Endpoint Protection


Can't log into SEPM

ℬrίαη

ℬrίαηApr 17, 2015 10:40 AM

ℬrίαη

ℬrίαηApr 17, 2015 10:51 AM

  • 1.  Can't log into SEPM

    Posted Apr 16, 2015 04:36 PM

    Tried to log into SEPM like normal.  I got a sluggish progress bar which we've seen after the 12.1.5337 upgrade.

     

    Server is updated for Windows.  Java is 7, 79, updated.  Restarted several times.

     

    But then there's a cert issue of some kind....

    I bring up SEPM, type in my credentials.  I get a pop up box

    Warning - Security

    Server Certificate is not present in your trusted store.

    Do you want to trust the certificate?

    Along with details.

     

    If I tell it to trust it anyway, it gives a "Unexplained server error" message and doesn't log in.

     

    Certs on servers are not my area of expertise.  I understand the gist of them.

     

    In the details for this warning I see old info -- The name of an old server, the first server SEPM was installed on.  And I see an older domain.  The older server is not active anymore, gone in 2013 I think.  The older domain is still active though.  I also see ipv6 info -- This server has ipv6 disabled.

     

    Any ideas?  I wonder if this is an old cert.  Maybe a new cert was added later, but this old one is still there and is now messing something up.

     

    I just noticed this today.  Sluggishness on the login is "normal" (but annoying) with the 12.1.5337 upgrade.  Eventually I would be able to log in.  Windows updates were applied to the server yesterday -- One Windows update was a .NET update which has caused issues on some servers.

     

    SEPM is on a Server 2008r2 OS.

     

    The .NET update installed yesterday is...

    Security Update for Microsoft .NET Framework 4.5.1 and 4.5.2 on Windows 7, Vista, Server 2007, Server 2008 R2 (KB3037581)

     

    And now that I'm thinking of it... I uninstalled SEP 12.1.4 and installed SEP 12.1.5337 on a machine today.  I didn't get any email notifications like I normally would.... 

    ... And my local computer's SEP status bubble is yellow instead of green.  A manual live update just worked, pulled one update.  I updated the policy from my local SEP.  Now the light is green...  And it's yellow again.  Update policy, second attempt... Stays yellow.  That's not good.

     

    Something broken.  Windows update possibly or something with that cert.  I'm wondering why there's a cert with an old server name and old domain in there.  (And how I would remove that or update it with a new, current cert.)

     

    Tried the web version of SEPM.  Same thing -- Cert warning, then "unexplained server error" when I try to proceed.



  • 2.  RE: Can't log into SEPM

    Posted Apr 16, 2015 04:39 PM

    Looks like it pulls updates from Symantec itself, not through our SEPM server.  A manual update on a second machine worked.

     

    I did the update policy on the second local machine -- Same result.  Green for a few seconds, then stays yellow even if I update policy again.

     

    Maybe something with the SEPM server communicating after that .NET update....



  • 3.  RE: Can't log into SEPM



  • 4.  RE: Can't log into SEPM

    Posted Apr 16, 2015 05:03 PM

    I get the cert error on SEPM on the Symantec server.

    On the web version, the browser warns me about a cert issue in general (untrusted cert, beware!, do you really want to proceed?).  I proceed and then get the "unknown server error message" like the SEPM software gives.  Same behavior basically either way.

     

     

    The "old" cert says it's good for many more years.  It looks like it's from when we first started with Symantec a few years ago.  I'm wondering why it's digging that up now though. 

     

     



  • 5.  RE: Can't log into SEPM

    Posted Apr 16, 2015 05:04 PM

    I did see the web version lets me download a cert.  I downloaded one, but I'm not quite sure what to do with it, if it's for the local machine or the server itself.  I'm thinking it's old info in the cert though.  Manually installing it on local machines isn't that realistic of an option -- Possibly, but a royal pain, and some machines we won't see for months.



  • 6.  RE: Can't log into SEPM

    Posted Apr 16, 2015 05:12 PM

    Went through the initial IE steps...

    http://www.symantec.com/business/support/index?page=content&id=TECH123686&profileURL=https%3A%2F%2Fsymaccount-profile.symantec.com%2FSSO%2Findex.jsp%3FssoID%3D1429218017015qY3xM4pu7m5ws1fNMp56eJ11HiXw6ryirh1x9

     

    The cert I download has the old, original server name and the old domain.  I see that in the cert I downloaded and in the webpage cert info.  Name and domain are wrong.

     

    How do I get rid of that old cert and get a new, updated one in place?

     



  • 7.  RE: Can't log into SEPM

    Posted Apr 16, 2015 05:22 PM


  • 8.  RE: Can't log into SEPM

    Posted Apr 16, 2015 05:23 PM

    Two .NET updates on the server I see...

    KB3037581

    KB3037574



  • 9.  RE: Can't log into SEPM

    Posted Apr 17, 2015 09:22 AM

    Still stuck.

     

    Client machines appear to still get updates, at least when run manually, but there aren't any dire warnings on client machines.

     

    I'd like to get rid of the old server name/old domain cert and get a new if possible.  That's something on the server end, right?  Except I can't get into SEPM now.  Would I download a new cert from somewhere else (log in with serial number to the site where we pull down upgrades?) and install or create a new cert on the server itself?  Then I'd be able to log into SEPM since the SEPM server has a new, current cert?



  • 10.  RE: Can't log into SEPM

    Posted Apr 17, 2015 09:35 AM

    I found the cert snap in on Server 2008r2.

     

    And it looks like the Symantec Management Server Configuration Wizard is working from the Programs menu...



  • 11.  RE: Can't log into SEPM

    Posted Apr 17, 2015 09:37 AM

    I can't tell if this is an SEPM cert issue or a Server 2008r2 cert issue...



  • 12.  RE: Can't log into SEPM

    Posted Apr 17, 2015 09:42 AM

    Is this cert something we create on our own or something we download from Symantec?

     

    Maybe some success...  I did the Symantec Management Server Configuration Wizard and just walked through the default steps.  That processed something.  Still have the database apparently.  Started SEPM again, and now I'm able to log into SEPM.  Info looks correct and correct for user machines listed.

     

    I'm still wondering about the old cert and getting a new cert though....

    What's the situation with that?

    And how do I get a new cert (or something) with the current server name, current domain?



  • 13.  RE: Can't log into SEPM

    Posted Apr 17, 2015 09:46 AM

    The cert is just a self signed cert from Symantec. But it sounds like clients are communicating?



  • 14.  RE: Can't log into SEPM

    Posted Apr 17, 2015 09:47 AM

    Most of the user machines are listed as offline.... 

    The ones that are green/online have Security Virtual Appliance "not enabled."  Not sure what that is.

    Trying a refresh and update content on user machines... Maybe this will clear up when the heartbeat functions next on SEPM...



  • 15.  RE: Can't log into SEPM

    Posted Apr 17, 2015 09:48 AM

    How do we get that signed cert?  Is it in the website part where we download upgrades/installers?

    https://fileconnect.symantec.com

     



  • 16.  RE: Can't log into SEPM

    Posted Apr 17, 2015 09:54 AM

    The cert is built in so unless it was replaced it should be there



  • 17.  RE: Can't log into SEPM

    Posted Apr 17, 2015 09:54 AM

    Clicked on the admin tab, SEPM froze up....



  • 18.  RE: Can't log into SEPM

    Posted Apr 17, 2015 09:57 AM

    The info on the cert that I saw had the old server name, old domain.  The 10+ year period for it had a start date from a couple years ago when we got Symantec. 

    Shouldn't we have a cert with the current server name, current domain?  Do we need to change that, or is the original info ok still?  Maybe wrong, outdated info, but still ok as a cert?



  • 19.  RE: Can't log into SEPM

    Posted Apr 17, 2015 10:01 AM

    Grr... Restarted server.  Tried to log back into SEPM.  Getting the "Server Certificate is not present in your trusted store."  Warning again...  Back to where we started.

     

    Maybe this is something with those .NET updates....



  • 20.  RE: Can't log into SEPM

    Posted Apr 17, 2015 10:03 AM

    Is the cert for the remote/web console?

    There are two separate certs here, web/remote console and clients. Trying to figure out which you're looking at



  • 21.  RE: Can't log into SEPM

    Posted Apr 17, 2015 10:03 AM

    .NET blocking something... Or maybe a service is off on the server...



  • 22.  RE: Can't log into SEPM

    Posted Apr 17, 2015 10:06 AM

    "Is the cert for the remote/web console?"

     

    I don't know.  I'm trying to log into SEPM on the Symantec server again.  That didn't work so I tried the web version yesterday.  Both give me cert errors.

     

    I'm still looking at the SEPM security warning on the Symantec server now... 

    We're on Java 7,79. 32-bit.   When I first noticed this issue (not being able to log into SEPM) yesterday we had Java 7,75 and Java 8,40 installed.  Not sure if that was 32 vs. 64 bit.  Maybe it needs 64 bit java....



  • 23.  RE: Can't log into SEPM

    Posted Apr 17, 2015 10:17 AM

    We could uninstall SEPM, reinstall, and import the database I suppose...



  • 24.  RE: Can't log into SEPM

    Posted Apr 17, 2015 10:21 AM

    http://www.symantec.com/connect/forums/server-certificate-not-present-your-trusted-store

    But we've got...

    Symantec Endpoint Protection 12.1.5337.5000

    and

    Symantec Endpoint Protection Manager 12.1.5337.5000

    listed in the Symantec server's programs list.

     



  • 25.  RE: Can't log into SEPM

    Posted Apr 17, 2015 10:28 AM

    Tried manually updating the SEP software on the Symantec server.  That pulled down two updates.  No change in login behavior for SEPM.

    Did a policy update on SEP on the Symantec.  Same behavior as client machines.  SEP icon turns green for a few seconds.  Then stays yellow, even if I click 'update policy' again.



  • 26.  RE: Can't log into SEPM

    Posted Apr 17, 2015 10:31 AM

    Maybe it needs a reboot, hover over the icon to see what it says. The main question is does the client show up in SEPM



  • 27.  RE: Can't log into SEPM

    Posted Apr 17, 2015 10:35 AM

    Something with DNS maybe?  I pinged the old Symantec server name and that's getting an ip address pingback.  The current machine on that ip address is a regular user desktop though.  nslookup doesn't resolve the old server name, which makes sense.  The old Symantec server hasn't been in use for almost two years now.



  • 28.  RE: Can't log into SEPM

    Posted Apr 17, 2015 10:36 AM

    "Maybe it needs a reboot, hover over the icon to see what it says. The main question is does the client show up in SEPM"

     

    Rebooting the Symantec server again...  I can't log into SEPM again though. 



  • 29.  RE: Can't log into SEPM

    Posted Apr 17, 2015 10:39 AM

    Is it significant that the cert info listed is for the old Symantec server name and the old domain?  Does it matter if that info is current?  If the cert just displays old, incorrect info, that might be info just for display.  It might actually just use a GUID or unique ID.  So the cert with incorrect info could be fine and just display the wrong name, domain.  Or, does the cert actually use the server name and domain listed?



  • 30.  RE: Can't log into SEPM

    Posted Apr 17, 2015 10:40 AM

    Is the SEPM service started?



  • 31.  RE: Can't log into SEPM

    Posted Apr 17, 2015 10:41 AM

    Didn't think that was going to work.

     

    Rebooted the Symantec server.  I'm back in SEPM.  It still gives the cert warning, but I clicked always allow.  Looking around in SEPM....  I'm getting farther this time.  Last time I clicked on the admin tab and SEPM froze.  Now I can at least click on things in SEPM....



  • 32.  RE: Can't log into SEPM

    Posted Apr 17, 2015 10:42 AM

    "Is the SEPM service started?"

     

    How do I tell?  Under services.msc?



  • 33.  RE: Can't log into SEPM

    Posted Apr 17, 2015 10:51 AM

    Yes, will be 3 services in there



  • 34.  RE: Can't log into SEPM

    Posted Apr 17, 2015 10:52 AM

    Stepped away for a minute.  Back on SEPM again... And SEPM is frozen again.  I've got the SEPM window.  Nothing responds on it.... Or wasn't responding.  Even the X to close it out -- That would at least move as a button, but wouldn't close the program.

    And while typing this the tab I was on in SEPM actually changed.  It's like it's going super super slow possibly...  After the 12.1.5.3337 upgrade SEPM is occasionally very very sluggish at the login screen.



  • 35.  RE: Can't log into SEPM

    Posted Apr 17, 2015 11:01 AM

    CPU on the Symantec server looks good.  0-2% if that.

    2.26GB RAM used.  Plenty of RAM left.

    C and D drives have plenty of free space.  We did notice a few tens of GB's on the data drive disappeared with the 12.1.5337 upgrade.  But it still looked like everything was working.

     

     


    services.msc....

    Symantec Embedded Database -- Started, Automatic

    Symantec Endpoint Protection -- Started, Automatic

    Symantec Endpoint Protection Launcher -- Started, Automatic

    Symantec Endpoint Protection Manager -- Started, Automatic

    Symantec Endpoint Protection Manager Webserver -- Started, Automatic

    Symantec Network Access Control -- Status is blank, Startup Type is Manual

    Symantec Event Notification Service -- Started, Automatic

     

     

    I'll try starting  Symantec Network Access Control

    SEPM is still frozen again, even after it made that one change from clicking on it.



  • 36.  RE: Can't log into SEPM

    Posted Apr 17, 2015 11:03 AM

    We also have Symantec Backup Exec Remote Agent for Windows ver 14.0.1798 installed on this Symantec server.  I'm not involved with backups, but I heard that was having issues (as in not really working the whole time we've had it).  That could be interfering with something too... But that's going to start involving more people to deal with Backup Exec issues.



  • 37.  RE: Can't log into SEPM

    Posted Apr 17, 2015 11:41 AM

    Force killed SEPM.  That finally disappeared.  Started SEPM again.  I can log in.

     

    Machines are green, most of them now....

     

    My desktop icon is green.  Yeh.  The Symantec server desktop icon is green.

    I got a notification about a SEP client change I deleted, so notifications are coming through.

     

    I manually started this.

    Symantec Network Access Control -- Status is blank, Startup Type is Manual

    Didn't restart the server.  Had to force kill SEPM.  Restarted SEPM and got it.

     

    Now I'm in SEPM again, but it's frozen up on me twice.  I'm looking for the cert info in SEPM...

     



  • 38.  RE: Can't log into SEPM

    Posted Apr 17, 2015 12:02 PM

    I'm back in SEPM normally again.  User machines look green and normal.

     

    One thing I noticed...

    If a user machine is off, in the clients tab, "Security virtual appliance" shows "not applicable."

    When the machine is on, that changes to "Not enabled."

     

    There's one server that is on, but isn't showing as online in SEPM.

    If this was a fix -- I manually started the service listed above in services.msc.

    And the old info cert is still up in the air.  This is the same Server 2008r2 server that we initially installed SEP on, did about five upgrades, and the server has been renamed and put in a new domain.  The cert info I saw still listed the original server domain/domain.

     



  • 39.  RE: Can't log into SEPM

    Posted May 11, 2015 01:37 PM

    Strange.  This morning, after SEPM has been working again normally, that cert warning came up again.  I was afraid I'd be locked out but it let me in on the second attempt.

     

    The cert warning still shows the old server name and old domain.  I thought that was supposed to automatically update somehow...
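
The question that recurs through this thread (which names the presented certificate carries, and whether the machine trusts it) can be checked directly. The PowerShell below is an added example, not code from any poster or from Symantec; the host name and port in the usage comment are placeholders, and the SAN parsing assumes an English-language Windows.

```powershell
# Added example (not from the thread): inspect the certificate a TLS port presents.
function Get-ServerCertificate {
    param([Parameter(Mandatory=$true)][string]$HostName,
          [Parameter(Mandatory=$true)][int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented: the goal is to read it, not to trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

function Test-ServerCertificate {
    param([Parameter(Mandatory=$true)]$Certificate,
          [Parameter(Mandatory=$true)][string]$ExpectedName)
    # Names the certificate claims: subject CN plus any SAN DNS entries (OID 2.5.29.17).
    $names = @($Certificate.GetNameInfo('SimpleName', $false))
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = ''
    if ($san) {
        $sanText = $san.Format($false)   # English Windows: "DNS Name=a, DNS Name=b"
        foreach ($m in [regex]::Matches($sanText, 'DNS Name=([^,\s]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    # Chain check against the Windows store of the machine running this script.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($Certificate)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    New-Object PSObject -Property @{
        Subject      = $Certificate.Subject
        Issuer       = $Certificate.Issuer
        SelfSigned   = ($Certificate.Subject -eq $Certificate.Issuer)
        SubjectAlt   = $sanText
        NotBefore    = $Certificate.NotBefore
        NotAfter     = $Certificate.NotAfter
        Thumbprint   = $Certificate.Thumbprint
        NameMatches  = ($names -contains $ExpectedName)   # exact match; wildcards not handled
        ChainTrusted = $trusted
        ChainStatus  = $status
    } | Select-Object Subject, Issuer, SelfSigned, SubjectAlt, NotBefore, NotAfter,
                      Thumbprint, NameMatches, ChainTrusted, ChainStatus
}

# Usage (placeholder host and port; substitute the console's real name and listening port):
# $cert = Get-ServerCertificate -HostName 'sepm.example.local' -Port 8443
# Test-ServerCertificate -Certificate $cert -ExpectedName 'sepm.example.local'
```

A result with `NameMatches` false and `ChainStatus` of `UntrustedRoot` describes a self-signed certificate issued under a different host name; comparing `Thumbprint` across reboots shows whether the server is presenting the same certificate each time.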