Endpoint Encryption


Symantec Endpoint Encryption Management Agent unable to connect to the SEE/database server

  • 1.  Symantec Endpoint Encryption Management Agent unable to connect to the SEE/database server

    Posted Jun 25, 2015 05:39 PM

    I installed the SEE server, everything is up and running.  The server is 2012 R2 with 2012 SQL Express SP1 Advanced, per the SEE installation guide.  At first, I had some trouble installing the agent component after I installed the management server.  When I browsed and chose (local) as my database server, it would not take it.  I kept getting “Unable to connect to the specified server. Please verify the server name, database name, and port information are correct and try again”.  Finally, after some trial and error, I figured out that you have to type the name of the server instead of local, even though it lets you choose local when you browse to it and the database is located locally on the same server. (I wish Symantec would provide better installation instructions.)  After that, it was smooth sailing; I installed the rest of the components that came with it (like drive encryption, autologon, helpdesk, etc.).  Now it is time to install the management agent component on my Windows 7 machine.  It failed at the same spot: when I click browse for the database server, it found my server, but I got the same error message “unable to connect to the specified server......”   No matter what I do, I cannot get past this point.  I tried both FQDN and IP.  It is the exact same settings I had when I installed the agent component on the server.  I ran out of ideas.  Is there an installation log or something that can give me a clue? Can someone please point me in the right direction?  Thanks



  • 2.  RE: Symantec Endpoint Encryption Management Agent unable to connect to the SEE/database server

    Posted Jun 29, 2015 06:58 AM

    Assuming you're talking about installing the management console onto a different machine than that running the management server itself, then have you checked that the ports are open for this machine too?  Can you telnet the SQL Server instance's port from your Win7 box?

    If you're trying to install the actual encryption agent, then you need to export this from the Manager Console first using the wizards, and install those exported MSI files on your target machine.



  • 3.  RE: Symantec Endpoint Encryption Management Agent unable to connect to the SEE/database server

    Posted Jun 30, 2015 01:47 PM

    It sounds more to me like some of the database services are turned off.  In the SQL Server Configuration Manager, check under "SQL Server Services", and make sure the services are running.  I have this happen occasionally with SQL Server Express; the services don't seem to come up properly after a reboot of the server, which you would have done after installing the SEE components.

    "SQL Server Agent" does not need to be running currently, it only kicks on for specific things.



  • 4.  RE: Symantec Endpoint Encryption Management Agent unable to connect to the SEE/database server

    Posted Jul 01, 2015 04:28 PM

    SMLatCST: Yes, I am installing the management console so I can remotely manage the server.  I don't understand why SEE calls them the same management agent.  What port am I supposed to be checking?  The firewall is turned off.

    Mike:  I don't think it is the SQL Server service not running.  I am able to install the management console component on the SEE server.  The SEE server is running fine with access to the database.

    I am able to do what I need to do on the SEE server, but the management console is supposed to allow an admin to remotely control the SEE server from their machine without remoting in to the server.   It is not working.

    I spent 4 hours working with SEE support and checked every setting.  They have no clue what is going on.   I guess she will have to escalate to the next level.



  • 5.  RE: Symantec Endpoint Encryption Management Agent unable to connect to the SEE/database server

    Posted Jul 02, 2015 03:27 AM

    The Management Console talks to the same DB as the Manager Server component, so you need to make sure the ports are open for your Win7 machine to connect to the SEEMSDb on the Management Server.

    Assuming you're sure the connectivity is not the issue, then I'd recommend checking out the SQL logs to see if you can see evidence of this remote connection, and what else might be the problem.



  • 6.  RE: Symantec Endpoint Encryption Management Agent unable to connect to the SEE/database server

    Posted Jul 02, 2015 11:50 AM

    Greetings,

    In addition to the thread above, have you ensured that the user who is currently logged on to the machine where you are trying to install the management console is added to the SQL connect permissions on the database, SEEMSDb?

    You may recheck this using the UDL test from the Windows 7 machine and see if the currently logged-on user is able to reach the SQL instance and sees the SEEMSDb.

    Plus, please ensure the server roles are in place for this logged-on user.

    Do let me know if this helps.



  • 7.  RE: Symantec Endpoint Encryption Management Agent unable to connect to the SEE/database server

    Posted Jul 06, 2015 12:22 PM

    SMLatCST,

    The problem is that the installation is not finding the database.  I don't think the SQL database will have a log for that.

    CipherGuy,

    I am the one who installed the management server.  I am using the same login I used to set up the server as well as the database.  I can log in to the database fine with my login.



  • 8.  RE: Symantec Endpoint Encryption Management Agent unable to connect to the SEE/database server

    Posted Jul 07, 2015 03:39 AM

    The fact is I've already asked about connectivity, and you said everything was correctly set up.  Therefore, if connectivity is not the problem, I can only think then that it's something within SQL.

    From what you've posted here you:

    • said the sql server service for the instance in question is up and running
    • have the SEE Management Server connected to SQL, both of which are on the same box
    • have said the SEE Manager Console won't find the instance from another box, but haven't said what you've done to find out why yet

    Just to recap it then, have you...

    • confirmed name resolution is correct, or tried by IP address?
    • confirmed the port SQL is listening on?
    • locked SQL to a specific port (https://msdn.microsoft.com/en-us/library/ms177440.aspx)?
    • confirmed the port is open between the 2 machines?
    • checked you have the right instance name (if not using the default instance)?
    • successfully used telnet to connect (or tested an ODBC connection to the instance) from your Win7 machine to SQL?
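
The port, instance-name and telnet checks in the list above can be run as one script from the remote workstation. This is an added example, not part of the original thread and not Symantec or Microsoft code: it asks the SQL Server Browser service (UDP 1434) which TCP port a named instance listens on and then tries that port. It assumes the Browser service is running and reachable; `SEESRV01`, `SQLEXPRESS` and the two sample replies are constructed placeholders.

```python
import socket
import struct
import sys

def parse_svr_resp(data: bytes) -> dict:
    """Parse a Browser reply: 0x05, uint16 LE length, 'key;value;...;;'."""
    if len(data) < 3 or data[0] != 0x05:
        raise ValueError("not an SVR_RESP message")
    (size,) = struct.unpack_from("<H", data, 1)
    body = data[3:3 + size]
    if len(body) != size:
        raise ValueError("truncated SVR_RESP message")
    tokens = body.decode("ascii", errors="replace").rstrip(";").split(";")
    return dict(zip(tokens[0::2], tokens[1::2]))

def query_browser(host: str, instance: str, timeout: float = 3.0) -> dict:
    """Ask the Browser service about one named instance (CLNT_UCAST_INST)."""
    request = b"\x04" + instance.encode("ascii") + b"\x00"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, 1434))  # 1434/udp = SQL Server Browser
        data, _ = sock.recvfrom(65535)
    return parse_svr_resp(data)

def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Equivalent of the telnet test: can a TCP connection be opened?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose(info: dict) -> str:
    """A reply without a 'tcp' entry means TCP/IP is off for the instance."""
    if "tcp" not in info:
        return "TCP/IP is not enabled for this instance"
    return "instance listens on TCP port " + info["tcp"]

# Constructed sample replies (placeholder host and instance names).
_BASE = b"ServerName;SEESRV01;InstanceName;SQLEXPRESS;IsClustered;No;Version;11.0.3000.0;"
def _frame(body: bytes) -> bytes:
    return b"\x05" + struct.pack("<H", len(body)) + body
REPLY_NO_TCP = _frame(_BASE + b";")
REPLY_TCP = _frame(_BASE + b"tcp;1433;;")

if __name__ == "__main__" and len(sys.argv) == 3:  # usage: script HOST INSTANCE
    info = query_browser(sys.argv[1], sys.argv[2])
    print(diagnose(info))
    if "tcp" in info:
        print("reachable:", tcp_reachable(sys.argv[1], int(info["tcp"])))
```

A timeout from `query_browser` points at the Browser service or UDP 1434 rather than at the instance itself; a default (unnamed) instance does not need the Browser lookup at all.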


  • 9.  RE: Symantec Endpoint Encryption Management Agent unable to connect to the SEE/database server

    Posted Jul 07, 2015 11:47 AM

    SMlatCST:

    Thanks for your pointer.  The SQL port for some reason is not turned on by default.  I got past the database part of the installation and it is asking me for my management password now.  I now need to figure out how to enable the TLS/SSL connection with the management server database.

    I get an error when I try to enable the TLS/SSL connection in SEE Configuration Manager.

    Here is the error I got:

    Save failed for database configuration due to invalid data. Enter valid data.

    Unable to connect to Symantec Endpoint Encryption Management Server database using the connection parameters provided.

    Any idea?



  • 10.  RE: Symantec Endpoint Encryption Management Agent unable to connect to the SEE/database server

    Posted Jul 08, 2015 03:35 AM

    I'd recommend checking out MS documentation for SQL encryption first if you wish to enable encrypted comms between the SQL Server and the SEE Management Server / SEE Manager Console.

    As your SQL instance was on the default configuration, none of it will be set up yet.

    Do you really need to encrypt SQL Access?



  • 11.  RE: Symantec Endpoint Encryption Management Agent unable to connect to the SEE/database server

    Posted Jul 08, 2015 02:31 PM

    I found the encryption setting in the same area where I enabled the SQL port.  But when I enable the encryption and load the server certificate, the sqlserver service will not start anymore.  I looked at the SQL error log; here is what I found:

    The server could not load the certificate it needs to initiate an SSL connection. It returned the following error: 0x8009030d.  Check certificates to make sure they are valid.

    Error: 17182, Severity: 16, State: 1

    Unable to load user-specified certificate [Cert Hash(sha1) "xxxxxxxxxxxxxxxxxxxxxxxxxxx"]. The server will not accept a connection.  You should verify that the certificate is correctly installed.

    (This is the same certificate I used for my https for agent to server communication, so I know it is good)

    As for your question, is encrypting SQL access needed?  I believe this is something that is recommended by the installation guide.  If the SQL traffic is not encrypted, is it a vulnerability that someone may be able to see the traffic in plain text?  What kind of information is passed between the database and the server or console?



  • 12.  RE: Symantec Endpoint Encryption Management Agent unable to connect to the SEE/database server

    Posted Jul 09, 2015 03:26 AM

    As this is a SQL error, you'll probably need to pursue whatever MS support paths are available to you.  Only after you get SQL encryption operating, does SEE then get involved.

    A very quick google points out the below article though:

    https://support.microsoft.com/en-us/kb/900495



  • 13.  RE: Symantec Endpoint Encryption Management Agent unable to connect to the SEE/database server

    Posted Jul 09, 2015 12:30 PM

    Thanks for the pointer again, SMLatCST.   I am able to get it working using this link instead, since I already have a certificate created from IIS and I don't know how to compile and run .cpp.  The link below is much easier.

    https://thedataspecialist.wordpress.com/category/sql-server-2012/



  • 14.  RE: Symantec Endpoint Encryption Management Agent unable to connect to the SEE/database server

    Posted Jul 13, 2015 12:39 PM

    So after I assigned the correct permission to the certificate, I was able to turn on the encryption setting on the SQL server. I restarted the sqlserver service, then I was able to enable SSL/TLS for the database in the SEE Configuration Manager with no issue.  The issue I have is that after enabling the SSL/TLS setting on the database, all my clients are no longer able to check in with the server.  I thought that the SSL/TLS setting only affects the communication between the SEE agent console and the database.  Why does the setting cause my clients to not be able to check in with the server?  Any idea?



  • 15.  RE: Symantec Endpoint Encryption Management Agent unable to connect to the SEE/database server

    Posted Jul 14, 2015 03:45 AM

    Your interpretation is correct, encryption of SQL communications should not affect the clients' ability to check into the SEE Management Server.

    Have you done any troubleshooting yet?

    http://www.symantec.com/docs/TECH170865



  • 16.  RE: Symantec Endpoint Encryption Management Agent unable to connect to the SEE/database server

    Posted Jul 14, 2015 10:25 AM

    A lot of these troubleshooting steps looks like does apply in our situation.   We know the client could check in with no issue before.  But after we turned the SSL/TLS settings on for the database, the client was no longer able to check in.  Once I turn the SSL/TLS setting off, it works again.

    I looked at the EAcommunicatorsrv00.log:

    Here is the error message:

    Error message:  error 1344 0x590 eafrcliadsicomm system submitreport failed with error -Webservice rejected the connection - returned False eafrcliadsicomm.cpp:1423



  • 17.  RE: Symantec Endpoint Encryption Management Agent unable to connect to the SEE/database server

    Posted Jul 14, 2015 10:51 AM

    Oddly enough, that error seems to mirror those seen by someone who had rebuilt their SEE Management Server and DB:

    https://www-secure.symantec.com/connect/forums/reinstalled-see-v1100-mp1-management-server-new-database-now-clients-fail-check

    Out of curiosity, have you tried updating the client to use encrypted comms to the SEE Management Server and/or tested a new client package?  What do you see in the IIS logs?