Endpoint Protection

I have SEPM installed on a server.  Also, I have SEP installed on that same server and three other workstation computers.  The workstation computers are communicating fine (with green dot).  I cannot get SEP on the server to communicate with SEPM (no green dot).  I have fought with this for a while now.  I have scoured the forums and tried every suggestion without success.  Since all other SEP clients are communicating, I have pretty much ruled out IIS.  I think it must be an issue with the server's SEP.  Can anyone help?

Hi,

what about the secars  test?
Open the browser in your server and open this URL:
http://localhost:8014 (the port for the communication with the clients)/secars/secars.dll?hello,secars
test again with the IP address and the hostname.
What are the results?

Regards,

localhost works
ip address asks for username and password (but works if I put in admin password)
hostname works

Well, if your SEP is trying to connect to your SEPM via the IP, it cannot do it because it does not know the credentials but it should be able to connect via the hostname... maybe the hostname is not in your Management Servers List or you changed it, therefore it is not the sylink.xml file. Search for this file and check the servers list inside. If it is not good, don't fix the file but the servers list in the SEPM.

Regards,

no ip address in sylink.xml, just hostname

Hello KCS,

If you tried all the steps,sylink.xml wil always have ip address and host name with port number in it..

i'm sure you would have tried replacing the sylink file too ( from the one which is communicating fine)

I came across issues like these before ,the final thing would be to reset the password of you IIS

seems the client is not able to get in with those anonymous credentials.

check this log

C:\Windows\System32\LogFiles\W3SVC1

and look for your server IP, might have some 403 error

Reset IIS password i'm sure that it would work


hope you tried this doc

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/d947c52b7da1384a652574e30049221e?OpenDocument

http://support.microsoft.com/kb/332167

let me know if this was helpful

This theory does not explain why the other clients are able to connect to the server. I think it is better to have a look at the sylink.log.
http://service1.symantec.com/support/ent-security.nsf/docid/2008041812561948

If your client has only Hostname in Sylink.xml that can cause problems in case the client is not able to resolve name to ip..

Better add a new Management Server List and add IP: 8014 and Hostname:8014  and assign it to all the groups.

One thing you can check in IIS...Symantec Webserver -Properties-- Directory security- IP address and Domain name restrictions and see if everything isallowed or localhost is denied..i have seen localhost denied in few cases..

Seems like you might have edited your host file

is this what you have in host file 127.0.0.1 localhost
or you have ip address added

This is the first time i have seen a sylink file without ip address..:) 

Hi Giuseppe.axe,

i'm working about anonymous access coz, secars is the test used for communication, as i mentioned earlier, its not between manager or client
but between browser and IIS secars virutal direcory
(remember clients use settings configued in browser for communication, its HTTP right)

when you try secars, its asking for ID and Pass ( that means your anonymous is not working , am i wrong ?)

similarly the client is making the same request in the background and its been asked for authentication..

if the user is okay, put admin account in iis, the client will communicate.

P.S : putting admin id and pass in IIS is very very bad security practice, just to narrow down the issue, u might try

I was with SEP support in Symantec this is my understanding, please correrct me if i'm wrong

Rafeeq,

the client and the server are on the same machine, so i hope it can resolve its own name to ip.

here's my sylink log.  i had turned debugging on and the log file just kept growing and growing.  I tried to tell what was getting repeated and only copied the first section.  let me know if this is not enough.

07/22 16:31:11 [804] ~~~Sylink log started. (SEP Product Version in registry: 11.0.4202.75, Sylink File Version: 11.0.4202.51)
07/22 16:31:11 [804] Stored HostGUID=¡‚|x; outlen=0
07/22 16:31:11 [804] <RestoreSettings>Stored UserGuid=0; outlen=2
07/22 16:31:11 [804] <mfn_DecodeSSN>Sygate-SSN=8
07/22 16:31:11 [804] <mfn_DecodeSSN>Read CSN=9
07/22 16:31:11 [804] <mfn_DecodeSSN>Sygate-SSN=102
07/22 16:31:11 [804] <mfn_DecodeSSN>Read CSN=103
07/22 16:31:11 [804] Product Type=2,Major Ver=5,Minor Ver=2,Platform ID=2,OSType=33882626
07/22 16:31:11 [804] OS=Windows Server 2003 family Standard Edition; number=5.2.3790
07/22 16:31:11 [804] SyLinkCreateInstance => Instance created: 01C28D68 Registry path: SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK
07/22 16:31:11 [804] <GetOnlineNicInfo>:Netport Count=1
07/22 16:31:11 [804] <GetOnlineNicInfo>:NicInfo<SSANICs><SSANIC Ip="10.1.6.2" Mac="00-c0-9f-38-11-cb" Gateway="10.1.6.1" SubnetMask="0.0.0.0"/></SSANICs>
07/22 16:31:11 [804] SyLinkCreateConfig => Created instance: 01C26058
07/22 16:31:11 [804] UseNewConfig => Created m_hNewConfig: 01C26058
07/22 16:31:11 [804] Importing ConfigObject: 01C071B8 into: 01C26058
07/22 16:31:11 [804] Importing ConfigObject: 01C071B8 into: 01C09468
07/22 16:31:11 [804] <PostEvent>stopping...ignore event ID=EVENT_SYLINK_CONFIG_SETTING_CHANGED
07/22 16:31:11 [804] SSA packageType is set as 105
07/22 16:31:11 [804] SyLinkDeleteConfig => Deleting instance: 01C071B8
07/22 16:31:11 [804] SyLinkCreateConfig => Created instance: 01C27300
07/22 16:31:11 [804] Importing ConfigObject: 010C8D30 into: 01C27300
07/22 16:31:11 [804] SyLinkCreateConfig => Created instance: 01C0C008
07/22 16:31:11 [804] Importing ConfigObject: 010CA358 into: 01C0C008
07/22 16:31:11 [804] SyLinkCreateConfig => Created instance: 01C0D2B0
07/22 16:31:11 [804] Importing ConfigObject: 010CBA38 into: 01C0D2B0
07/22 16:31:11 [804] SyLinkCreateConfig => Created instance: 01C0E558
07/22 16:31:11 [804] Importing ConfigObject: 010CD158 into: 01C0E558
07/22 16:31:11 [804] SyLinkCreateConfig => Created instance: 01C0F800
07/22 16:31:11 [804] Importing ConfigObject: 010CE878 into: 01C0F800
07/22 16:31:11 [804] SyLinkCreateConfig => Created instance: 01C10AA8
07/22 16:31:11 [804] Importing ConfigObject: 010CFF98 into: 01C10AA8
07/22 16:31:11 [804] SyLinkCreateConfig => Created instance: 01C11E88
07/22 16:31:11 [804] Importing ConfigObject: 010D1678 into: 01C11E88
07/22 16:31:11 [804] SyLinkCreateConfig => Created instance: 01C13130
07/22 16:31:11 [804] Importing ConfigObject: 010D2D98 into: 01C13130
07/22 16:31:11 [804] SyLinkCreateConfig => Created instance: 01C143D8
07/22 16:31:11 [804] Importing ConfigObject: 010D44B8 into: 01C143D8
07/22 16:31:11 [804] SyLinkCreateConfig => Created instance: 01C15680
07/22 16:31:11 [804] Importing ConfigObject: 010D60F8 into: 01C15680
07/22 16:31:11 [804] <SetHiStatus>HI status is changed to=3; reason=0; rule=Host Integrity check is disabled.
Host Integrity policy has been disabled by the administrator.
07/22 16:31:12 [804] SyLinkCreateConfig => Created instance: 0277A520
07/22 16:31:12 [804] Importing ConfigObject: 010C8D30 into: 0277A520
07/22 16:31:12 [804] SyLinkCreateConfig => Created instance: 0277BAA8
07/22 16:31:12 [804] Importing ConfigObject: 010CA358 into: 0277BAA8
07/22 16:31:12 [804] SyLinkCreateConfig => Created instance: 0277D030
07/22 16:31:12 [804] Importing ConfigObject: 010CBA38 into: 0277D030
07/22 16:31:12 [804] SyLinkCreateConfig => Created instance: 0277E5B8
07/22 16:31:12 [804] Importing ConfigObject: 010CD158 into: 0277E5B8
07/22 16:31:12 [804] SyLinkCreateConfig => Created instance: 0277FB20
07/22 16:31:12 [804] Importing ConfigObject: 010CE878 into: 0277FB20
07/22 16:31:12 [804] SyLinkCreateConfig => Created instance: 027810A8
07/22 16:31:12 [804] Importing ConfigObject: 010CFF98 into: 027810A8
07/22 16:31:12 [804] SyLinkCreateConfig => Created instance: 02782630
07/22 16:31:12 [804] Importing ConfigObject: 010D1678 into: 02782630
07/22 16:31:12 [804] SyLinkCreateConfig => Created instance: 02783BB8
07/22 16:31:12 [804] Importing ConfigObject: 010D2D98 into: 02783BB8
07/22 16:31:12 [804] SyLinkCreateConfig => Created instance: 02785140
07/22 16:31:12 [804] Importing ConfigObject: 010D44B8 into: 02785140
07/22 16:31:12 [804] SyLinkCreateConfig => Created instance: 02786870
07/22 16:31:12 [804] Importing ConfigObject: 010D60F8 into: 02786870
07/22 16:31:12 [804] SyLinkCreateConfig => Created instance: 0286D248
07/22 16:31:12 [804] Importing ConfigObject: 027810A8 into: 0286D248
07/22 16:31:12 [804] Exporting to sylink.xml
07/22 16:31:12 [804] SyLinkCreateConfig => Created instance: 02891F68
07/22 16:31:12 [804] UseNewLocationConfig => Created m_hNewLocationConfig: 02891F68
07/22 16:31:12 [804] Importing ConfigObject: 0286D248 into: 02891F68
07/22 16:31:12 [804] Importing ConfigObject: 0286D248 into: 01C26058
07/22 16:31:12 [804] Importing ConfigObject: 0286D248 into: 01C09468
07/22 16:31:12 [804] <PostEvent>stopping...ignore event ID=EVENT_SYLINK_CONFIG_SETTING_CHANGED
07/22 16:31:12 [804] Set current location=0210E1F30A010102014F7541B9693B74
07/22 16:31:12 [804] Exporting to sylink.xml
07/22 16:31:12 [804] Exporting to sylink.xml
07/22 16:31:12 [804] Exporting to sylink.xml
07/22 16:31:12 [804] Exporting to sylink.xml
07/22 16:31:12 [804] Exporting to sylink.xml
07/22 16:31:12 [804] Exporting to sylink.xml
07/22 16:31:12 [804] Exporting to sylink.xml
07/22 16:31:12 [804] Exporting to sylink.xml
07/22 16:31:12 [804] Exporting to sylink.xml
07/22 16:31:12 [804] Exporting to sylink.xml
07/22 16:31:13 [804] Exporting to sylink.xml
07/22 16:31:13 [804] Exporting to sylink.xml
07/22 16:31:13 [804] Exporting to sylink.xml
07/22 16:31:13 [804] Exporting to sylink.xml
07/22 16:31:13 [804] Exporting to sylink.xml
07/22 16:31:13 [804] Exporting to sylink.xml
07/22 16:31:13 [804] Exporting to sylink.xml
07/22 16:31:13 [804] Exporting to sylink.xml
07/22 16:31:13 [804] Exporting to sylink.xml
07/22 16:31:13 [804] Exporting to sylink.xml
07/22 16:31:13 [804] Exporting to sylink.xml
07/22 16:31:13 [804] Exporting to sylink.xml
07/22 16:31:13 [804] Exporting to sylink.xml
07/22 16:31:13 [804] Exporting to sylink.xml
07/22 16:31:13 [804] Exporting to sylink.xml
07/22 16:31:13 [804] Exporting to sylink.xml
07/22 16:31:13 [804] Exporting to sylink.xml
07/22 16:31:13 [804] Exporting to sylink.xml
07/22 16:31:13 [804] Exporting to sylink.xml
07/22 16:31:13 [804] Exporting to sylink.xml
07/22 16:31:13 [804] SyLinkDeleteConfig => Deleting instance: 0286D248
07/22 16:31:13 [808] <ScheduleNextUpdate>Manually assigned heartbeat=1 seconds
07/22 16:31:13 [1216] SyLinkDeleteConfig => Deleting instance: 01AFEBB0
07/22 16:31:13 [1216] SyLinkDeleteConfig => Deleting instance: 01B00138
07/22 16:31:13 [1216] SyLinkDeleteConfig => Deleting instance: 01B016C0
07/22 16:31:13 [1216] SyLinkDeleteConfig => Deleting instance: 01B02C48
07/22 16:31:13 [1216] SyLinkDeleteConfig => Deleting instance: 01B041D0
07/22 16:31:13 [1216] SyLinkDeleteConfig => Deleting instance: 01B05758
07/22 16:31:13 [1216] SyLinkDeleteConfig => Deleting instance: 01B06CE0
07/22 16:31:13 [1216] SyLinkDeleteConfig => Deleting instance: 01B08268
07/22 16:31:13 [1216] SyLinkDeleteConfig => Deleting instance: 01B097F0
07/22 16:31:13 [1216] SyLinkDeleteConfig => Deleting instance: 01B0AF20
07/22 16:31:13 [1216] <ScheduleNextUpdate>Manually assigned heartbeat=1 seconds
07/22 16:31:13 [804] <CSyLink::Start()>
07/22 16:31:13 [804] <CSyLink::ImportConfigFile()>
07/22 16:31:13 [804] </CSyLink::ImportConfigFile()>
07/22 16:31:37 [804] <GetDomainHostName>msz_DomainName is taken from wszDomainName
07/22 16:31:37 [804] <GetDomainHostName>DomainName (Final)=kcsc.local
07/22 16:31:37 [804] *********Netport Count=1
07/22 16:31:37 [804] Physical: Local Area Connection::00-c0-9f-38-11-cb::intel(r) pro/1000 mt network connection
07/22 16:31:37 [804] MAC=00-c0-9f-38-11-cb# Wireless=
07/22 16:31:37 [804] Hardwire String=00-c0-9f-38-11-cb#
07/22 16:31:37 [804] <Start>Unable to create Session with 'User Proxy' settings - Proxy Server: Error Code: 87
07/22 16:31:37 [804] <Start>Unable to create Session with 'No Proxies' settings - Error Code: 87
07/22 16:31:37 [2840] <HeartbeatThreadProc:>Thread is about to begin..
07/22 16:31:37 [2836] Successfully created the heartbeat thread
07/22 16:31:37 [804] <Start>Started, contact SMS every 300 seconds
07/22 16:31:37 [804] <PostEvent>going to post event=EVENT_SYLINK_CONFIG_SETTING_CHANGED
07/22 16:31:37 [804] <PostEvent>done post event=EVENT_SYLINK_CONFIG_SETTING_CHANGED, return=0
07/22 16:31:37 [2844] <CExpBackoff::CExpBackoff()>
07/22 16:31:37 [2844] </CExpBackoff::CExpBackoff()>
07/22 16:31:37 [804] </CSyLink::Start()>
07/22 16:31:37 [804] Exporting to sylink.xml
07/22 16:31:37 [804] Exporting to sylink.xml
07/22 16:31:37 [804] Exporting to sylink.xml
07/22 16:31:37 [804] Exporting to sylink.xml
07/22 16:31:37 [804] Exporting to sylink.xml
07/22 16:31:37 [804] Exporting to sylink.xml
07/22 16:31:37 [804] Exporting to sylink.xml
07/22 16:31:37 [804] Exporting to sylink.xml
07/22 16:31:37 [804] Exporting to sylink.xml
07/22 16:31:37 [804] Exporting to sylink.xml
07/22 16:31:38 [2840] <CheckHeartbeatTimer>====== Heartbeat loop starts at 16:31:38 ======
07/22 16:31:38 [2840] <GetOnlineNicInfo>:Netport Count=1
07/22 16:31:38 [2840] <GetOnlineNicInfo>:NicInfo<SSANICs><SSANIC Ip="10.1.6.2" Mac="00-c0-9f-38-11-cb" Gateway="10.1.6.1" SubnetMask="0.0.0.0"/></SSANICs>
07/22 16:31:39 [808] SyLinkCreateConfig => Created instance: 0286D248
07/22 16:31:39 [808] Importing ConfigObject: 01C09468 into: 0286D248
07/22 16:31:39 [808] SyLinkDeleteConfig => Deleting instance: 0286D248
07/22 16:32:21 [804] <SetClientAuth>Received new User/Domain from SMC.. User: admin User Domain: KCSC
07/22 16:32:21 [804] <SetClientAuth>Getting RDNS Domain Name (user domain in AD setup)..
07/22 16:32:21 [804] <GetLoginRdnsDomain>DNS domain=KCSC.LOCAL
07/22 16:32:21 [804] <SetClientAuth>Setting the User Domain to RDNS Domain ..
07/22 16:32:21 [804] <SetClientAuth>Logged in user info set to: KCSC.LOCAL/admin
07/22 16:32:21 [804] <SetClientAuth>Marking User Change Notify to redo registration..
07/22 16:32:23 [2840] <CalcAgentHashKey>:CH=EC7EAF810A010102019EF8A0148E0F1D1ob_srvrkcsc.local00A170FC1C32E8CEDCD10BE104F58579
07/22 16:32:23 [2840] <CalcAgentHashKey>:CHKey=3BAF7FC02D51CCF37B8C00C3054ABCBE
07/22 16:32:23 [2840] <CalcAgentHashKey>:C=EC7EAF810A010102019EF8A0148E0F1D1ob_srvrkcsc.local
07/22 16:32:23 [2840] <CalcAgentHashKey>:CKey=0EF67E615803FEDC188D06348BF9D95A
07/22 16:32:23 [2840] <CalcAgentHashKey>:UCH=EC7EAF810A010102019EF8A0148E0F1D0adminKCSC.LOCALob_srvrkcsc.local00A170FC1C32E8CEDCD10BE104F58579
07/22 16:32:23 [2840] <CalcAgentHashKey>:UCHKey=F611713DF19D73215D7EFFF849827E01
07/22 16:32:23 [2840] <CalcAgentHashKey>:UC=EC7EAF810A010102019EF8A0148E0F1D0adminKCSC.LOCALob_srvrkcsc.local
07/22 16:32:23 [2840] <CalcAgentHashKey>:UCKey=53E4C4B214F051C592E5A142527F846E
07/22 16:32:23 [2840] <DoHeartbeat>HardwareID=00A170FC1C32E8CEDCD10BE104F58579
07/22 16:32:23 [2840] <DoHeartbeat>CHKey=3BAF7FC02D51CCF37B8C00C3054ABCBE
07/22 16:32:23 [2840] <DoHeartbeat>CKey=0EF67E615803FEDC188D06348BF9D95A
07/22 16:32:23 [2840] <DoHeartbeat>UCHKey=F611713DF19D73215D7EFFF849827E01
07/22 16:32:23 [2840] <DoHeartbeat>UCKey=53E4C4B214F051C592E5A142527F846E
07/22 16:32:23 [2840] <DoHeartbeat> Set heartbeat event
07/22 16:32:23 [2840] Use new Location Communication Setting
07/22 16:32:23 [2840] Importing ConfigObject: 02891F68 into: 01C09468
07/22 16:32:23 [2840] <ScheduleNextUpdate>Manually assigned heartbeat=1 seconds
07/22 16:32:23 [2840] <PostEvent>going to post event=EVENT_SYLINK_CONFIG_SETTING_CHANGED
07/22 16:32:23 [2840] <PostEvent>done post event=EVENT_SYLINK_CONFIG_SETTING_CHANGED, return=0
07/22 16:32:23 [2840] <RegHeartbeatProc>====== Reg Heartbeat loop starts at 16:32:23 ======
07/22 16:32:24 [2840] HEARTBEAT: Check Point 1
07/22 16:32:24 [2840] <GetFirstSEMServer> Selecting a random server
07/22 16:32:24 [2840] <GetFirstServer> Using server 'ob_srvr'
07/22 16:32:24 [2840] HEARTBEAT: Check Point 2
07/22 16:32:24 [2840] <PostEvent>going to post event=EVENT_SERVER_CONNECTING
07/22 16:32:24 [2840] <PostEvent>done post event=EVENT_SERVER_CONNECTING, return=0
07/22 16:32:24 [2840] HEARTBEAT: Check Point 3
07/22 16:32:24 [2840] <RegHeartbeatProc>Setting the session timeout on Profile Session (Registration) to 30000
07/22 16:32:24 [2840] HEARTBEAT: Check Point 4
07/22 16:32:24 [2840] <RegHeartbeatProc>===Registration STAGE===
07/22 16:32:24 [2840] <MakeRegisterData:>logon id (domain/user)=KCSC.LOCAL/admin
07/22 16:32:24 [2840] <MakeRegisterData:>XML data: <?xml version="1.0" encoding="UTF-8" ?><SSARegData NameSpace="rpc"><AgentInfo DomainID="EC7EAF810A010102019EF8A0148E0F1D" AgentType="105" UserDomain="KCSC.LOCAL" LoginUser="admin" ComputerDomain="kcsc.local" ComputerName="ob_srvr" PreferredGroup="C%3a%5cProgram%20Files%5cSymantec%5cSymantec%20Endpoint%20Protection%20Manager%5cdata%5coutbox%5cagent%5c2F3552D80A01010200C418A890610136" PreferredMode="1" HardwareKey="00A170FC1C32E8CEDCD10BE104F58579" SiteDomainName=""/>
<SSAHostInfo><NetworkIdentity UserDomain="KCSC.LOCAL" LogonUser="admin" HostDomain="kcsc.local" HostName="ob_srvr" HostDesc="" />
<SSAProduct Version="11.0.4202.75" />
<SSAOS Version="5.2.3790" Desc="Windows%20Server%202003%20family%20Standard%20Edition" Type="33882626" ServicePack="Service%20Pack%202"/>
<Processor ProcessorType="x86%20Family%2015%20Model%202%20Stepping%209" ProcessorClock="3056" ProcessorNum="2"/>
<Memory Size="4227219456"/>
<BIOS Version="DELL%20%20%20-%201"/>
<TpmDevice Id="0"/>
<SSAProfile Version="5.0.0" SerialNumber="2F35-07%2f20%2f2009%2005%3a06%3a48%20046"/>
<SSAIDS Version="" SerialNumber=""/>
<SSAUTC Bias="360" />
<DNSs><DNS Address="10.1.6.2"/></DNSs>
<SSANICs><SSANIC Ip="10.1.6.2" Mac="00-c0-9f-38-11-cb" Gateway="10.1.6.1" SubnetMask="0.0.0.0"/></SSANICs>
</SSAHostInfo>
</SSARegData>
07/22 16:32:24 [2840] <SyLink>[MakeRegisterData] registration Hardware Key=00A170FC1C32E8CEDCD10BE104F58579
07/22 16:32:24 [2840] ************Reg CSN=104
07/22 16:32:24 [2840] <mfn_GenPostData (for Registration):>Request is: s_origin_length: 1308
s_session_id: 00A170FC1C32E8CEDCD10BE104F58579
Sygate-SSN: 104
<?xml version="1.0" encoding="UTF-8" ?><SSARegData NameSpace="rpc"><AgentInfo DomainID="EC7EAF810A010102019EF8A0148E0F1D" AgentType="105" UserDomain="KCSC.LOCAL" LoginUser="admin" ComputerDomain="kcsc.local" ComputerName="ob_srvr" PreferredGroup="C%3a%5cProgram%20Files%5cSymantec%5cSymantec%20Endpoint%20Protection%20Manager%5cdata%5coutbox%5cagent%5c2F3552D80A01010200C418A890610136" PreferredMode="1" HardwareKey="00A170FC1C32E8CEDCD10BE104F58579" SiteDomainName=""/>
<SSAHostInfo><NetworkIdentity UserDomain="KCSC.LOCAL" LogonUser="admin" HostDomain="kcsc.local" HostName="ob_srvr" HostDesc="" />
<SSAProduct Version="11.0.4202.75" />
<SSAOS Version="5.2.3790" Desc="Windows%20Server%202003%20family%20Standard%20Edition" Type="33882626" ServicePack="Service%20Pack%202"/>
<Processor ProcessorType="x86%20Family%2015%20Model%202%20Stepping%209" ProcessorClock="3056" ProcessorNum="2"/>
<Memory Size="4227219456"/>
<BIOS Version="DELL%20%20%20-%201"/>
<TpmDevice Id="0"/>
<SSAProfile Version="5.0.0" SerialNumber="2F35-07%2f20%2f2009%2005%3a06%3a48%20046"/>
<SSAIDS Version="" SerialNumber=""/>
<SSAUTC Bias="360" />
<DNSs><DNS Address="10.1.6.2"/></DNSs>
<SSANICs><SSANIC Ip="10.1.6.2" Mac="00-c0-9f-38-11-cb" Gateway="10.1.6.1" SubnetMask="0.0.0.0"/></SSANICs>
</SSAHostInfo>
</SSARegData>
07/22 16:32:24 [2840] <SendRegistrationRequest:>http://ob_srvr:8014 [encrypted data]
07/22 16:32:24 [2840] 16:32:24=>Send HTTP REQUEST
07/22 16:32:28 [2840] 16:32:28=>HTTP REQUEST sent
07/22 16:32:28 [2840] 16:32:28=>QUERY return code
07/22 16:32:28 [2840] 16:32:28=>QUERY return code completed
07/22 16:32:28 [2840] <SendRegistrationRequest:>SMS return=401
07/22 16:32:28 [2840] <ParseHTTPStatusCode:>401=>Uninterpreted Status
07/22 16:32:28 [2840] <SendRegistrationRequest:>Content Lenght => 1539
07/22 16:32:28 [2840] HTTP returns status code=401
07/22 16:32:28 [2840] <SendRegistrationRequest:>RECEIVE STAGE COMPLETED
07/22 16:32:28 [2840] <SendRegistrationRequest:>COMPLETED, returned 5
07/22 16:32:28 [2840] HEARTBEAT: Check Point 5.1
07/22 16:32:28 [2840] <ScheduleNextUpdate>new scheduled heartbeat=32 seconds
07/22 16:32:28 [2840] HEARTBEAT: Check Point 8
07/22 16:32:28 [2840] <PostEvent>going to post event=EVENT_SERVER_DISCONNECTED
07/22 16:32:28 [2840] <PostEvent>done post event=EVENT_SERVER_DISCONNECTED, return=0
07/22 16:32:28 [2840] <RegHeartbeatProc>====== Registration Procedure stops at 16:32:28 ======
07/22 16:32:28 [2840] HEARTBEAT: Check Point 10
07/22 16:32:28 [2840] HEARTBEAT: Check Point Complete
07/22 16:32:28 [2840] <RegHeartbeatProc>Done, Heartbeat=32seconds
07/22 16:32:28 [2840] HeartbeatProcFailed to get profile with proxy setting 1
07/22 16:32:28 [2840] <CheckHeartbeatTimer>====== Heartbeat loop stops at 16:32:28 ======
07/22 16:32:39 [2836] <CSyLink::mfn_DownloadNow()>
07/22 16:32:39 [2836] </CSyLink::mfn_DownloadNow()>

As per logs it looks you are getting HTTP 401 error.Please the article given below to resolve your issue..


 Clients stop communicating with Symantec Endpoint Protection Manager (SEPM) with HTTP 401 error in Sylink log and HTTP 401.1 error in IIS log

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008032702341648

Check    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008032702341648    if this helps you.

followed that article's instructions...........no change

here's another piece i might have missed from my sylink log.  it shows an error that's not in the first part

07/22 16:33:01 [2840] <CheckHeartbeatTimer>====== Heartbeat loop starts at 16:33:01 ======
07/22 16:33:02 [2840] <GetOnlineNicInfo>:Netport Count=1
07/22 16:33:02 [2840] <GetOnlineNicInfo>:NicInfo<SSANICs><SSANIC Ip="10.1.6.2" Mac="00-c0-9f-38-11-cb" Gateway="10.1.6.1" SubnetMask="0.0.0.0"/></SSANICs>
07/22 16:33:02 [2840] <CalcAgentHashKey>:CH=EC7EAF810A010102019EF8A0148E0F1D1ob_srvrkcsc.local00A170FC1C32E8CEDCD10BE104F58579
07/22 16:33:02 [2840] <CalcAgentHashKey>:CHKey=3BAF7FC02D51CCF37B8C00C3054ABCBE
07/22 16:33:02 [2840] <CalcAgentHashKey>:C=EC7EAF810A010102019EF8A0148E0F1D1ob_srvrkcsc.local
07/22 16:33:02 [2840] <CalcAgentHashKey>:CKey=0EF67E615803FEDC188D06348BF9D95A
07/22 16:33:02 [2840] <CalcAgentHashKey>:UCH=EC7EAF810A010102019EF8A0148E0F1D0adminKCSC.LOCALob_srvrkcsc.local00A170FC1C32E8CEDCD10BE104F58579
07/22 16:33:02 [2840] <CalcAgentHashKey>:UCHKey=F611713DF19D73215D7EFFF849827E01
07/22 16:33:02 [2840] <CalcAgentHashKey>:UC=EC7EAF810A010102019EF8A0148E0F1D0adminKCSC.LOCALob_srvrkcsc.local
07/22 16:33:02 [2840] <CalcAgentHashKey>:UCKey=53E4C4B214F051C592E5A142527F846E
07/22 16:33:02 [2840] <DoHeartbeat>HardwareID=00A170FC1C32E8CEDCD10BE104F58579
07/22 16:33:02 [2840] <DoHeartbeat>CHKey=3BAF7FC02D51CCF37B8C00C3054ABCBE
07/22 16:33:02 [2840] <DoHeartbeat>CKey=0EF67E615803FEDC188D06348BF9D95A
07/22 16:33:02 [2840] <DoHeartbeat>UCHKey=F611713DF19D73215D7EFFF849827E01
07/22 16:33:02 [2840] <DoHeartbeat>UCKey=53E4C4B214F051C592E5A142527F846E
07/22 16:33:02 [2840] <DoHeartbeat> Set heartbeat event
07/22 16:33:02 [2840] Use new Location Communication Setting
07/22 16:33:02 [2840] <RegHeartbeatProc>====== Reg Heartbeat loop starts at 16:33:02 ======
07/22 16:33:02 [2840] HEARTBEAT: Check Point 1
07/22 16:33:02 [2840] <GetFirstSEMServer> Selecting a random server
07/22 16:33:02 [2840] <GetFirstServer> Using server 'ob_srvr'
07/22 16:33:02 [2840] HEARTBEAT: Check Point 2
07/22 16:33:02 [2840] <PostEvent>going to post event=EVENT_SERVER_CONNECTING
07/22 16:33:02 [2840] <PostEvent>done post event=EVENT_SERVER_CONNECTING, return=0
07/22 16:33:02 [2840] HEARTBEAT: Check Point 3
07/22 16:33:02 [2840] mfn_CreateInetSession: Session is NULL for users's proxy setting .. Communication id bound to FAIL..
07/22 16:33:02 [2840] Throw Internet Exception, Error Code=2;AH: failed to open internet.
07/22 16:33:02 [2840] CInternetException: <RegHeartbeatProc>: The system cannot find the file specified.

I think we need the sub error code, for exaple 401 1 or 401 2.... etc.
To obtain it you have to enable and post the IIS logging for the virtual folder Secars:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007100820002048

With the sub code, here we go:
http://support.microsoft.com/kb/318380

Regards,

Hi,

Just wondering if you have tried resetting the IUSR password, seems to be an interesting issue.

Rafeeq

i did reset the iuser password, no luck.  here's my iis log.

#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-07-22 16:22:28
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-07-22 16:22:28 W3SVC1 10.1.6.2 GET / - 80 - 10.1.6.2 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 401 1 0
2009-07-22 16:22:28 W3SVC1 10.1.6.2 GET /favicon.ico - 80 - 10.1.6.2 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.2;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 401 1 0
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-07-22 18:13:05
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-07-22 18:13:05 W3SVC1 10.1.6.2 GET / - 80 - 10.1.6.2 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 401 1 0
2009-07-22 18:13:05 W3SVC1 10.1.6.2 GET /favicon.ico - 80 - 10.1.6.2 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.2;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 401 1 0
2009-07-22 18:13:11 W3SVC1 10.1.6.2 GET /reporting - 80 - 10.1.6.2 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 401 1 0
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-07-22 19:37:18
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-07-22 19:37:18 W3SVC1 10.1.6.2 GET /secars/secars hello,secars 80 - 10.1.6.2 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 401 1 0
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-07-22 20:03:07
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-07-22 20:03:07 W3SVC1 10.1.6.2 GET / - 80 - 10.1.6.2 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 401 1 0
2009-07-22 20:03:11 W3SVC1 10.1.6.2 GET /reporting - 80 - 10.1.6.2 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 401 1 0
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-07-22 21:03:34
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-07-22 21:03:34 W3SVC1 10.1.6.2 GET /secars/secars.dll hello,secars 80 - 10.1.6.2 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.2;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 401 1 0
2009-07-22 21:03:34 W3SVC1 10.1.6.2 GET /favicon.ico - 80 - 10.1.6.2 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.2;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 401 1 0
2009-07-22 21:03:45 W3SVC1 127.0.0.1 GET /secars/secars.dll hello,secars 80 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.2;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 401 1 0
2009-07-22 21:03:45 W3SVC1 127.0.0.1 GET /favicon.ico - 80 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.2;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 401 1 0
2009-07-22 21:04:15 W3SVC1 10.1.6.2 GET /secars/secars.dll hello,secars 80 - 10.1.6.2 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 401 1 0

no proxy

Check this key and let us know if there any proxy information listed.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

if so, delete those after back up  , reboot the box and check if it communicates.

Rafeeq

I see that the client is trying to communicate with port 8014 and iis log has just port 80 info

if mulitple websites are host you might check the corresponding folder.

i did grab the wrong file, that was for the default site.  here's the one for symantec site

#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-07-23 18:01:56
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-07-23 18:01:56 W3SVC2 10.1.6.2 GET /favicon.ico - 8014 - 10.1.6.20 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 401 1 0
2009-07-23 18:01:56 W3SVC2 10.1.6.2 GET /favicon.ico - 8014 KCSC\support 10.1.6.20 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 404 0 2
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-07-23 18:22:27
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-07-23 18:22:27 W3SVC2 10.1.6.2 GET /favicon.ico - 8014 - 10.1.6.2 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.2;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 401 1 0
2009-07-23 18:28:12 W3SVC2 10.1.6.2 GET /favicon.ico - 8014 - 10.1.6.20 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 401 1 0

Have you checked integrated authentication in iis?

check this doc from microsoft..


http://support.microsoft.com/kb/907273


Rafeeq

i think this might be tied to my problem.  i have other SEPM servers that manage their clients fine without integrated authentication.  But on this server, i had to enable integrated authentication to log in to the SEPM console.

You can get the sylink.xml to the client that are connecting to sepm then upload it to the client that has no green dot and let see how it goes

no luck

dont take me wrong,

had a similar case when i was with symantec,
I had to put domain admin account and password, to get the client on the server to work.

after that we figured out where the problem was..

give it a try no harm, but dont keep domain account, test it and remove it immediately

after you have put domain acc and pass
do smc -stop
and smc -start

do you mean replacing the iusr account with admin in IIS?

did you try to reinstall the sep client?
can you ping the SEP Server just to check if the communication is good?

 HTTP 401.1: Denied by invalid user credentials

Your logs say its 401.1 sso it is definitely a issue with IUSR either not-synching with AD or some conflict with this user account..

If it is a AD.Add a new user to your AD.make it a member of guests and Domain users and use that account for IIS.

IF your SEPM website is on Custom website it won't affect the other websitejust add a new user for SEPM website.

When you reset the IUSR password did you give a very long and complex password ?

sorry for the time lapse in response, i've been out. 

i set directory security to use admin credentials. it worked.  why doesn't iusr?

Hello KCS,

As i mentioned earlier, it was IUSR account lacking permissions.

what you mentioned earlier holds the answer
for SEPM get to work you checked Integrated windows authentication ( you never did the same on other boxes)
Checking second worked means first option IUSR account did not work.

So we need to run SEPM without that,

Add authenticated users ( IUSR should be part of this group) to SEPM folder
after replacing permissions, by going to advanced options.
after resetting IUSR password from AD
Put the IUSR in IIS
with  password
do IIS reset
Try to start SEPM and check if client communicates

Hope

others agree now to my theory

i think we are on the right track, but now the SEP on the server and the clients is not communicating.  something still wrong with iusr?

Able to log in after adding the authenticated user account to SEPM folder?

While integrated remained unchecked?

create  a new user in AD
make him member of domain users
put him in IIS
with passs
do smc-stop
and smc -start
check if that helps to get all the clients back to sepm


Rafeeq

i had reset the iusr password, no luck.

this time i created a test user, made him a domain user, put him in IIS, restarted everything.  no luck

also, since i unchecked integrated authentication, i can open the sepm console

Double Check if the credentials are saved in IIS directory security.
Did you add this user to "Guests" and "Domain Users" 

If still it doesn't work..
Give permission for this user in C:\doc & set\all user\application data\symantec\symantec endpoint..manager and  \program files\symantec\symantec endpoint protection manager\intetpub

read,write,execute should be fine.

I am also having the same problem. today only i had logged a case with Symnatec support.

I will check the solution provided by Vikram.


Regards...
Ramji Iyyer

everything is completely working now, but I'm not sure what happened.  here's what i did

-my test user was in "Domain Users", but not "Guests", so I added him to "Guests"
-I gave my test user read & execute permissions on C:\program files\symantec\symantec endpoint protection manager
-I gave my test user read & execute permissions on C:\documents & settings\all users\application data\symantec\symantec endpoint protetion manager

at this point i still didn't have a green dot. i tried to log in to the SEPM console.  i could log in, but was immediately logged out.

-then i changed the directory security in the IIS symantec site back to IUSR from my test user, restarted IIS and everything is okay now

is there a way to get replies to this post sent to me via email?  that way, if anyone replies to me, i don't have to keep checking this site.

it seems like it was a permissions issue. in the end, the only things that changed were:

-i reset the iusr password
-removed integrated windows authentication

everything else that i changed just got changed back

On the bottom..expand subscription and check this post.

Most of the times Guest users will be disabled
so your test use will be memeber of guests and guests are disabled
and he is a member of no one.
IUSR is a limited user by default its a member of domain users
its authentication issue mentioned earlier
We all are happy that its working now.
We all learned a lot during this troubleshooting. good day !

i can't tell you guys how much i appreciate you all coming together to help me out.  i wasted DAYS on this issue.  thanks!

Its good that issue is resolved
we learn when things are complicated.
next time when something like these come up,I'm sure you will resolve it in 5 mins :)
Good Day KCS :)

Hi everyone,
I think the key here is that the remote clients can connect, but not the local client.

The reason for this is that the Sylink file contains only the host name of the SEPM Server. All the remote machines resolve the hostname to some external IP address such as 192.168.0.1. But for the client that is installed locally something else happens.
Since the hostname is the name of the local machine, the hostname is resolved to the IP address of 127.0.0.1, which is Localhost. The Localhost address is not permitted by the SEPM server. The clients >MUST< connect using an IP address other than localhost.

So, to solve the issue, update your Server Management list to include an IP address, or some full domain name that resolves to a non-localhost address. It's okay to have the server name in the list, just so there is another address that resolves to a non-localhost address.

So first fix the Management server list, and then let's fix the client on the server.
Now in the current state the client on the Server isn't connected. There is a fail-safe feature that helps the client re-connect. Right click on the cliens sheild icon and select "Update Policy" at least 6 times.  If the green light comes on, Great! If not, stop the client and manually update it's Sylink.xml file. You can use  tool called the SylinkDrop which is included on CD 2 to replace the Sylink.xml file.