Endpoint Protection

When enabling authentication for the Shared Insight Cache service, where is the username and password defined on the SIC?  The username and password is defined in the AV policy in the SEPM, but no documentation exists where to define the same username and password on the SIC server.

Hello,

By default, Shared Insight cache is set up with no authentication and no SSL. It can be changed to Basic authentication with SSL, no authentication with SSL, or Basic Authentication with no SSL.

Symantec Endpoint Protection Shared Insight Cache User Guide 12.1

http://www.symantec.com/docs/DOC4334

Configuring your clients to communicate with Shared Insight Cache

http://www.symantec.com/docs/HOWTO55321

For Documentation: 

Symantec Endpoint Protection Shared Insight Cache User Guide 12.1

Again, there is zero documentation describing where to define a username and password on the SIC server in the noted documentation links above.

Hello Rowdyman,

The SIC uses Windows authentication for the username/password, so use the username and password of a Windows account that can logon to the SIC computer. (I tested this a few minutes ago using local Windows credentials, but I imagine domain credentials work as well.)

Please note that the SIC will need to be configured to expect authentication before this will work. Page 15 in the PDF document in the following KB document explains how to do this.

Hi Rowdyman,

Any update on this for us?

Regards,

James

I'm in the process of requesting a resoruce ID in AD for use with the SIC server and will test once provisioned. 

James, thank you for providing the information that the credential utilizes AD authentication.  However, I'd like to point out that no where in the SIC User Guide documentation does it state that SIC authentication uses Active Directory.  This is very critical information that should be included in the document.

Hi Rowdyman,

Thanks for getting back to me on this.

I agree that this is critical information which should be included in the SIC documentation. I will see if it will be possible to get this added.

Regards,

James

Hello,

We Appreciate you highlighting this to us.

We are working on this - "Work in Progress".

I too am now facing this challange with setting up SSL for both SIC and SEPM to use with Clients.

Symantec has GOT to get on the ball with better, or even some, SSL documentation for SEP12.

for a company that purchased an ECA, this seems like a simple thing to do.

Has this documentation been completed? There are no Revs or date stamps on the SIC documentation so unless you know what to look for...

Also, can you please paste a sample SIC CacheService EXE config file if we want to use SSL with NO Authentication...again the documentation and actual files are not entirely easy on the eyes.

Anyone....:)

After escallating a separate case multiple times regarding SIC/SSL that was open for TWO MONTHS!!! - not kidding here, Symantec Support finally replied that they have successfully validated that SIC/SSL works just peachy using a self-signed IIS cert with the SIC. 

I have had no success using SIC/SSL and haven't had a chance to modify my .config to the one they provided just a week ago (pasted below).

I'd be curious if someone can get SIC/SSL with no authentication to work, and if so, also try SIC/SSL with authentication, preferably on a Windows 2008 Server OS from my perspective.

- Rowdyman

From Symantec Support -> SharedInsightCacheService.exe.config (.zip attached)

Attachment(s)

SharedInsightCacheService.exe_.zip   1 KB 1 version

110% agree..

Symantec needs to get on the ball here with respect to Certificate Validation....you know entrust is a lot more responsive here gang...;) with Certs.

So, anyone from syamntec, can you please chime in here, shed some light on our questions, and provide answers on using SIC with SSL. I also opened a thread on using Clien to Server SSL communication, and thats pretty much a dead discussion as of yesterday..Sending a link to a document is great, but if your document says, DONT IMPLEMENT SSL, it sort of defeats the purpose...

Symantec- Please help and provide some in depth information on SSL with the SIC and how to setup both the config file on the SIC machine, and what to alter in the AV policy...

At least my Goal, is to test SIC/SSL with no authentication..

But shouldnt these documents be telling us

A) ensure the issuing ROOT is on the client node

B) This is how to set it up using a NON SELF SIGNED cert on your SIC

ITs good to go over using a self signed cert, but in reality, if you want to ensure things work AHEAD of time, using a ECA that gets updated and pushed down through Windows Update, ensures you have no requirement to use a GPO to get a issuing root on the box ahead of time...I see absolutely nothing in the documentation

Symantec! Please read this forum discussion and provide us with a COMPLETE documentation about Shared Insight Cache as requested in many different forum discussions here.

Just another example, which was never solved: https://www-secure.symantec.com/connect/forums/shared-insight-cache-server-working

Please! Can you providing as with a new Documentation about your product?

Thanks.

Just want to add my two cents here... I have a working config of SIC/SSL/auth and SIC/SSL/noauth.

With Basic auth I can see a lot of stress for the Windows Local Security Authority Process (lsass.exe). I have up to 80% CPU usage with up to 5 clients scanning at my test SIC server. I guess every cache request from a client makes an auth.

Here's what I did:

• Requested a cert at our own CA and deployed it to the SIC servers machine cert store
• Bound the SSL cert to port 9005 as documented
• Added an AD user for use with SIC
• Set user with pass and "require ssl" at SEPM policy
• Setup SharedInsightCacheService.exe.config:
  https instead of http @ "CacheServer.CacheServer" and Transport @ "CacheServerBinding" as more or less documented

Setting transport clientCredentialType="None" @ "CacheServerBinding" (just below security mode="Transport") deactivates the authentication and frees CPU ressources with the "disadvantage" of less security.

So my sticking point was the default setting of basic auth for the security mode that does not take affect if set to none!

Here's a simple way to test if it works: use a browser and point it to: https://<server>:9005/1. Instead of <server> use the server name accordingly your SSL cert and policy config.
You should see a blue banner named "Service" and below "Endpoint not found.". The browser should show the use of SSL (and a warning before if you use a self signed certificate or wrong server name).
If you get an "not found" - 404 error or don't see anything at all then something is wrong (e. g. usename or password). Have in mind wrong pass with basic auth gives a blank browser window not a request of username/password!

Tip: If you want to see what SIC is doing set the logging settings (line 103) to "DEBUG" and e. g. the maximumFileSize value="10485760" (10 MB). This shows the current entries in the memory database, memory usage and if an item is already in the dictionary when a client asks and some more things.

We finally got SIC with Auth and SSL running on Port 443 using http://www.symantec.com/docs/TECH170551