Installing a Symantec Endpoint Protection (SEP) client on a Windows Server 2000/2003/2008/2012/2012/2016 R2/2019 cluster. In Windows Server 2000 and 2003, this clustering is referred to as "Windows Clustering" (as opposed to Network Load Balancing). In Windows Server 2008, this type of clustering has been renamed to High Availability/Failover Clustering. In Windows 2012, new and changed functionality in Failover Clustering supports increased scalability, easier management, faster failover, and more flexible architectures for failover clusters.

Installing to the cluster

To install the Symantec Endpoint Protection client to a cluster:

1. Put the node in passive mode during the install.
2. Install the Symantec Endpoint Protection client to the passive node.

 
Uninstalling from the cluster

To uninstall the Symantec Endpoint Protection client from the cluster:

1. Put the node in passive mode during the uninstall.
2. Uninstall the Symantec Endpoint Protection client from the passive node.

Repeat these steps for any additional nodes.

Notes:

• It's not necessary to break the cluster by bringing down one of the nodes for installation or un-installation. In the past, some administrators preferred to break the cluster to ensure that the cluster would not have resource or performance issues during the install;
• A default install of Symantec Endpoint Protection on a new system does not require a restart when only installing Virus and Spyware Protection. However, an installation of IPS (Intrusion Prevention System) requires a restart in order for the driver installation to the TCP/IP stack to complete;
• If the install is an upgrade from a previous version of Symantec Endpoint Protection, the upgrade may require a restart. This requirement can be due to other products and or applications on the system using shared files, such as run-time libraries. If files are in use at the time of installation and cannot be replaced, they're marked for replacement. They are replaced upon the next restart;
• If installing the Symantec Endpoint Protection firewall, create a new firewall rule to allow Clustered Server communications. In this rule, allow TCP and UDP traffic on ports 3343 for Cluster Service, TCP port 135 for RPC, UDP port 137 for Cluster Administration and randomly allocated high UDP port range 49152-65535. Do not specify a local port. Without this rule in place, no connection to the cluster is made. Additionally, recommended to check the current requirements for your particular OS - https://docs.microsoft.com/en-US/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements;
• Do not install the Symantec Endpoint Protection client to the cluster's shared drives. When the server fails over, access to the Symantec Endpoint Protection software is lost;
• If installing remotely, install the Symantec Endpoint Protection client software using the local server names and not the shared cluster name.

Additional cluster guidance:

• Installing a Symantec Endpoint Protection Manager (SEPM) on a Windows 20xx Cluster is not supported.
• The Symantec Endpoint Protection client is not "cluster-aware". Do not configure it as a cluster. SEP should remain active and running to protect the local server, even when the local server is the "passive node" and is not in control of the shared resources.
• The Symantec Endpoint Protection client is supported in both Active/Active and Active/Passive clustering.
• In an Active/Passive cluster pair with Symantec Endpoint Protection, disable the policy component “Block all traffic until firewall starts and after the firewall stops” on the group or groups in which the cluster resides. This component can cause the cluster communications to fail and result in an undesired Active/Active scenario where both cluster partners attempt to manage the shared data. An alternate workaround is to set the cluster service to manual startup. Script launching the service once the computer has finished its boot process or a user logon event occurs. This arrangement ensures the cluster service starts after the smc service, and that the firewall service starts before the cluster service comes on online.
• High Availability for the Symantec Endpoint Protection Manager back-end (Microsoft SQL Server database) should be achieved by installing it into a Microsoft SQL cluster. High Availability for the Symantec Endpoint Protection Manager web front end should be achieved by installing more than one Symantec Endpoint Protection Manager connecting to the same Microsoft SQL Server database.
• Auto-Protect on the local Symantec Endpoint Protection client protects the local server resources. Auto-Protect on an active server node protects the shared resources.
• Each Symantec Endpoint Protection client installation is managed separately and provides protection in the event of a failover.
• If failover occurs while a manual scan runs on the shared drives, the scan does not automatically restart.
• If one Symantec Endpoint Protection client in the cluster is temporarily down, virus definitions on that node are not updated until the Symantec Endpoint Protection client successfully starts and updates itself from the designated management server.
• Event logging and alerting include the name of the local system and not the cluster name. The local system name better helps to identify which system encountered the event.