Endpoint Protection

  • 1.  Clients Dropping Connections

    Posted Oct 07, 2009 01:31 PM
    Hi! My organization recently lost the server running our Endpoint Protection Manager (11.0.5). We have database backups, but no certificate or keystore.

    I provisioned a new machine, giving it the same IP as the old one. After restoring the database, all my clients show up in Manager, but none of the clients will talk to the new installation because of the missing keystore/cert. I've exported the communications settings on the server, creating a new sylink.xml file which I have pushed out to several clients both manually and using the SylinkReplacer tool. After restarting the SMC service, these clients show the green dot on the shield indicating connectivity, but then the icon goes away after about six seconds with no error message or anything.

    What is going on, and what can I do to restore connectivity with these clients?

    Thanks so much!


  • 2.  RE: Clients Dropping Connections

    Posted Oct 08, 2009 01:55 AM
    Hi,

    Is the new machine name the same as the old one? Please run sylinkmonitor and gather the logs.

    You can search for fail or error in the log file and post a snippet of the log.

    Best,
    Aniket


  • 3.  RE: Clients Dropping Connections

    Posted Oct 08, 2009 08:34 AM

    Try this

    Troubleshooting Client Communication

    http://www.symantec.com/connect/articles/troubleshooting-client-commuincation

    Also check whether any error message is present in the scm-server-0.log file, which is located in Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\logs


  • 4.  RE: Clients Dropping Connections

    Posted Oct 08, 2009 08:43 AM

    One more thing: if you go to inetmgr and website properties, in the web site tab the IP address selection "all assigned" should be present. You can also go to directory security, under authentication and access control click edit, check if anonymous access is enabled (it should be), and re-enter the iuser password.


  • 5.  RE: Clients Dropping Connections

    Posted Oct 08, 2009 12:06 PM
    Hi, guys, thank you very much for your attention. I don't believe network communication between the clients is an issue, as they can talk to each other via other services. The server does have the same name it did pre-reinstall. Here's a clip from the SylinkMonitor log: The Endpoint server is named Beagle, with the ip 192.168.122.5.

    -----------------------------

    10/08 09:23:38 [172] <mfn_MakeGetIndexUrl:>Request is: action=12&hostid=14D14784C0A87A0501B5EBA4EC6A002F&chk=ECB899B6298CF3938EEFE23B6B79FD53&ck=FA8411D7D5904E413C7EB3F256507744&uchk=92F3BC899AF2FBB19CB8F34DF97B151C&uck=968E2C85E210519375E0E816C3E3BE97&hid=BB693268A0606DE0CC2858FB44A0553C&groupid=401160D1C0A87A0501E59F7C53417FAA&mode=0&hbt=300&as=126&cn=[hex]6462656E6E657474&lun=[hex]6462656E6E657474&udn=[hex]42414C49484F4F2E4C4F43414C
    10/08 09:23:38 [172] <GetIndexFileRequest:>http://beagle:8014/secars/secars.dll?h
    10/08 09:23:38 [172] <GetIndexFileRequest:>SMS return=200
    10/08 09:23:38 [172] <ParseHTTPStatusCode:>200=>200 OK
    10/08 09:23:38 [172] <FindHeader>Sem-HashKey:=>ECB899B6298CF3938EEFE23B6B79FD53
    10/08 09:23:38 [172] <FindHeader>Sem-LANSensor:=>0
    10/08 09:23:38 [172] <FindHeader>Sem-Signatue:=>633E41E3A07D9A8CBEBA513F78FA76982ED7EB64BD134F69499C644B485C9963A2BA5A92705E074FE0D9A8D1F57CB4B698185A2874CCF02EC0F08C18DFFD86B8C12705117F53A3C0B539719ABA31AFAC1FDBD24045F0D01DD21877C0ABAE7572411D0C3FBD94973E85EA1A5A263D59EC3EF566F5D55AC4C5262026E61F5A3C5E
    10/08 09:23:38 [172] <mfn_DoGetIndexFile200>Content Lenght => 1253
    10/08 09:23:38 [172] <mfn_DoGetIndexFile200>Signature verification FAILED for Index File Content..
    10/08 09:23:38 [172] <GetIndexFileRequest:>RECEIVE STAGE COMPLETED
    10/08 09:23:38 [172] <GetIndexFileRequest:>COMPLETED
    10/08 09:23:38 [172] <IndexHeartbeatProc>GetIndexFile handling status: 101
    10/08 09:23:38 [172] <IndexHeartbeatProc>Switch Server flag=0
    10/08 09:23:38 [172] HEARTBEAT: Check Point 5.1
    10/08 09:23:38 [172] <ScheduleNextUpdate>new scheduled heartbeat=32 seconds
    10/08 09:23:38 [172] HEARTBEAT: Check Point 8
    10/08 09:23:38 [172] Notify Server down!
    10/08 09:23:38 [172] <PostEvent>going to post event=EVENT_SERVER_DISCONNECTED
    10/08 09:23:38 [172] <PostEvent>done post event=EVENT_SERVER_DISCONNECTED, return=0
    10/08 09:23:38 [172] Get Next Server!
    10/08 09:23:38 [172] <IndexHeartbeatProc>switch to another server
    10/08 09:23:38 [172] HEARTBEAT: Check Point 1
    10/08 09:23:38 [172] HEARTBEAT: Check Point 2
    10/08 09:23:38 [172] <PostEvent>going to post event=EVENT_SERVER_CONNECTING
    10/08 09:23:38 [172] <PostEvent>done post event=EVENT_SERVER_CONNECTING, return=0
    10/08 09:23:38 [172] HEARTBEAT: Check Point 3
    10/08 09:23:38 [172] <IndexHeartbeatProc>Setting the session timeout on Profile Session to 30000
    10/08 09:23:38 [172] HEARTBEAT: Check Point 4
    10/08 09:23:38 [172] <IndexHeartbeatProc>===Get Index STAGE===
    10/08 09:23:38 [172] ************CSN=127
    10/08 09:23:38 [172] <mfn_MakeGetIndexUrl:>Request is: action=12&hostid=14D14784C0A87A0501B5EBA4EC6A002F&chk=ECB899B6298CF3938EEFE23B6B79FD53&ck=FA8411D7D5904E413C7EB3F256507744&uchk=92F3BC899AF2FBB19CB8F34DF97B151C&uck=968E2C85E210519375E0E816C3E3BE97&hid=BB693268A0606DE0CC2858FB44A0553C&groupid=401160D1C0A87A0501E59F7C53417FAA&mode=0&hbt=300&as=127&cn=[hex]6462656E6E657474&lun=[hex]6462656E6E657474&udn=[hex]42414C49484F4F2E4C4F43414C
    10/08 09:23:38 [172] <GetIndexFileRequest:>http://192.168.122.5:8014/secars/secars.dll?h=0D41D3ED89B5A6F53087B5BB03552C580447DACE5F4F8EB570C5C3BD1ED031B3D05CA469000264E0DE1F9CA3F5396C26E37545B5CD0F3C4B7DA02B0B9BE95571A62B4FD5F04524D307625382E5ED9E14556F5DB3BA5235F82D0834E449AA3FEC779D037974DC2CBC093F4D6389A4F732BE12D8E8DEA0F332EE4C01D4310C250D54A9BEED75B84F63FEF41CC23CC6426EBE171734C95E9814CAD52B7622E8C08729148E604FB30C73E0905B0797565B82E3799EA4DF5226A9227F2BDA03DB5650C6A1A34B560592BB0A74CDB8CC83EAFC5B06BE25B0A69CDC6CCC982FED28A77680B2A8D861B933BE70A9706E6982431673ED9808DE8AD25BE3CE14A9225D394587104097336CDFDF28382FA8EAC35F0772A1AB893313FC2C3007A32BB9EFC3F6E2D6FAB191A478BD73CB803C79B71FB17DF18ECEE57439513514D494A3D1B7AA92B0C7D99A085E5ABDB18DD577CAB8691928952D1DA31EDF3B92D784E1AD8DADCEEF0E425D7AB49FED635E2677BDD4489F069315446D9295C2C12E597FD39FD6DD6A92317971BE8691643EFB8521679B
    10/08 09:23:38 [172] <GetIndexFileRequest:>SMS return=200
    10/08 09:23:38 [172] <ParseHTTPStatusCode:>200=>200 OK
    10/08 09:23:38 [172] <FindHeader>Sem-HashKey:=>ECB899B6298CF3938EEFE23B6B79FD53
    10/08 09:23:38 [172] <FindHeader>Sem-LANSensor:=>0
    10/08 09:23:38 [172] <FindHeader>Sem-Signatue:=>633E41E3A07D9A8CBEBA513F78FA76982ED7EB64BD134F69499C644B485C9963A2BA5A92705E074FE0D9A8D1F57CB4B698185A2874CCF02EC0F08C18DFFD86B8C12705117F53A3C0B539719ABA31AFAC1FDBD24045F0D01DD21877C0ABAE7572411D0C3FBD94973E85EA1A5A263D59EC3EF566F5D55AC4C5262026E61F5A3C5E
    10/08 09:23:38 [172] <mfn_DoGetIndexFile200>Content Lenght => 1253
    10/08 09:23:38 [172] <mfn_DoGetIndexFile200>Signature verification FAILED for Index File Content..
    10/08 09:23:38 [172] <GetIndexFileRequest:>RECEIVE STAGE COMPLETED
    10/08 09:23:38 [172] <GetIndexFileRequest:>COMPLETED
    10/08 09:23:38 [172] <IndexHeartbeatProc>GetIndexFile handling status: 101
    10/08 09:23:38 [172] <IndexHeartbeatProc>Switch Server flag=0
    10/08 09:23:38 [172] HEARTBEAT: Check Point 5.1
    10/08 09:23:38 [172] <ScheduleNextUpdate>new scheduled heartbeat=64 seconds
    10/08 09:23:38 [172] HEARTBEAT: Check Point 8
    10/08 09:23:38 [172] Get Next Server!
    10/08 09:23:38 [172] <IndexHeartbeatProc>switch to another server
    10/08 09:23:38 [172] <DecrementScheduleTime:>New scheduled heartbeat=32 seconds
    10/08 09:23:39 [172] HEARTBEAT: Check Point 1
    10/08 09:23:39 [172] HEARTBEAT: Check Point 2
    10/08 09:23:39 [172] <PostEvent>going to post event=EVENT_SERVER_CONNECTING
    10/08 09:23:39 [172] <PostEvent>done post event=EVENT_SERVER_CONNECTING, return=0

    ---------------------------------------------

    The signature verification failed lines are obviously relevant. I followed the steps here: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007111311223900 . Our clients list is synced up against Active Directory, so I couldn't delete the clients, so I removed that link and created groups for them manually, but I get the same behavior and the same messages. Any ideas?
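
Added example, not part of the original post or of any Symantec tooling: a Python script that groups a SylinkMonitor log like the one above into index-file requests and separates HTTP-level failures from rejected server signatures. The sample lines are constructed from the format shown in the post, and the verdict labels are this example's own names.

```python
import re

# Constructed sample: abridged from the SylinkMonitor format in the post above,
# with the long hex query string replaced by a placeholder.
SAMPLE_LOG = """\
10/08 09:23:38 [172] <GetIndexFileRequest:>http://beagle:8014/secars/secars.dll?h=PLACEHOLDER
10/08 09:23:38 [172] <GetIndexFileRequest:>SMS return=200
10/08 09:23:38 [172] <mfn_DoGetIndexFile200>Signature verification FAILED for Index File Content..
10/08 09:23:38 [172] <GetIndexFileRequest:>http://192.168.122.5:8014/secars/secars.dll?h=PLACEHOLDER
10/08 09:23:38 [172] <GetIndexFileRequest:>SMS return=200
10/08 09:23:38 [172] <mfn_DoGetIndexFile200>Signature verification FAILED for Index File Content..
"""

LINE = re.compile(r"^\s*(\d\d/\d\d \d\d:\d\d:\d\d) \[\w+\] (.*)$")
URL = re.compile(r"<GetIndexFileRequest:>https?://([^/\s]+)/")
STATUS = re.compile(r"<GetIndexFileRequest:>SMS return=(\d+)")

def classify(attempt):
    """Separate transport/HTTP failures from a rejected server signature."""
    if attempt["http"] is None:
        return "no-response"           # request logged, no status came back
    if attempt["http"] != 200:
        return "http-error"            # failed before any signature check
    if attempt["sig_failed"]:
        return "signature-mismatch"    # server reachable, its signature rejected
    return "no-failure-logged"

def triage(log_text):
    """Return one record per index-file request found in the log."""
    attempts, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, msg = m.groups()
        url = URL.search(msg)
        if url:                        # a new request starts a new attempt
            current = {"time": ts, "server": url.group(1),
                       "http": None, "sig_failed": False}
            attempts.append(current)
        elif current is not None:
            status = STATUS.search(msg)
            if status:
                current["http"] = int(status.group(1))
            elif "Signature verification FAILED" in msg:
                current["sig_failed"] = True
    for a in attempts:
        a["verdict"] = classify(a)
    return attempts
```

Run over the full log, every request that returns 200 and then logs the signature failure is reported as `signature-mismatch`, whichever server name or IP the client tried.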



  • 6.  RE: Clients Dropping Connections

    Posted Oct 09, 2009 03:09 AM

    Can you try resetting the iuser password and entering the same one in the IIS manager?


  • 7.  RE: Clients Dropping Connections

    Posted Oct 14, 2009 09:38 PM

    Thanks for the Sylink log. This tells us that you are NOT having an IIS or iuser problem.
    From what you described, it sounds like your database and server have mismatched certificates. When this happens the Sylink file will contain one certificate, but they are actually signed with a different certificate. SEPM signs the certificates using the private certificate stored in Tomcat. But it publishes the public certificate from the database. They are supposed to match, but if they don't, you get this type of situation.

    What you need to do is get the database and the SEPM server to agree on the same certificate.

    Try to re-import your certificate. This should trigger a database update of your current certificate. After that the Sylink file should be updated and you can drop it onto the client computers.

    Steps:

    1. Copy your certificate and certificate password to a safe location.
      The certificate is located under %SEPM Install Dir%\tomcat\etc\keystore.jks.
      The password is located under %SEPM Install Dir%\tomcat\config\server.xml.
      Copy both files to a safe location.
    2. Log into SEPM and re-import your certificate using Admin --> Servers --> (Select your server) --> Tasks --> Manage Server Certificate
    3. Select Update Certificate and point to the copy you made of keystore.jks. The password (for both fields) is located in the server.xml under the value "keystorePass".
    4. Restart your SEPM server so the certificate change takes effect.
    Now if you open an old Sylink file from the clients and compare it to the new sylink files on the server, you should see that the certificate entries are different. Put the new Sylink file on the client and see if they connect.
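
The comparison described in the last paragraph of the post above, as an added example that is not part of the original post or of SEPM: it fingerprints the certificate entries in two Sylink files and reports whether they differ. The `Certificate` element name, its `Name` attribute, the helper names and the sample documents are assumptions made for illustration; adjust `tag` to match a real sylink.xml.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

def make_sylink(cert_bytes, wrap=False):
    """Build a constructed Sylink-like document around dummy certificate bytes."""
    b64 = base64.b64encode(cert_bytes).decode()
    if wrap:                              # exported files may wrap long base64
        b64 = b64[:8] + "\n      " + b64[8:]
    return ("<ServerSettings><CommConf><ServerCertList>"
            f'<Certificate Name="beagle">{b64}</Certificate>'
            "</ServerCertList></CommConf></ServerSettings>")

def cert_fingerprints(sylink_xml, tag="Certificate"):
    """Map SHA-256 fingerprint -> entry name for every certificate element."""
    found = {}
    for el in ET.fromstring(sylink_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != tag:       # ignore any XML namespace
            continue
        body = "".join((el.text or "").split())    # drop line wraps and indents
        if not body:
            continue
        try:
            raw = base64.b64decode(body, validate=True)
        except ValueError:                         # not base64: hash the text
            raw = body.encode()
        found[hashlib.sha256(raw).hexdigest()] = el.get("Name", "(unnamed)")
    return found

def compare_sylink(old_xml, new_xml):
    """Say whether the new file carries a different certificate than the old."""
    old, new = cert_fingerprints(old_xml), cert_fingerprints(new_xml)
    if not old or not new:
        return "missing-certificate"
    if set(old) == set(new):
        return "same-certificate"
    return "certificate-changed"

if __name__ == "__main__":
    old = make_sylink(b"constructed old certificate")
    new = make_sylink(b"constructed new certificate", wrap=True)
    print(compare_sylink(old, new))
```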


  • 8.  RE: Clients Dropping Connections

    Posted Oct 15, 2009 12:30 AM
    Try to export the sylink.xml from the newly installed SEPM server, then replace the old one on the SEP client and see how it goes.