Endpoint Protection

  • 1.  Windows 7 Clients Connectivity to SEPM

    Posted Apr 04, 2012 08:34 PM

    Hello,

    I'm having issues with my Windows 7 clients maintaining an established connection to the management server (SEPM). I've whitelisted SEP in the Windows Firewall and do not block any outbound connections from the client. The client does have a record in the console, but in the on-line mode (no green icon). When I keep forcing the client to update (a bunch of times), I can see it establish a connection back to the management server (from a netstat -a command) and it would register as active in the console.

    Does anyone have any suggestions for me to troubleshoot the client-to-server connectivity?

     

    My configurations:

    SEPM client communication policy is set for pull mode and 5 minute heartbeat intervals. I've also tested using push mode, with the same result!!

    Windows 7: Enterprise version, Windows Firewall enabled, blocking all inbound connections with no restriction outbound. Whitelisted both TCP port 8014 and the SEP application in the Windows Firewall.

     

    Using SEP version 12.1.671 (both client and SEPM)

     

    Thank you

    RK



  • 2.  RE: Windows 7 Clients Connectivity to SEPM

    Posted Apr 04, 2012 09:22 PM

    Get the sylink log from the client and upload it here, we can have a look

    How to enable Sylink debugging for the Symantec Endpoint Protection 11.x and 12.1 client in the Windows Registry

    http://www.symantec.com/business/support/index?page=content&id=TECH104758

     

    Troubleshooting Client Communication with SEPM

    http://www.symantec.com/business/support/index?page=content&id=TECH95789



  • 3.  RE: Windows 7 Clients Connectivity to SEPM

    Trusted Advisor
    Posted Apr 05, 2012 05:18 AM

    Hello,

    In your case, since you are carrying SEP 12.1, I would suggest you check these articles:

    Symantec Endpoint Protection Manager 12.1 Communication Troubleshooting

    http://www.symantec.com/docs/TECH160964

    Troubleshooting communication problems between the management server and the client

    http://www.symantec.com/docs/HOWTO55017

    Again, have you installed SEP with Full Feature set (AV/AS, PTP and NTP) on the Windows 7 machine?

    If yes, I believe you should have a look at these articles:

    About Windows Firewall and Symantec Endpoint Protection's NTP

    http://www.symantec.com/docs/TECH97986

     
    Hope that helps!!
     
     


  • 4.  RE: Windows 7 Clients Connectivity to SEPM

    Posted Apr 05, 2012 02:23 PM

    Thank you for the debug tip. I let the log compile for a few hours and the output is very large. Anything specific I should search for?



  • 5.  RE: Windows 7 Clients Connectivity to SEPM

    Posted Apr 05, 2012 02:26 PM

    Hello, Thank you for the links. Regarding the components installed, I've only installed the basic SEP components (AV/AS & PTP "no NTP" installed).

     

    Thx



  • 6.  RE: Windows 7 Clients Connectivity to SEPM

    Posted Apr 05, 2012 04:39 PM

    I believe your problem is more complex than you might think.

    The basis of the problem lies within the Windows Firewall.  As a test, you can try to disable the Windows Firewall temporarily and see if this resolves your problem.  It should.

    * * * * * * *

    Now that we have determined that without the Windows Firewall our connection is establishing, we are faced with a dilemma...

    - You can turn back on the Windows firewall for testing purposes (some more).

    * * * * * * * * *

    Here is an example of a Netstat from a Symantec server.

    TCP    192.8.xx.xx:8014     192.8.xx.xx:4749      ESTABLISHED     2084
    TCP    192.8.xx.xx:8014     192.8.xx.xx:63336    ESTABLISHED     2084
    TCP    192.8.xx.xx:8014     192.8.xx.xx:49755    ESTABLISHED     2084
    TCP    192.8.xx.xx:8014     192.8.xx.xx:4882      TIME_WAIT       0
    TCP    192.8.xx.xx:8014     192.8.xx.xx:64660    ESTABLISHED     2084
    TCP    192.8.xx.xx:8014     192.8.xx.xx:53163    ESTABLISHED     2084
    TCP    192.8.xx.xx:8014     192.8.xx.xx:53172    ESTABLISHED     2084
    TCP    192.8.xx.xx:8014     192.8.xx.xx:1089     ESTABLISHED     2084
    TCP    192.8.xx.xx:8014     192.8.xx.xx:3339     FIN_WAIT_2      2084
    TCP    192.8.xx.xx:8014     192.8.xx.xx:50881    TIME_WAIT       0
    TCP    192.8.xx.xx:8014     192.8.xx.xx:56004    ESTABLISHED     2084
    TCP    192.8.xx.xx:8014     192.8.xx.xx:2150     ESTABLISHED     2084
    TCP    192.8.xx.xx:8014     192.8.xx.xx:2913      ESTABLISHED     2084
    TCP    192.8.xx.xx:8014     192.8.xx.xx:2947      FIN_WAIT_2      2084
    TCP    192.8.xx.xx:8014     192.8.xx.xx:1231      ESTABLISHED     2084
    TCP    192.8.xx.xx:8014     192.8.xx.xx:1251      FIN_WAIT_2      2084

    * * * * * * *

    From left to right:

    Protocol, Server IP:Port Number, Client IP:Port Number, Connection information

    See how the clients are using any random port...  That traffic needs to get back to the client. 

    * * * * * * * *

    As another and last test, we can do this.  (This should work and establish your connection)

    From a command prompt (with elevated privileges, if required) type the following:

    NETSH firewall set service type = upnp mode = enable

    This will allow connections established from the client to have that traffic returned on the same port. 

    The error message about the command being deprecated can be ignored, or you can check out the KB article mentioned.

    You can also find more information here, on TechNet:

    http://technet.microsoft.com/en-us/library/cc771046(v=ws.10).aspx
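
The netstat column layout described in the post above (protocol, server IP:port, client IP:port, state, PID) can be summarised per client to see which machines actually reached port 8014. This is an added example, not part of the original thread; the sample capture, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

SEPM_PORT = 8014  # client-communication port named in the thread

# Constructed `netstat -ano` capture from a management server
# (documentation-range addresses, not taken from the thread).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8014           0.0.0.0:0              LISTENING       2084
  TCP    192.0.2.10:8014        198.51.100.21:49755    ESTABLISHED     2084
  TCP    192.0.2.10:8014        198.51.100.21:49760    TIME_WAIT       0
  TCP    192.0.2.10:8014        198.51.100.22:53163    FIN_WAIT_2      2084
  TCP    192.0.2.10:3389        198.51.100.50:61000    ESTABLISHED     1200
  TCP    192.0.2.10:8014        198.51.100.23:1089     TIME_WAIT       0
  UDP    0.0.0.0:123            *:*                                    900
"""

LINE = re.compile(
    r"^\s*TCP\s+(?P<lip>\S+):(?P<lport>\d+)\s+(?P<rip>\S+):(?P<rport>\d+)"
    r"\s+(?P<state>[A-Z][A-Z_0-9]*)\s+(?P<pid>\d+)\s*$"
)

def summarize(netstat_text, port=SEPM_PORT):
    """Return {client_ip: Counter(state -> count)} for TCP sessions on the server port."""
    clients = {}
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        # Skip headers, UDP rows, other local ports and the listening socket itself.
        if not m or int(m["lport"]) != port or m["state"] == "LISTENING":
            continue
        clients.setdefault(m["rip"], Counter())[m["state"]] += 1
    return clients

def classify(summary, expected_clients):
    """Label each expected client by the strongest evidence of contact in the capture."""
    result = {}
    for ip in expected_clients:
        states = summary.get(ip, Counter())
        if states["ESTABLISHED"]:
            result[ip] = "connected"
        elif states:
            result[ip] = "recently closed"  # only TIME_WAIT / FIN_WAIT_2 etc.
        else:
            result[ip] = "no session seen"
    return result

if __name__ == "__main__":
    expected = ["198.51.100.21", "198.51.100.22", "198.51.100.23", "198.51.100.24"]
    for ip, status in classify(summarize(SAMPLE), expected).items():
        print(f"{ip:16} {status}")
```

A client that shows only TIME_WAIT or FIN_WAIT_2 entries did reach the server and the session has since closed; a client missing from the capture had no session on that port while it was taken.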

     

     

     



  • 7.  RE: Windows 7 Clients Connectivity to SEPM

    Posted Apr 06, 2012 11:04 AM

    " Windows Firewall enabled blocking all inbound connection and no restriction outbound."

     

    Check if you have set the push mode or pull mode for the liveupdate. If that is push mode, you have blocked the inbound traffic, so for every heartbeat the server tries to communicate with the client; however, if the traffic is blocked, it cannot do so.

    Hence, enable the two-way traffic and check. Else, set the LU to pull mode and check  :)



  • 8.  RE: Windows 7 Clients Connectivity to SEPM

    Posted Apr 06, 2012 03:22 PM

    OK, thank you. I'll disable the client's firewall and see if the console detects the client as active. If that stabilizes the connection, I'll troubleshoot the firewall a bit more.

    I'm testing with pull mode instead of push configuration.

    Also, these client machines are from a Gold Image, but we did follow Symantec's how-to to sysprep the client before imaging.