SEPM issues after Gov "gold disk"

Updated: 21 May 2010 | 43 comments
Bowpro
This issue has been solved.

SEPM was installed on a server prior to installing the DISA "gold disk" and hardening. I have been spending all day searching forums and knowledge bases for solutions and I'm finally stuck. I have verified the IIS settings. I've tried adding localhost to the trusted sites as well. At first I was getting "failed to connect" but upon enabling "Integrated Windows authentication" in the IIS manager I now get the current problem of "Unable to communicate with the reporting component." I have Home, Monitors and Reports blank when I RDP to the server, however I get Page cannot be displayed when local to the machine. I ran the SEP support tool and it says the client cannot connect to the manager even on the local machine. Gold disk can lock down a machine to useless, so if anyone has experience with this type of issue help would be appreciated.

If any logs are needed please ask and I will provide what you ask.

Thanks in advance.

Comments

Prachand, 29 Sep 2009

What is the database used by SEPM?

Are there any errors in the IIS logs?

Try these

Title: 'Unable to communicate with the reporting component after logging into the Symantec Endpoint Protection Manager'
Document ID: 2008042212582048
Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2008042212582048?Open&seg=ent

Title: 'Error: "Unable to communicate with the reporting component" when opening Symantec Endpoint Protection Manager (Embedded Database)'
Document ID: 2008110803510948
Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2008110803510948?Open&seg=ent

Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)

sandip_sali, 30 Sep 2009

Ports used by Endpoint

Hi,

Please have a look at the ports used by Endpoint. In case the ports are being used by some application other than Endpoint, it will help us narrow down the issue. You can use the netstat -anob command to get a list of the listening ports and the corresponding PID numbers; then from Task Manager we can identify the corresponding application.

Ports used by endpoint.JPG

Thanks & Regards Sandip C Sali

Bowpro, 30 Sep 2009

Thank you for your responses. I have continued troubleshooting and reviewed logs and here is what I have.

The steps provided in: Document ID: 2008042212582048
Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2008042212582048?Open&seg=ent

have yielded negative results; however, the IIS log review has tons of data, all of it repeating for each machine on the network. I pulled the common info below:

W3SVC1 <IP> Get /secars/secars.dll (many strings of code) secars - 80 - <IP> - SMC 401 1 64

Honestly, I don't know what this means.

There seem to be no port conflicts with the info provided by Sandip_sali.

Also ODBC has returned successful when tested.

If a reinstall is required so be it, but I'd like to make sure it's not the server set too restricted. There is no documentation provided by the Gov to make SEPM work while still staying secure.

Vikram Kumar-SAV to SEP, 30 Sep 2009

SMC 401 1 64

It shows that you have invalid IUSR credentials supplied in IIS

HTTP 401.1: Denied by invalid user credentials
http://support.microsoft.com/kb/907273
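
The 401.1 reading above can be checked across a whole IIS log instead of one line. The following is an added example, not part of the original thread: it parses W3C extended log lines using the #Fields directive and groups HTTP 401 responses by URI and sub-status. The sample log, its field order, query string and IP addresses are constructed for illustration.

```python
# HTTP 401 sub-status codes as documented for IIS.
SUBSTATUS_401 = {
    "1": "logon failed (invalid credentials)",
    "2": "logon failed due to server configuration",
    "3": "unauthorized due to ACL on resource",
    "4": "authorization failed by filter",
    "5": "authorization failed by ISAPI/CGI application",
}

FIELDS = ("date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query "
          "s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus "
          "sc-win32-status")

# Constructed sample log; addresses are from the documentation range.
SAMPLE_LOG = "#Fields: " + FIELDS + """
2009-09-30 14:02:11 W3SVC1 192.0.2.10 GET /secars/secars.dll q=constructed 80 - 192.0.2.51 SMC 401 1 64
2009-09-30 14:02:12 W3SVC1 192.0.2.10 GET /secars/secars.dll q=constructed 80 - 192.0.2.52 SMC 401 1 64
2009-09-30 14:02:15 W3SVC1 192.0.2.10 GET /iisstart.htm - 80 - 192.0.2.60 Mozilla/4.0 200 0 0
2009-09-30 14:03:11 W3SVC1 192.0.2.10 GET /secars/secars.dll q=constructed 80 - 192.0.2.51 SMC 401 1 64
"""


def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))


def auth_failures(records):
    """Group HTTP 401 responses by (URI, 'status.substatus')."""
    groups = {}
    for rec in records:
        if rec.get("sc-status") != "401":
            continue
        sub = rec.get("sc-substatus", "?")
        key = (rec.get("cs-uri-stem", "?").lower(), "401." + sub)
        group = groups.setdefault(key, {
            "count": 0,
            "clients": set(),
            "meaning": SUBSTATUS_401.get(sub, "unknown sub-status"),
        })
        group["count"] += 1
        group["clients"].add(rec.get("c-ip", "?"))
    return groups


if __name__ == "__main__":
    for (uri, code), info in auth_failures(parse_w3c(SAMPLE_LOG)).items():
        print(uri, code, info["meaning"], info["count"], sorted(info["clients"]))
```

A 401.1 that repeats for every client against the same URI points at the server-side account or policy rather than at individual clients.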

Prachand, 30 Sep 2009

Title: '"Java -1" error in event log and the error "Failed to connect to server" at login, with HTTP 401 in scm-server-0.log, HTTP 401 1 0 in IIS Logs'
Document ID: 2008101518485148
Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2008101518485148?Open&seg=ent

Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)

Bowpro, 01 Oct 2009

I have solved this issue with not being able to see the Home, Monitor and Reports pages. From Vikram Kumar's post about IUSR credentials I went checking. We have Deny access from network blocked for the Guests group and the IUSR is a member of Guests. Once I removed Guests from being denied and restarted the IIS service along with the dependent services I was able to see the screens.

Now that I can see what's going on I will continue to see if I can get the clients to connect. I appreciate all the assistance.

Bowpro, 01 Oct 2009

This just keeps getting better.

So I solved the reporting issue, however I was informed we can't use SEPM Ver 11.0.5, so I had to uninstall it and did so step by step, all 25 of them listed in one of the links above. So I rebooted the server and went to install 11.0.4.4014 and wouldn't you know it, issues.

I get the following:
To continue the installation, make sure that the Internet Information Services (IIS) World Wide Web Publishing Service (W3SVC) is installed and running. On computers that run IIS 7.0 or later, the following IIS role services must also be installed: ASP.NET, CGI, and IIS 6.0 Management Compatibility.

So I make sure the W3SVC service is running and because the machine is running IIS 6.0 ASP.Net doesn't have to run (I assume). When the install is restarted it gets to a point and then starts its rollback process.

I have the SEPM_INST.LOG ready, it's a rather large txt file, so if you just list the parts you want I have no problem cutting them out and posting them.

I'd be finished by now if I could just use 11.0.5, but we don't work that way. Again thank you for your help.

Prachand, 02 Oct 2009

In the SEPM inst.log search for Return Value 3 and paste 5-6 lines before and after that.

Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)

Bowpro, 05 Oct 2009

As requested.

(6) lines (or so)  prior to Return Value 3
CustomActionSchedule(Action=InstallIISConfig,ActionType=3073,Source=BinaryData,Target=InstallIISConfig,CustomActionData=C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\ C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\   C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Php\Php.ini C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection Manager\Php\temp\ 1 80 8014 C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\conf.properties 0)
MSI (s) (8C:C4) [14:45:11:154]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI101.tmp, Entrypoint: InstallIISConfig
SESM CA: InstallIISConfig Begin

(6) lines after (or so)

MSI (s) (8C:B4) [14:45:11:467]: User policy value 'DisableRollback' is 0
MSI (s) (8C:B4) [14:45:11:467]: Machine policy value 'DisableRollback' is 0
MSI (s) (8C:B4) [14:45:11:514]: Executing op: Header(Signature=1397708873,Version=301,Timestamp=994145647,LangId=1033,Platform=0,ScriptType=2,ScriptMajorVersion=21,ScriptMinorVersion=4,ScriptAttributes=1)
MSI (s) (8C:B4) [14:45:11:514]: Executing op: DialogInfo(Type=0,Argument=1033)
MSI (s) (8C:B4) [14:45:11:514]: Executing op: DialogInfo(Type=1,Argument=Symantec Endpoint Protection Manager)
MSI (s) (8C:B4) [14:45:11:514]: Executing op: RollbackInfo(,RollbackAction=Rollback,RollbackDescription=Rolling back action:,RollbackTemplate=[1],CleanupAction=RollbackCleanup,CleanupDescription=Removing backup files,CleanupTemplate=File: [1])

Prachand, 05 Oct 2009

Are there any other values for return value 3 in the SEP_Inst.log?

Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)

Vikram Kumar-SAV to SEP, 05 Oct 2009

Install the updated version of Windows Scripting, reboot the server, then try the installation again.

Version 5.7 for Windows Server 2003, downloadable from Microsoft.

http://www.microsoft.com/downloads/details.aspx?FamilyID=f00cb8c0-32e9-411d-a896-f2cd5ef21eb4&DisplayLang=en 

Bowpro, 05 Oct 2009

Installed Scripting Ver 5.7 and still no joy.

Lines prior to Return Value 3
CustomActionSchedule(Action=InstallIISConfig,ActionType=3073,Source=BinaryData,Target=InstallIISConfig,CustomActionData=C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\ C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\   C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Php\Php.ini C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection Manager\Php\temp\ 1 80 8014 C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\conf.properties 0)
MSI (s) (D4:D0) [09:12:07:203]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI29B6.tmp, Entrypoint: InstallIISConfig
SESM CA: InstallIISConfig Begin

Lines after
MSI (s) (D4:A4) [09:12:07:641]: User policy value 'DisableRollback' is 0
MSI (s) (D4:A4) [09:12:07:641]: Machine policy value 'DisableRollback' is 0
MSI (s) (D4:A4) [09:12:07:687]: Executing op: Header(Signature=1397708873,Version=301,Timestamp=994396452,LangId=1033,Platform=0,ScriptType=2,ScriptMajorVersion=21,ScriptMinorVersion=4,ScriptAttributes=1)
MSI (s) (D4:A4) [09:12:07:687]: Executing op: DialogInfo(Type=0,Argument=1033)
MSI (s) (D4:A4) [09:12:07:687]: Executing op: DialogInfo(Type=1,Argument=Symantec Endpoint Protection Manager)
MSI (s) (D4:A4) [09:12:07:687]: Executing op: RollbackInfo(,RollbackAction=Rollback,RollbackDescription=Rolling back action:,RollbackTemplate=[1],CleanupAction=RollbackCleanup,CleanupDescription=Removing backup files,CleanupTemplate=File: [1])

Remember this system has been "hardened" and some of the service accounts do not have the permissions given by default. (Example: IUSR was denied access to this computer from network) If I knew what accts were utilized by the install I may be able to give them access till the install completes.

Vikram Kumar-SAV to SEP, 05 Oct 2009

Check this as well...
Symantec Endpoint Protection Manager installation rolls back at Configuring IIS.

http://service1.symantec.com/support/ent-security.nsf/docid/2007101209193548

Bowpro, 06 Oct 2009

Taking too long

Because of repeated issues with the install and worries about client management, I was allowed to install 11.0.5 SEPM, however that too encountered problems. To expedite the management of our clients the best course of action is to restore from the last full backup and use what has been discussed here to "unhose" the server again. I appreciate all of your assistance, however with our machines being very locked down the solutions people provided were not successful. Thank you for your time and help.

Bowpro, 24 Nov 2009

Flogging a dead or soon to be dead horse.

Hello again!

Seems the time has come again to migrate SEPM from 11.4014 to 11.4202 MR4 MP2. I wish it was straight to 11.5 and let me get on with more pressing matters, but the powers that be have said we must upgrade and wouldn't you know it.... Broken again.

I followed the migration article of backup the database to the letter. Stopping the services and halting replication. I thought this would be easy as it says I can install right over the previous version. However.... Again the DoD's requirements for hardened systems bites back. Upon install which this post was about has returned. When it gets to about 80% complete it rolls back. Now being a veteran of this I thought I was smart enough to write what I did down, and I swear I did, but seem to have lost my notes. Which leads me to... I have the logs and what not, it's pointing to some PHP.ini file that does exist, but I know for a fact it's a service we removed from the policy that is causing it to fail. I will post the log entry and the Event log entry so you can get a warm fuzzy but in reading the other forum posts the Windows scripting has already been upgraded as per one of my previous posts in this topic. 5.7 has no effect. So come up with what groups/service accts/users need to have specific access in the policy. I remember something about the local service and what not but I did so much before I have forgotten. Below are the log entries you will want.

SEPM_INST Log
M CA: ShellExecuteEx succeeded.
SESM CA: Process return value: 5
SESM CA: hInstApp: 42
SESM CA: RunCommandFromBin End
SESM CA: Failure in IIsConfig.vbs script - See the Windows Event Viewer application log for the failure event.
SESM CA: MigrateIISConfig End
Action ended 14:51:25: InstallFinalize. Return value 3.
MSI (s) (48:98) [14:51:25:567]: User policy value 'DisableRollback' is 0
MSI (s) (48:98) [14:51:25:567]: Machine policy value 'DisableRollback' is 0

Event log entry:
IISConfig.vbs error( 5 ) - In function ConfigPhpIni() - The phpIniFile param points to a folder that does not exist: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Php\Php.ini

Please tell me what to check, what policy settings affect the install, and if possible how I can work around this without having to reduce the security posture of the machine.

Thanks in advance, I know you guys will figure it out.
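
The triage asked for earlier in the thread (search the installer log for "Return value 3" and read the lines around it) can be scripted for a multi-megabyte log. This is an added example, not part of the original thread or of Symantec's tooling; the sample log is constructed from the kinds of lines quoted above, and the function names are hypothetical.

```python
import re
import sys

RETURN_3 = re.compile(r"^Action ended [\d:]+: (?P<action>[^.]+)\. Return value 3\.")
CA_RETURN = re.compile(r"Process return value: (?P<code>\d+)")

# Constructed sample in the format of the installer log lines quoted above.
SAMPLE_LOG = """\
Action ended 14:50:02: CostFinalize. Return value 1.
Action start 14:51:20: InstallFinalize.
SESM CA: Process return value: 5
SESM CA: hInstApp: 42
SESM CA: RunCommandFromBin End
SESM CA: Failure in IIsConfig.vbs script - See the Windows Event Viewer application log for the failure event.
SESM CA: MigrateIISConfig End
Action ended 14:51:25: InstallFinalize. Return value 3.
MSI (s) (48:98) [14:51:25:567]: User policy value 'DisableRollback' is 0
MSI (s) (48:98) [14:51:25:567]: Machine policy value 'DisableRollback' is 0
"""


def decode_log(raw):
    """Decode log bytes; honor a UTF-16 byte-order mark if one is present."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")


def find_failures(text, before=6, after=6):
    """Return one record per 'Return value 3' line, with surrounding context."""
    lines = text.splitlines()
    hits = []
    for i, line in enumerate(lines):
        match = RETURN_3.match(line)
        if not match:
            continue
        start = max(0, i - before)
        clues = []
        for prior in lines[start:i]:
            code = CA_RETURN.search(prior)
            # Keep explicit failure messages and non-zero child exit codes.
            if "Failure" in prior or (code and code.group("code") != "0"):
                clues.append(prior.strip())
        hits.append({
            "line": i + 1,
            "action": match.group("action"),
            "clues": clues,
            "context": lines[start:i + after + 1],
        })
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as handle:
            log_text = decode_log(handle.read())
    else:
        log_text = SAMPLE_LOG
    for hit in find_failures(log_text):
        print("line %d: action %s failed" % (hit["line"], hit["action"]))
        for clue in hit["clues"]:
            print("  clue:", clue)
```

The "clues" list narrows the context to the lines that name a failing script or a non-zero exit code, which is what points from the installer log to the Windows Event Viewer entry.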

Vikram Kumar-SAV to SEP, 25 Nov 2009

Copy the content of the PHP folder from program files\symantec...manger\php
to C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Php\Php.ini and try again.

Bowpro, 25 Nov 2009

Huh?! Copy it from the dir it already exists in to the same dir, that doesn't make sense. The PHP.ini exists and the path is correct. If you could elaborate on your solution I'd appreciate it. I mean, I could copy the folder away then put it back, but seriously, what will that do? Which is what I'm going to do and I'll try the install again and post the log. If this works.... Oh I'll feel dumb.

Vikram Kumar-SAV to SEP, 25 Nov 2009

Oops my mistake I messed up with the locations..

But when you go to C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Php\

do you see the php.ini file or is it not there?

Do you have any other application that uses PHP?

Bowpro, 25 Nov 2009

Yes the PHP file is there. And most likely something else uses PHP but.... When I eventually got SEPM installed before this was no issue. However looking at the previous logs this happened before but what I did to fix the issue I can't remember. It was a policy setting we had removed one of the accounts from that allowed it to be installed, it looks like the above error is the problem but it really isn't. Hence why I need to know what the script makes calls to for the install. Kind of how the IUSR is part of the Guests group which we have in the policy as denied. Even if I remove the guests from Denied it doesn't install, so that isn't the one.

Vikram Kumar-SAV to SEP, 25 Nov 2009

Can you attach the SEPM_INST.log over here..

Bowpro, 25 Nov 2009

It's a 12mb txt file. What part do you want? It keeps giving the same error I posted above.

Bowpro, 25 Nov 2009

My mistake 8Mb

Vikram Kumar-SAV to SEP, 25 Nov 2009

Edit your main post on the top (the first one); on the bottom you will see an Attachment button

Bowpro, 25 Nov 2009

Log attached. The event log entry is as follows.

Event log entry:
IISConfig.vbs error( 5 ) - In function ConfigPhpIni() - The phpIniFile param points to a folder that does not exist: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Php\Php.ini

Bowpro, 25 Nov 2009

Ok installed Windows Install Script from your link and ran the install again and as expected, same error msg in the sepm_inst.log

Nice try but no dice, try again.

Vikram Kumar-SAV to SEP, 25 Nov 2009

Did you reboot the machine after installing the install script? It needs to be rebooted.

Rafeeq, 25 Nov 2009

Hi

Check this discussion, it will help you out

https://www-secure.symantec.com/connect/forums/failure-iisconfigvbs-script#comment-1757511

Please don't forget to mark your thread solved with whatever answer helped you : ) Rafeeq

Vikram Kumar-SAV to SEP, 25 Nov 2009

Hi Rafeeq,
I guess that's the same link I've posted above..

Rafeeq, 25 Nov 2009

Yes Vikram

Same link in case he missed out :)

Please don't forget to mark your thread solved with whatever answer helped you : ) Rafeeq

Vikram Kumar-SAV to SEP, 25 Nov 2009

@rafeeq-- Lol..

@Bowpro-- Try giving permission to everyone for full access for

C:\Program Files\Symantec\Symantec Endpoint Protection Manager\
and 

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection Manager

Do the upgrade and after that you can remove the permission..

Bowpro, 25 Nov 2009

Ok, to hopefully tempt the server god I rebooted the thing and tried the install again. Still failed and rolled back. Checked the log and same error in SEPM_INST log and the Event log. Next time, if you recommend to install something that will require a restart to happen, please say so. I can't just shut these things off whenever I want.

Anyway, next item to be looked at please.

Bowpro, 25 Nov 2009

I tried that as well. I was thinking it would elevate the privilege of the service needed but no it didn't work either. I went so far as to go into each folder and make sure the permission was propagated down and elevated the users group rights also.

Bowpro, 25 Nov 2009

We don't have an "everyone" group anymore on our systems. So I had to do what is closest. Will it matter and does something specifically need the Everyone group?

Vikram Kumar-SAV to SEP, 25 Nov 2009

Authenticated Users, Users, Administrators, IUSR_xx (or which account the SEPM web server is using in IIS)

Also try repairing SEPM once then try upgrading..

Vikram Kumar-SAV to SEP, 25 Nov 2009

Follow this article for IIS permission
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007103114091748

Also make sure you are doing things locally on the server.. RDP causes a lot of problems in Symantec products..

Bowpro, 25 Nov 2009

Oh the frustration continues.
That above article with the things used by IIS was exactly what I was looking for, however after making the changes that the article had said I was still unsuccessful. I am starting to doubt myself and what I believe fixed the issue before. I may have to remove the whole installation of SEPM and start over, if I can. Also I tried to login to the console and was greeted by a hanging login process. So now I am not just having an issue migrating to the next version, but I'm also unable to manage the thing. Hopefully SEPM still works once the services are enabled.

Is there anything else you guys want me to try or should I remove it and try from scratch again? If I do remove it, I will have the install issue again regardless. I so hate hardening!!!

Bowpro, 30 Nov 2009

Issue resolved!

Ok this is also for my future reference.

When we apply the Gov standard STIGs they require us to prevent .VBS scripts from running. Week before last my co-workers had "finished hardening" the endpoint server which caused the above issue. Last week they were on leave and neglected to tell me what had occurred. Anyway, all your troubleshooting was appreciated and your solutions will be used at some point. However here is the solution to our specific issue.

Run
REGSVR32 C:\Windows\System32\scrrun.dll

This will enable .vbs files to run. No restart required and the install will not rollback at the IISConfig.vbs

Thank you for your help, I'm sure I will need it again.

Vikram Kumar-SAV to SEP, 30 Nov 2009

Good to know that even this can cause install failure..

littlecl, 05 Apr 2010

Everyone Permission

What permissions need to be given to everyone? The server team ran the STIG on my server and killed it.