
SEPM cannot login to computers to detect SEP

Created: 22 Jul 2013 | 7 comments

Hi,

I have a question about searching for network clients. I use the Client Deployment Wizard to scan for clients in SEPM 12.1.

The client is joined to the domain and the OS is Windows 7. If I enable Windows Firewall on the client, SEPM cannot detect the client. The result is as below:

[screenshot]

But when I disable Windows Firewall on the client, SEPM can detect the client. The result is as below:

[screenshot: 未命名.jpg]

So it is because of Windows Firewall. I have opened TCP 139, 445 and UDP 137, 138, but it still fails.

Does anyone know which port should be open? Thanks.


Ashish-Sharma's picture

Prepare computers for remote deployment and management

Modify firewall settings to allow communication between Symantec Endpoint Protection Small Business Edition components:
■ Push deployment ports, used on management servers and clients: TCP 139 and 445, UDP 137 and 138, and TCP ephemeral ports.
■ For legacy communications, open UDP port 2967 on all computers.
■ General communication: TCP 8014 (HTTP)/TCP 443 (HTTPS) for management servers. These are the default ports, and may be customized. See Symantec Endpoint Protection 12.1: How to Change the ports used for communication between the Manager and clients.

Steps to prepare computers to install Symantec Endpoint Protection 12.1 client

Article:TECH163112  |  Created: 2011-06-23  |  Updated: 2013-07-15  |  Article URL http://www.symantec.com/docs/TECH163112

Thanks In Advance

Ashish Sharma

pete_4u2002's picture

Check this link:

http://www.symantec.com/business/support/index?page=content&id=TECH163112

Push deployment ports, used on management servers and clients: TCP 139 and 445, UDP 137 and 138, and TCP ephemeral ports.
 

Mithun Sanghavi's picture

Hello,

Check these Articles:

Preparing Windows operating systems for remote deployment

http://www.symantec.com/docs/HOWTO80805

About firewalls and communication ports

http://www.symantec.com/docs/HOWTO81451

For preparing Windows Vista, Windows 7, or Windows Server 2008 computers - 

Windows User Account Control blocks local administrative accounts from remotely accessing remote administrative shares such as C$ and Admin$. You do not need to fully disable User Account Control on the client computers during the remote deployment if you disable the registry key LocalAccountTokenFilterPolicy. For more information, visit the following URL:

http://support.microsoft.com/kb/951016

To push the client software to computers, you should use a domain administrator account if the client computer is part of an Active Directory domain. Remote deployment also requires administrator privileges to install.

Perform the following tasks:

  • Disable the Sharing Wizard.

  • Enable network discovery by using the Network and Sharing Center.

  • Enable the built-in administrator account and assign a password to the account.

  • Verify that the account has administrator privileges.

  • Disable or remove Windows Defender.

Prepare computers for remote deployment and management

Modify firewall settings to allow communication between Symantec Endpoint Protection Small Business Edition components:

■ Push deployment ports, used on management servers and clients: TCP 139 and 445, UDP 137 and 138, and TCP ephemeral ports.
 

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

AjinBabu's picture

Hi,

Have you checked the communication ports used for push deployment? These need to be open from the SEPM server to the client:

TCP 139 and 445, UDP 137 and 138.

Regards

Ajin

.Brian's picture

Is the remote registry service running?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi's picture

Hello,

Has Windows User Account Control (UAC) on the Windows 7 machine been turned off? Make sure it is turned off (this requires a restart of the machine).

Windows User Account Control blocks local administrative accounts from remotely accessing remote administrative shares such as C$ and Admin$. You do not need to fully disable User Account Control on the client computers during the remote deployment if you disable the registry key LocalAccountTokenFilterPolicy. For more information, visit the following URL:

http://support.microsoft.com/kb/951016

To push the client software to computers, you should use a domain administrator account if the client computer is part of an Active Directory domain. Remote deployment also requires administrator privileges to install.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Chetan Savade's picture

Hi,

Thank you for posting in Symantec community.

I would be glad to answer your query.

I would suggest disabling the firewall if you are going to use the SEP NTP feature.

If you plan to use Windows Firewall, then disable it temporarily until the SEP install finishes.

These are the troubleshooting steps specifically applicable to a Windows 7 machine.

Windows User Account Control blocks local administrative accounts from remotely accessing remote administrative shares such as C$ and Admin$. You do not need to fully disable User Account Control on the client computers during the remote deployment if you disable the registry key LocalAccountTokenFilterPolicy. For more information, visit the following URL:

http://support.microsoft.com/kb/951016

To push the client software to computers, you should use a domain administrator account if the client computer is part of an Active Directory domain. Remote deployment also requires administrator privileges to install.

Perform the following tasks:

  • Disable the Sharing Wizard.

  • Enable network discovery by using the Network and Sharing Center.

  • Enable the built-in administrator account and assign a password to the account.

  • Verify that the account has administrator privileges.

  • Disable or remove Windows Defender.

Refer to this article:

Preparing Windows operating systems for remote deployment 

http://www.symantec.com/docs/HOWTO81300

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
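
The ports and checks named in the replies above, as an added example that is not part of the original thread or of Symantec's documentation: a PowerShell script, run elevated on the Windows 7 client, that opens the push deployment ports only to the management server and reports the Remote Registry service state and the LocalAccountTokenFilterPolicy value. The server address `192.0.2.10`, the rule names, the `domain` profile and the 49152-65535 range (the Windows Vista/7 default dynamic TCP range) are assumptions.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell prompt on the client.
# Assumption: placeholder address of the SEPM management server.
$SepmServer = '192.0.2.10'

# Push deployment ports listed in the thread, allowed inbound only from the SEPM server.
# The ephemeral range is the Windows Vista/7 default dynamic TCP range (assumption:
# it has not been changed on this machine). Rule names are hypothetical.
$rules = @(
    @{ Name = 'SEPM-push-TCP-139-445';   Proto = 'TCP'; Ports = '139,445' },
    @{ Name = 'SEPM-push-UDP-137-138';   Proto = 'UDP'; Ports = '137,138' },
    @{ Name = 'SEPM-push-TCP-ephemeral'; Proto = 'TCP'; Ports = '49152-65535' }
)

foreach ($r in $rules) {
    # Remove an earlier copy so that re-running the script does not stack duplicates.
    & netsh advfirewall firewall delete rule "name=$($r.Name)" | Out-Null

    # Build the arguments as an array so commas in the port list are passed verbatim.
    $netshArgs = @(
        'advfirewall', 'firewall', 'add', 'rule',
        "name=$($r.Name)", 'dir=in', 'action=allow',
        "protocol=$($r.Proto)", "localport=$($r.Ports)",
        "remoteip=$SepmServer", 'profile=domain'
    )
    & netsh $netshArgs
    if ($LASTEXITCODE -ne 0) { Write-Warning "Failed to add rule: $($r.Name)" }
}

# Remote Registry service state (asked about in the thread).
$svc = Get-Service -Name RemoteRegistry
"RemoteRegistry service: $($svc.Status)"

# LocalAccountTokenFilterPolicy (KB951016): report the current value only, change nothing.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
if ($null -eq $val) {
    'LocalAccountTokenFilterPolicy: not set'
} else {
    "LocalAccountTokenFilterPolicy: $val"
}
```

Once the client is installed, the three rules can be removed again with `netsh advfirewall firewall delete rule` and the same names.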