.210} location (as shown below from the computer where I can access it).

    Computer TRACERT At other location that will connect
     8   345 ms   459 ms   349 ms  pop2-sjg-p0-0.atdn.net [66.185.150.97]
     9   234 ms   359 ms   275 ms  te3-1.border01.beboinc.com [66.185.141.210]
    10   658 ms   484 ms   561 ms  www.bebo.com [208.75.184.192]

    Could this mean that bebo.com has my IP address blocked? I get this same TRACERT on all 4 machines.
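
The comparison made in the post above (last hop that answers in the failing trace versus the hop that follows it in a working trace) can be scripted. This is an added example, not part of the original thread; the function names are illustrative and the sample text is excerpted from the two tracert outputs posted above.

```python
import re

HOP_RE = re.compile(r"^\s*(\d+)\s+(.+)$")  # hop number, then the rest of the line

def parse_tracert(text):
    """Parse Windows tracert output into [(hop_number, address_or_None)]."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # banner, blank line or "Trace complete."
        hop, rest = int(m.group(1)), m.group(2)
        if "Request timed out" in rest:
            hops.append((hop, None))
        else:
            # Last token is "[ip]" when a name resolved, otherwise the bare address.
            hops.append((hop, rest.split()[-1].strip("[]")))
    return hops

def compare(failing_text, working_text):
    """Find where the failing trace goes silent and what the working trace shows next."""
    failing, working = parse_tracert(failing_text), parse_tracert(working_text)
    answered = [h for h in failing if h[1] is not None]
    last = answered[-1] if answered else None
    expected = None
    if last:
        for i, (_, addr) in enumerate(working[:-1]):
            if addr == last[1]:
                expected = working[i + 1]
    reached = bool(failing) and failing[-1][1] is not None
    return {"reached_destination": reached,
            "last_responding": last,
            "expected_next": expected}

# Excerpts from the traces posted in this thread.
FAILING = """
 17  1738 ms  1432 ms  1638 ms  pop2-sjg-p0-0.atdn.net [66.185.150.97]
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
"""
WORKING = """
  8   345 ms   459 ms   349 ms  pop2-sjg-p0-0.atdn.net [66.185.150.97]
  9   234 ms   359 ms   275 ms  te3-1.border01.beboinc.com [66.185.141.210]
 10   658 ms   484 ms   561 ms  www.bebo.com [208.75.184.192]
"""

if __name__ == "__main__":
    print(compare(FAILING, WORKING))
```

The hop reported as `expected_next` is only where replies stop arriving; silence there can come from filtering of the source address or of ICMP at that border, so it narrows down whom to ask rather than proving a block.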


  • 24.  RE: SEPM Blocking Site
    Best Answer

    Posted Sep 02, 2009 09:39 AM

    I did some digging on the IP address above. Looks like it is registered for AOL Transit Data Network.
    And AOL Transit seems to host the mail server for Bebo.com.

    So probably, the traffic is being blocked there. One possibility I could think of is that this can happen if the DNS server gets blacklisted.
    These blacklists are called RBLs, Realtime BlackLists, which save the IP addresses of the SPAM servers in the world.

    http://www.robtex.com/ could be a good website to check for that.

    Cheers,
    Aniket