Hi All,

As we have installed Symantec end point protection 12.1 on windows server 2012 but we are facing some issue.

Symantec endpoint protection is blocking active directory replication where our company user is facing lock account issue so please any one can suggest how we can solve this issue.

Please provide better soloution whereby windows server 2012 active directory can be run easily and dont be replicate.

Thanks

Naivedya

What SEP feature do you have installed ?

If you have installed AV,PTP and NTP feature try to installed on AV feature only

Best Practices for Installing Symantec Endpoint Protection (SEP) on Windows Servers

Verifying SEP Exceptions for Windows Server 2008 and Windows Server 2003 Domain Controllers

You need to allow this thru the SEP fw.

See list of ports here:

http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx

Hi brian,

I am not getting your point.

Can I solve through Symantec  client ?

Can I stop Symantec Firewall so that it won't be block Windows 2012 server AD Replication.

Hi james,

Could you please tell me, I am planning to disbale Network threat protection "Firewall" of Symantec client might be it won't be blocked Windows server 2012 Replication.

Thanks

Naivedya

You can remove NTP feature through SEPM console

How to add or remove features to existing Symantec Endpoint Protection (SEP) client installations

Why don't you just add the necessary rules to the SEP firewall to allow this traffic? If you disable NTP, you lose an important security function.

Hi Brian,

I have uninstalled NTP from Symantec client on windows server 2012 but you said right that I just add the necessary rules to the SEP firewall.

brian Please guide me how do I add some feature whereby they don't be block active directory replication and don't need to be uninstalled NTP.

I am thankful to you.

Thanks

Naivedya

Hi james

I have uninstalled NTP from Symantec client on windows server 2012 and this is working fine also and windows server 2012 active directory replication is working good.

but james please guide me how do I add some feature whereby they don't be block active directory replication and don't need to be uninstalled NTP.

I am thankful to you.

Thanks

Naivedya

You can Allow Port in SEPM firewall

https://www-secure.symantec.com/connect/videos/configuring-endpoint-protection-firewall-rule-wcaptions

Adding a new firewall rule

Ports required for Domain Joining and DC to ADC replication or vice versa

389 - LDAP
123 - Time
135 - RPC
443 - SMB
636 - LDAP over SSL
3268 - Global Catalog
88 - Kerberos
53 - DNS
 

Hi james,

Is this possible

Do i add my some computer in group and I want to network threat protection are being disable to automatically on theirs group computers.

Means

When I again move any machine on that group then it will be automatically remove network threat protection of that machine as he moves on that group.

I want to add a policy or firewall policy or etc. .. in that group where network threat protection will be disbaled by policy on that group.

Thanks

Naivedya

Yes you can assgin specify package that Group.

Hi james,

Please giude me in detail.

Thnaks for your support.

Thanks

Naivedya

To modify installed features for managed clients

1. In Symantec Endpoint Protection Manager (SEPM), click Admin.
2. Click Install Packages on the bottom.
3. Click Client Install Feature Set on the top.
4. If a feature set that meets the required needs does not exist, then choose Add Client Install Feature Set.
5. Give the feature set a unique name.
6. Select the features needed (Antivirus/Antispyware, Network Threat Protection, Proactive Threat Protection).
7. Choose OK.
8. On the left, click Clients.
9. Select the group with the SEP clients in it, and then click the Install Packages tab in the right pane.
10. Under Tasks, choose Add Client Install Package.
11. In that screen, select the correct package in the drop down menu for use with this group (32 bit or 64 bit base install files). Both packages can be separately assigned to the same group.
12. Uncheck Maintain existing client features when updating.
13. Below that, select the feature set needed from the dropdown menu.
14. If Upgrade Schedule is not selected, then clients will receive the instructions to change their installation when they check in with the manager. This launches MSIEXEC on the client.
15. After the installation completes, a restart is required if the change installs or uninstalls Network Threat Protection

http://www.symantec.com/business/support/index?page=content&id=TECH90936

Thanks You So much james

Hi james,

As pe the video.

'"The firewall runs only on desktop and laptop computers. It is not installed on servers that also run Endpoint Protection."

But here we are using windows server 2012 so how can i allow above ports on firewall.

"The firewall runs only on desktop and laptop computers. It is not installed on servers that also run Endpoint Protection."

You can create Firewall policies and assgin in server client group

If you have received your answer please update your thread (Mark A Solution).If multiple post help you please select the "Request split solution "Option

Follow this:

How to add or remove features to existing Symantec Endpoint Protection (SEP) client installations