Endpoint Protection

  • 1.  Server with 2 network interfaces, SEP kills traffic and RDP

    Posted Feb 17, 2015 05:27 PM

    I am running a VPN gateway product on Server2008 R2. The server has 2 network interfaces. One is a VMware interface, the other a virtual interface installed by the gateway software. The VPN clients come in through the VM interface, which is the same as a physical network interface in a physical server, and they get an IP address consistent with the virtual interface the gateway software installs and manages.
    When I tell the gateway to NAT VPN addresses to LAN addresses, RDP sessions between my workstation and the gateway server get flaky and disconnect every so often.
    NAT also does not work.
    If I remove SEP totally the RDP issues go away and the gateway happily NATs the VPN client addresses to the LAN addresses and the clients appear to be on our LAN with the NAT addresses.
    Install SEP, NAT fails, RDP gets funky.
    I can "disable" the SEP firewall, same result.
    I can create a top rule that says "allow all traffic to and from all things from anywhere to anywhere anything at all" to open things up wide as can be, same issue. RDP is not stable and NAT stops working if SEP is installed.

    As soon as I uninstall SEP, the product works GREAT.

    If I do not NAT, everything is fine but our clients can't get to all resources due to the VPN IP addresses not being allowed to all things. We need to NAT those addresses to LAN addresses so must have NAT working, but SEP is killing that.

    Any ideas? Any way to tell SEP to deal with 1 interface and TOTALLY ignore the other interface? Or set it different for each interface?
    Can I tell SEP to watch the LAN interface, which is the VMware equal of a physical interface and leave the rest alone, or somehow make SEP stop interfering with NATting??
     

    Odd that SEP blocks the NATting, and messed with RDP as well, remove SEP, RDP is flawless, fast and stable and NAT works.
    Traffic passes between the two interfaces, Microsoft routing is installed on this server.

    Any known issues?



  • 2.  RE: Server with 2 network interfaces, SEP kills traffic and RDP

    Posted Feb 17, 2015 08:19 PM

    I don't believe there is a way to configure SEP to ignore specific NICs. If there is, I can't find any info on it. May need to engage the support folks. Seems more of an issue with the driver itself and how it processes traffic as opposed to the rulesets in use. Creating an allow rule for specific interfaces should resolve it in theory but that doesn't appear to be it.

    Does anything show in the Traffic log?



  • 3.  RE: Server with 2 network interfaces, SEP kills traffic and RDP

    Posted Feb 18, 2015 08:29 AM

    That's just it, if I uncheck the bottom rules which are to block all other traffic and log plus block all other traffic and don't log, there's nothing at all in the logs.

    The logs on the VPN gateway server, the VPN client, the DCs, everything, are empty of any traffic related to this situation. It's as if it's a driver issue like you say, or SEP is doing something it simply never logs.

    I've got to get this resolved as we are about to go live with this server - and my early tests showed all was well, but I was testing for INSIDE access only, not for Internet access and without NAT, the firewalls at the state offices won't let our VPN traffic through. I have to have NAT to make it work and SEP is breaking NAT on that server.

    It is absolutely SEP as I've had SEP off twice, and each time I remove SEP, it all works perfectly.

    Put SEP back, even with full allow rules for all traffic, it breaks the VPN gateway.



  • 4.  RE: Server with 2 network interfaces, SEP kills traffic and RDP

    Posted Feb 18, 2015 08:32 AM

    And I guess yeah on support although honestly there's no way I'm going normal channels as I waste days and days on the first-line support and have to argue to get it escalated.

    I need a real engineer or 2nd or 3rd tier support right out of the gate. I can't waste any time at all, not so much as an hour or two explaining "I have already uninstalled and reinstalled twice now, that ain't gonna fix it, trust me!"

    I don't contact support until I have already done things that the first line support would suggest so I sit bored while they have me check this, uncheck that, uninstall, reinstall, try again, uninstall, reinstall....... I need an engineer and Symantec doesn't make that happen easily so I really cringe at having to open a ticket and avoid it whenever possible.

     

    They never check posts in here so I guess it's sort of a waste trying in a way.