Video Screencast Help

Upgraded SEPMs to SEP 12 RU2 - How to find whether clients are communicating on port 80

Created: 03 Jan 2013 | 9 comments

I am re-asking this question now that I have upgraded the SEPMs (not the clients, only the SEPMs) to SEP 12 RU2


Is there a simple way to find out whether clients are communicating with SEPM on port 80, other than having to use wireshark?

Comments 9 CommentsJump to latest comment

_Brian's picture

If you open a client GUI and go to help >> troubleshooting and the connection tab, it should show what server it's connected to and the port.

Unless you want to know from the SEPM, than you need a sniffer on it.

There is no report in the SEPM you can run.


RSASKA's picture

ok then wireshark it is!!!

The Enemy's greatest fear is that you'll discover who you really are, what you're really worth, and where you're headed.


_Brian's picture

That is the easiest. Here is an article on Wireshark and SEP communication. You can modify the display filter to fit your needs though.

pete_4u2002's picture

clients always initiate the connection on random ports, the port(80/8014) that needs to be open is on SEPM end.

Mithun Sanghavi's picture


Did you try the Secars test??

Check this Article: 

Testing Communication from an Endpoint Protection client to the Endpoint Protection Manager

To Test the connectivity between the client and the management server -

You can perform several tasks to check the connectivity between the client and the management server.

Hope that helps!!

Mithun Sanghavi
Senior Consultant

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

SMLatCST's picture

My statement from the old thread still stands, in that the easiest way to find which clients are is still trying to communicate with the SEPM on port 80 is to enable IIS logging.  This will give you the details on every client that makes a request on that port.

This is based on the assumption that your v11 SEPM was listening on port 80 and using the Default Website, and that the upgrade to 12.1 has taken the site within IIS and added a redirect to the port 8014 that the new apache server listens to by default (as per

Does this match your situation?  If not, can you provide more details?

RSASKA's picture

Just an update ...


It is better to download both Wireshark and Windump on the SEPM server.


Wireshark has bugs that make it run out of memory really quickly, and Wireshark workarounds are ineffective (in my humble opinion)angry


It is better to run Windump and type the following at the command prompt:


C:\>windump -w mynetworkcapture.pcap tcp port 80


Also, monitor the size of your output file, mynetworkcapture.pcap, and when you are done, double-click the .pcap file and it will open in Wireshark.

The Enemy's greatest fear is that you'll discover who you really are, what you're really worth, and where you're headed.


Ambesh_444's picture

Even you can check by telnet through run command.

Open run and then type cmd --> Enter -->type telnet and give space then sepm server ip and then port 80 and then -->Enter.    Example ...(telnet 80)


Thank& Regards,


"Your satisfaction is very important to us. If you find above information helpful or it has resolved your issue. Please don't forget to mark the thread as solved."