SEPM Monitor to verify Mgmt Server is Available

Created: 18 Aug 2010 • Updated: 19 Sep 2010 | 7 comments
This issue has been solved. See solution.

We set up a monitor in F5 global traffic manager (DNS) load balancer so that if one of our SEPM servers has an issue where it cannot deliver updates to the SEP clients, the load-balancer won't hand out that server's IP in DNS responses.

I set up the following health monitor in the F5 load balancer:

http://<server_name>:8014/secars/secars.dll?secars...

The above URL returns an HTTP 400 Bad Request error.  The above URL is listed in the SEP11 Administration Guide in the Troubleshooting communication problems section.

Next I set up the following health monitor:

http://<server_name>:8014/reporting/index.php

This URL does return a login page for reporting.  However, I am told by our server mgmt team that this login page continues to successfully return even when the SEPM service is disabled on the server.

My question is this:

What URL or other "object" is the best indicator that the SEP and its services are up and available so the clients will be able to get their AV and Firewall policy updates?

I see the clients heartbeat to the first URL and so this URL seems to be the best candidate to use as the health check in the load-balancer.  Is this the best one, or is there some other check that can be made to verify that clients can connect and they can successfully retrieve content updates?  If this is the best URL to check, then why does it not work as specified in the Admin guide?  Are there any other health checks (URLs) I can try, such as the POSTs that appear to be register transactions when new clients connect to the SEPM?

Our server mgmt team thinks we need to set up a dual monitor, one to check that clients can connect to the IIS web service running on TCP port 8014, and one to check that the Tomcat web server is running on TCP port 8443.  I would prefer a single health check that is the most appropriate.

Thanks.


rdilallo's picture

I tried http://servername:8014/secars?hello,secars against all of my SEPMs and received an "OK".

If you want to go a step further, https://localhost:8443/servlet/ConsoleServlet?Acti... will give you information on all the tasks that run on the SEPM as well as other information.  It's more detail than your F5 load balancer would need, but you could write something to parse the results of the query to better understand the health of your SEPM.

Good luck! 

thatdude's picture

I get a blank page when I tried the first link. When I tried the second link I didn't get any detailed information, only

<?xml version="1.0" encoding="UTF-8" ?>

  <Response />
thatdude's picture

I started getting an OK using the first link but the second link still doesn't provide any information

Ken Nadsady's picture

To: rdilallo

Thanks for replying, but can you confirm the URL and result again?  Is the exact syntax shown in your posting, because it is different than what I read in the Admin guide.  I get the same result whether I use your URL or the one in the Admin guide - a Page not found message in the browser, but an HTTP 400 error is seen in a wireshark trace.

I tried your https:// 8443 check but from a remote machine instead of from the server itself pointing at localhost, and I get the same xml response as in the other response in this thread.

<?xml version="1.0" encoding="UTF-8" ?>

  <Response />

Thanks

Kurt G.'s picture

I'm noticing a discrepancy with the URL utilized here to test Secars. I checked the RU6a Administrator Guide and I was not able to locate the URL that you have been testing with. We should be able to enter the following URL into a browser and receive an OK displayed on the page when the SEPM service is running. Stopping the SEPM service would either return an error or a blank page in the browser.

http://<server_name or IP address>:8014/secars/secars.dll?hello,secars

Let us know if this helps, as this would be the URL utilized to ensure communications with the SEP clients is working correctly.

Regards.

Kurt G.
Symantec Technical Specialist: Endpoint Security Advanced Team

Symantec Corporation www.symantec.com

Symantec Enterprise Support: (800) 342 0652 

SOLUTION
Ken Nadsady's picture

Kurt G - Thank You! Yes the URL in the Admin guide looks like it has the "hello,secars" portion of the URL transposed as "secars,hello".  I just got off the phone with Symantec tech support and after about 90 minutes of explanation and testing we figured out that the hello needs to come first in order to get the "OK" response.

I was told that the Symantec tech support database would be updated with info regarding this issue, and I hope that is the case because anybody that wants to load balance the SEP 11 Managers using F5 local or global traffic managers would definitely be interested in this information in order to set up the best health check for this application.

Hopefully the Administration Guide will be corrected in future versions as well.

Thanks again, Ken

Rafeeq's picture

The URL is to test the connectivity of the browser to the SEPM website hosted in IIS.
You will get OK from any IE, need not have SEP client installed; if SEPM service is running it would return OK (if there is no restriction on IIS).
This would only return OK if SEPM service is running; you can use this URL.
The correct format is here:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007101711140148
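
An added example, not part of the thread or of Symantec's documentation: a Python probe for the `hello,secars` URL confirmed above. It counts a server as healthy only on HTTP 200 with a body of exactly `OK`, so the 400 error, a blank page, or any other page served on port 8014 marks it down. The exact match on the stripped body and the names `probe_sepm` and `healthy_pool` are assumptions of this example.

```python
import http.client
import sys
import urllib.error
import urllib.request

# URL form confirmed in the thread: "hello" must come before "secars".
SECARS_PATH = "/secars/secars.dll?hello,secars"

# Ignore proxy environment variables: the probe must reach the SEPM itself.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def probe_sepm(host, port=8014, timeout=5.0):
    """Return (healthy, reason) for one SEPM (hypothetical helper)."""
    url = f"http://{host}:{port}{SECARS_PATH}"
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            status = resp.status
            # The expected answer is tiny; cap the read so a large page
            # (for example a login form) cannot stall the monitor.
            body = resp.read(256).decode("ascii", "replace").strip()
    except urllib.error.HTTPError as exc:  # e.g. the 400 seen with "secars,hello"
        return False, f"HTTP {exc.code}"
    except (urllib.error.URLError, http.client.HTTPException, OSError) as exc:
        return False, f"unreachable: {exc}"
    if status != 200:
        return False, f"HTTP {status}"
    if body != "OK":
        # Assumption: the healthy body is exactly "OK" after stripping whitespace.
        return False, ("blank body" if not body else "unexpected body")
    return True, "OK"


def healthy_pool(servers, timeout=5.0):
    """Filter (host, port) pairs down to those that pass the probe."""
    return [s for s in servers if probe_sepm(s[0], s[1], timeout)[0]]


if __name__ == "__main__":
    # Usage: python sepm_probe.py host1 host2 ...  (exit 1 if any host is down)
    results = {h: probe_sepm(h) for h in sys.argv[1:]}
    for host, (ok, reason) in results.items():
        print(f"{host}: {'UP' if ok else 'DOWN'} ({reason})")
    sys.exit(0 if all(ok for ok, _ in results.values()) else 1)
```
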