
Symantec EndPoint Protection on Domain Controller

Created: 29 Jun 2009 • Updated: 21 May 2010 | 6 comments

I have Symantec EndPoint protection on my PDC. This PDC is also my DNS server. The trouble I'm having is that VPN connected clients are getting some blocked IP traffic, and I've narrowed it down to SEP's Network Threat Protection. When I disable the NTP, the VPN clients are no longer blocked. I figured that I would configure the NTP to allow the traffic as opposed to totally disabling NTP.

I figured to start with the least amount of rules then add what I can. On the SEP Manager, I disabled the Firewall Policy for the group that the PDC is in. I also edited the client options for NTP: on the Firewall tab I only have the first three options checked (Enable Smart DHCP, DNS, and WINS). On the Intrusion Prevention tab, nothing is checked. At this point, the traffic is still blocked - I looked at the logs:

Application C:\WIndows\system32\drivers\ipnat.sys  is being blocked by rule  GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-TCP

I see nowhere to configure this 'rule'.
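As an added example (not from the post or from Symantec), a small Python triage script that parses traffic-log lines of the shape quoted above and groups the blocked application/rule pairs, flagging kernel drivers such as ipnat.sys (the Windows NAT driver) whose blocking points at a system service rather than a user application. The sample log lines are constructed, not taken from a real SEP log.

```python
import re
from collections import Counter

# Log line shape as quoted in the post: "Application <path>  is being blocked by rule  <rule>"
BLOCK_RE = re.compile(
    r"Application\s+(?P<app>\S+)\s+is being blocked by rule\s+(?P<rule>\S+)"
)

# Constructed sample lines following that shape; not a real SEP log.
SAMPLE_LOG = """\
Application C:\\Windows\\system32\\drivers\\ipnat.sys  is being blocked by rule  GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-TCP
Application C:\\Windows\\system32\\drivers\\ipnat.sys  is being blocked by rule  GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-TCP
Application C:\\Windows\\system32\\svchost.exe  is being blocked by rule  GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP
Some unrelated informational line
"""


def parse_blocks(text):
    """Return a list of (application, rule) tuples, one per block event."""
    events = []
    for line in text.splitlines():
        m = BLOCK_RE.search(line)
        if m:
            events.append((m.group("app"), m.group("rule")))
    return events


def summarize(events):
    """Count block events per (application, rule) pair, most frequent first."""
    return Counter(events).most_common()


def kernel_drivers_blocked(events):
    """Applications ending in .sys are kernel drivers; a block attributed to one
    (here ipnat.sys, the NAT/routing path used by VPN clients) means a system
    service is being filtered, not a user application."""
    return sorted({app for app, _ in events if app.lower().endswith(".sys")})


if __name__ == "__main__":
    ev = parse_blocks(SAMPLE_LOG)
    for (app, rule), n in summarize(ev):
        print(f"{n:3d}  {app}  <-  {rule}")
    print("kernel drivers blocked:", kernel_drivers_blocked(ev))
```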


teiva-boy

Don't enable the FW policy on servers. If you do, only enable a blank rule set with nothing selected or an any<->any traffic rule.

The main thing is that you want IPS from NTP, not the FW.


There is an online portal, save yourself the long hold times. Create ticket online, then call in with ticket # in hand :-) http://mysupport.symantec.com "We backup data to restore, we don't backup data just to back it up."

Kbalz

In my SEP Manager, I go to the group that the server is in, I see Firewall Policy [shared], it is greyed out because I've unchecked the 'Enable this policy' box. So it is already disabled (in my mind). But there are Action - Blocked items in the log still.

teiva-boy

Try this: create a new FW policy or a copy of one, and remove all the policies except for a single blank rule.

Apply this to the server, rinse repeat and see what happens.


Prashant Bharadwaj

Symantec strongly recommends not to install NTP on a server computer, as it may result in a lot of performance and DoS issues.

You may uninstall the NTP feature from the control panel > Add/Remove Programs

Prashant Bharadwaj, CEH, MCTS Windows Server 2008 Active Directory, Configuration, SCS Symantec Endpoint Protection 11.0

Paul Mapacpac

BharRie is correct, Symantec recommends not to install the NTP component if you are behind a corporate firewall. But if this is a requirement, you need to enable IP protocol 47 (GRE) and TCP port 1723.

teiva-boy

LOL, Symantec Product Management will say otherwise... So who's right?  

IPS has virtually little effect on network performance when working correctly. Although there is that darn XP SP3 bug with IPS...
In fact, the older SBS best practice guide said to enable NTP when installing the client on the SBS server.

That said, I have zero issues with most servers with it deployed to them. I've yet to try it though on SQL or Exchange boxes, or other high network throughput servers.
