Symantec Endpoint Protection Integration with Notification Server 

May 13, 2008 04:05 PM

Symantec's next-generation endpoint protection product is one of the first solutions to be integrated with the Altiris Notification Server platform. This article discusses the integration points.

Symantec Endpoint Protection (SEP) is the next generation of malware protection aimed at corporate desktops. The product combines an anti-virus, spyware, and insert-dangerous-name-of-your-choice-ware detection engine, a firewall, and intrusion prevention into a single product. It is based on a client-server architecture in which a Java-based management console is installed on a server and each client machine runs an agent that receives configuration information from the server.

SEP is one of the first products that Symantec has begun to integrate with the Altiris Notification Server, although the term "integration" should be used loosely. The main goal was clearly to give enterprises the ability to quickly roll out the SEP agent. There are a few other integration points, but in this initial release there is limited functionality available from the Notification Server.

The integration is accomplished by installing the SEP Integration Component on an Altiris Notification Server. Installation of this component is available from the Notification Server Solution Center. Longtime Altiris administrators will recognize that the Integration Component uses Connector Solution to attach to the SEP database and the management console to pull information into the Altiris database on a scheduled basis. One advantage of using Connector Solution is that there is almost zero impact on the Notification Server to have this solution installed. One disadvantage is that with the current release there is a one-to-one relationship between a Notification Server and a SEP Management Console. The one-to-one relationship prevents administrators with one Notification Server and multiple SEP Management Consoles from configuring all of the SEP consoles to talk to the NS server.

After the SEP Integration component has been installed, it can be accessed from the Notification Server Configuration Tab > Solutions Settings > Connectors > Symantec Endpoint Protection. Clicking on the Configuration Option is the first step to establishing a connection. In the screenshot below, the SEP server has been configured based on the installation instructions that are provided with the SEP documentation. There are a couple of hard lessons learned from the SEP installation to keep in mind:

  • Do not use a default instance of SQL for the SEP database. Create a new instance named SEPM.
  • ODBC Connections on the server can cause the SEP Management Console to hang on startup. To avoid this problem, make sure the ODBC Connection on the SEP Server uses the format SERVERNAME\Instancename when making the connection.

The Basic Data Imports page requires the Schema information be provided. Typically the entry "dbo" is sufficient to make the connection.

Another tricky part of the configuration is the username and password requested on the Basic Data Imports page. These credentials do not refer to the Altiris Application Identity account, nor do they refer to the user account configured to access the SEP Server (by default that would be admin). Instead, the page is asking for the SQL account that was configured when the SEP database was created. If the SEP Server installation created the SQL database, the default username in this case is SEM5. If problems arise locating this username and password, open SQL Management Studio, right-click on the SEM5 database, choose Properties, and choose Users.

After filling in all of the required information, click on the lightning bolt at the top of the screen in order to test the import. A success message should appear at the bottom of the screen once it has been configured. Trigger the import to run for the first time by clicking on the blue and white icon to the left of the lightning bolt.

The SEP integration component includes several Altiris Software Delivery jobs and policies to help roll out or uninstall the SEP clients. These packages are placed in the NSCAP share on the Notification Server under the \bin\win32\x86\ConnectSEP directory. It is important to understand that unlike all of the other Altiris solutions that come prepackaged and ready to deploy, the Setup.exe that exists in the ConnectSEP directory is a 0 byte file. In order to use the policy, a deployment package must be created. This is done directly from the SEP Management Server through a wizard named the "Migration and Deployment Wizard."

The Migration and Deployment Wizard allows the SEP administrator to enable or disable the SEP client components that will be installed on each machine. Similar to Active Directory Organizational Units (OUs), the SEP Management console allows administrators to organize their SEP deployment by installing machines to specific groups. The group membership is specified in the installation package. This makes naming conventions of paramount importance when there are multiple groups to be used. Keep in mind that the wizard will save the file with the name of "setup.exe" so this will need to be updated after the install. The screenshot below shows one of the most important configuration pages for Altiris integrated installations:

In the screenshot above make sure to answer "Yes" to the question "Do you want a single .EXE file for each client install package?" It is also important that the installation type be "Silent" and that the file be saved to the \\nscap\Bin\Win32\x86\ConnectSEP directory on the Notification Server. At the end of the Migration and Deployment Wizard, the last page asks about pushing the installation. At this time, there is no integration between the push this page is referring to and the NS server so choose the option "No, just create them and I'll deploy them later." After several minutes the package will be created successfully. The size of the package will vary based on configuration options but should average around 70MB or more.

When pushed from the Notification Server using the default packages, the SEP client installation is completed using a JavaScript file that is also located in the ConnectSEP directory on the Notification Server. The script, named "install.js", will remove other antivirus software that might be installed on the client machines. Depending on the vendor, this script may require tweaking. Keep in mind that if the name of the SEP client package was modified from the default of "Setup.exe", lines 47 - 62 will need to be adjusted with the new name.

Keep in mind that Altiris Package Servers might have already replicated the 0 byte setup.exe file that was created when the SEP Integration component was installed on the NS. With this in mind, it is a good idea to update the distribution points for the SEP packages after the changes have been made. This will ensure package servers have successfully replicated the full setup.exe file before client machines attempt to run the installation. After this is done, enable the policy to begin the rollout.
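One way to check this before enabling the policy, as an added example that is not part of the original article or of the Altiris tooling: the script below confirms that the source package is no longer the 0-byte placeholder, that install.js still references the package name, and that each package server holds a byte-identical copy. The server names and package-server share paths are placeholders to be replaced with your own.

```powershell
# Added example: confirm the SEP package replaced the 0-byte placeholder and that
# every package server holds the same bytes as the Notification Server copy.
$PackageName = 'Setup.exe'   # change if the package was renamed after the wizard
$SourceDir   = '\\NS01\nscap\Bin\Win32\x86\ConnectSEP'   # NS01 is a placeholder name
$Replicas    = @(
    '\\PKGSRV01\PkgShare\ConnectSEP',                    # hypothetical share paths
    '\\PKGSRV02\PkgShare\ConnectSEP'
)

function Get-PackageState {
    param([string]$Directory, [string]$Name)
    $path = Join-Path -Path $Directory -ChildPath $Name
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $path; Length = $null; Sha256 = $null; Status = 'Missing' }
    }
    $item = Get-Item -LiteralPath $path
    if ($item.Length -eq 0) {
        # The integration component ships Setup.exe as a 0-byte placeholder.
        return [pscustomobject]@{ Path = $path; Length = 0; Sha256 = $null; Status = 'Placeholder' }
    }
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    [pscustomobject]@{ Path = $path; Length = $item.Length; Sha256 = $hash; Status = 'Present' }
}

$source = Get-PackageState -Directory $SourceDir -Name $PackageName
if ($source.Status -ne 'Present') {
    throw "Source package is $($source.Status): $($source.Path). Re-run the Migration and Deployment Wizard."
}

# install.js must reference the package by its current name.
$installJs = Join-Path -Path $SourceDir -ChildPath 'install.js'
if (-not (Select-String -LiteralPath $installJs -SimpleMatch -Pattern $PackageName -Quiet)) {
    Write-Warning "install.js does not mention $PackageName; update the script before rollout."
}

$results = foreach ($dir in $Replicas) {
    $state = Get-PackageState -Directory $dir -Name $PackageName
    if ($state.Status -eq 'Present' -and $state.Sha256 -ne $source.Sha256) {
        $state.Status = 'Mismatch'   # stale or altered copy; do not enable the policy yet
    }
    $state
}

$results | Format-Table Status, Length, Path -AutoSize
if ($results | Where-Object { $_.Status -ne 'Present' }) {
    Write-Warning 'At least one package server is not ready; update distribution points and re-check.'
}
```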

With SEP agents now rolled out, there are several additional features that are included with the SEP integration component. The assumption with the SEP integration component is that Altiris Task Server has been rolled out and is available for use. As Task Server requires the use of the Altiris Notification Server 6.5 Console, this should be the console of choice when attempting to use this product. While the rollout and configuration of Task Server is beyond the scope of this article, make sure that Task Server scoping is properly configured. This is done from the NS 6.5 Console by choosing Configure, Task Servers, and Task Server Management.

There are three Task Server Tasks and one Task Server Job that ship with the product. The difference between a Task Server Task and a Task Server Job is that a Task is a single action - for example one of the Tasks included with the SEP Integration Component is a Task to repair the Symantec EP Client. A Job is made up of multiple Tasks. An example of a Job included with the SEP Integration Component is to update the content of a client and then run a quick scan, as seen in the screenshot below. Tasks and Jobs can be run on individual computers in real-time making Task Server an effective tool to help manage a SEP environment.

To access these Task Server Tasks, from the Altiris 6.5 Notification Server console choose Manage > Jobs and expand Task Management, Tasks and Jobs, Client Tasks. Click on the individual Task or Job and choose Run Now to start these tasks.

The final integration point for SEP within Altiris is the Dashboard and Reporting capability. From the Notification Server 6.5 console, choose the Reports menu and choose All Reports. The purpose of Notification Server Dashboards is to provide a quick, visual overview of what is happening in the environment. As seen in the screenshot below, there have been zero infections and there are currently zero outdated virus definitions in the environment at this time.

The Quick Start menu that is listed provides a checklist that can be used to help configure the solution. SEP Integration component comes with seven basic reports that are focused mainly on client configuration details as well as general health of the SEP Client environment.

Overall, the SEP Integration component allows Altiris administrators to quickly roll out the SEP agents and maintain pertinent information to ensure clients are protected. For existing Altiris users who are rolling out SEP, this component is a welcome addition to the Notification Server. As Symantec is fond of saying, a well-protected endpoint is a well-managed endpoint, and the SEP Integration Component is an easy way to keep it that way.

Comments

Nov 05, 2008 06:17 PM

You mention we should "Create a new instance named SEPM." How do you create a new instance? From the enterprise manager or via the first time SEPM installation? Thanks.
If you are like me and didn't create an instance you can fix this connector configuration by changing "dbo" to "mySEPsa" or whatever you used and give them db_owner permission on the SEP db itself for your "mySEPsa"
https://kb.altiris.com/article.asp?article=41918&p=1

Nov 05, 2008 04:54 PM

Has anyone confirmed if this will work on SQL 2005 Express? Didn't want to have to get a SQL license for the antivirus server just to integrate it with the NS. Thanks.

Jun 19, 2008 12:58 PM

Thanks! One more question for you...
New 32-bit "setup.exe" file was created and copied to the following location on the NS:
C:\Program Files\Altiris\Notification Server\nscap\bin\win32\x86\connectsep
No other settings in the package were changed and "Update Distribution Points" was done.
Also, in Scheduled Tasks the "Package.Refresh" was run.
Waiting a few minutes and then enabled the "Symantec EP 32-bit Client Install 1" task.
On the test machine (XP) which has Altiris Agent and necessary agents installed, checks in, gets new policy and the package attempts to download.
Following error is received:
"Package not yet downloaded"
Attempts to retry but can't seem to download.
Altiris Log Shows:

Jun 11, 2008 08:16 AM

One technical reason for this is that the Altiris Notification Server does not have any method to connect directly to a Sybase database to pull out the information necessary from the SEP component. The way this component is architected, it is using a direct SQL connection between the databases. As a result, SQL is the only supported method to use this tool.

May 29, 2008 02:22 AM

We are planning to configure the SEP Integration Component but came to find that SQL 2000 or 2005 is required on the SEP 11 Manager servers.
Is there a reason why we can't use Sybase on NS?
Page 11 at: http://altiris.com/upload/sepintegrationhelp_001.pdf
Thanks,
achayra78
