Port Number | Port Type | Initiated by                          | Listening Process                 | Description
------------|-----------|---------------------------------------|-----------------------------------|--------------------------------------------------------------------------------------------------
80, 8014    | TCP       | SEP clients                           | svchost.exe (IIS)                 | Communication between the SEPM manager and SEP clients and Enforcers (8014 in MR3 and later builds, 80 in older).
443         | TCP       | SEP clients                           | svchost.exe (IIS)                 | HTTPS communication between the SEPM manager and SEP clients or Enforcers.
1433        | TCP       | SEPM manager                          | sqlservr.exe                      | Microsoft SQL Server database used by SEPM.
1812        | UDP       | Enforcer                              | w3wp.exe                          | RADIUS authentication of clients between the Enforcer and the SEPM manager.
2638        | TCP       | SEPM manager                          | dbsrv9.exe                        | Embedded database used by SEPM.
8014, 8443  | TCP       | SEPM manager, web/remote console      | svchost.exe (IIS) 8014; SemSvc.exe 8443 | Replication between SEPM managers and web/remote console access (8443); web console to the Reporting component (8014).
9090        | TCP       | Remote console, IIS                   | SemSvc.exe                        | Remote console downloads .jar files and help pages; IIS-to-Tomcat communication.
8005        | TCP       | SEPM manager                          | SemSvc.exe                        | Tomcat shutdown port on the SEPM manager.
39999       | UDP       | Enforcer                              | Smc.exe                           | Client-Enforcer challenge-response authentication.
2967        | TCP       | SEP clients                           | Smc.exe                           | Group Update Provider (GUP) mini-HTTP server on a SEP client.
The Symantec Endpoint Protection Manager (SEPM) uses two web servers: Internet
Information Services (IIS) and Tomcat. IIS listens on ports 80 (or 8014) and 443. Tomcat
listens on ports 9090 and 8443. IIS and Tomcat talk to each other over HTTP: IIS uses
port 9090 to reach Tomcat, and Tomcat uses port 80 to reach IIS.
Client-Server Communication:
Through IIS, SEP uses HTTP or HTTPS between the clients or Enforcers and the server. By
default this client-server communication uses ports 80 (or 8014) and 443. In addition, the
Enforcers use RADIUS on UDP port 1812 to communicate in real time with the manager for
client authentication.
Remote Console:
9090 is used by the remote console to download .jar files and display the help pages.
8443 is used by the remote console to communicate with SEPM and the Replication Partners
to replicate data.
Web Console:
8443 is used by the web console to communicate with the SEPM.
8014 is used by the web console to communicate with SEPM Reporting component.
Client-Enforcer Authentication:
The clients communicate with the Enforcer using a proprietary communication protocol. This
communication uses a challenge-response exchange to authenticate the clients. The default port
for this is UDP 39999.
Troubleshooting the Group Update Provider (GUP) in Symantec Endpoint
Protection (SEP)
Problem
How do I use debug logs to troubleshoot a GUP?
Solution
How does the GUP get defined?
o A setting will be added to the LiveUpdate (LU) policy specifying one member
of the client group as a content proxy. This machine will be the Group Update
Provider (GUP)
o Every SEP client contains mini-HTTP server code that allows it to potentially
become the GUP.
o The LU Policy will specify a hostname/IP and port of the GUP HTTP server
machine that will default to port 2967, but can be reconfigured to an alternate
port. The administrator can specify either the host name of the machine or the
IP. (The reason for using port 2967 is that Symantec customers already have
routing and firewalls set up for this. Symantec AntiVirus (SAV) Corporate
Edition 8/9/10 and SEP 11.0 will not coexist on the same machine, and in the
case of a SAV environment, will not have the same parents. In most instances,
it is known that there are no conflicts with port 2967, or those conflicts were
already sorted out by the administrators. Port 80 is a collision prone port.)
o The file transfer will be over HTTP and contained within the HTTP Response
payload. This is exactly the same as the existing transport. The protocol will
be the SyLink protocol.
o HTTPS will NOT be supported for the SEP 11.0 release.
o Content delivered by Symantec Endpoint Protection Manager (SEPM) will be
cached.
o The GUP will NOT initially support the patch and update channel. It was
considered to be out-of-scope for SEP 11.0. There are no plans to address this
yet.
When a client becomes the GUP
o The mini-HTTP server code will be a DLL extension to the SMC Agent. The
design has the GUP running independently of the internal content handling.
GUP is loaded by the SMC Agent when configured. When it starts up it begins
listening on the configured port. It continues listening until it is shut down.
o All the clients in the group receive the same proxy policy configuration. The
one whose address/hostname matches the proxy setting is the proxy and loads the
micro web server.
o The machine that is designated as the GUP will create a directory, if it doesn't
already exist, at the following location:
(Client install location)\SharedUpdates
Default location: C:\Program Files\Symantec\Symantec Endpoint
Protection\SharedUpdates
This SharedUpdates folder will cache all proxied files. For the first round of
implementation this will only be managed LU content. No other
To enable debugging for the GUP, you can either enable it through the SEP user
interface - SEP UI -> Help and Support button -> Troubleshooting -> Debug
Logs -> Client Management section -> Edit Debug Log Settings button -> check
the Debug On box -> Debug level: 0 -> Log level: 0 - Debug -> Log file size (KB):
10000 -> OK -> Close, or modify the following registry keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC]
"smc_debuglog_on"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\Log]
"debug_log_filesize"=dword:00002710
(0x2710 is 10000, the log file size in KB.)
The SMC process (the executable for the "Symantec Management Client" service) must be
stopped and restarted for changes in debug logging to take effect:
From a Run line type in the following:
smc -stop
Once the SEP shield icon disappears from the System Tray, then type:
smc -start
You should also be able to telnet to port 2967 on the GUP and see the connection in the
GUP logs.
Below is an example of a GUP accepting a connection from another machine: the TCP
connection itself works, but the data sent over it is not a valid request, so the GUP
rejects it and closes the socket:
03/21 23:00:59 [2628:1908] GUProxy: thread [1908] accepted on socket 2228
03/21 23:01:03 [2628:1908] GUPROXY - GUProxy HTTP in - H
03/21 23:01:03 [2628:1908] GUPROXY - malformed or misdirected request
03/21 23:01:03 [2628:1908] GUProxy - closing accepted socket
Successful Connection and update from a client:
event=EVENT_LU_DOWNLOAD_COMPLETED
03/24 14:29:25 [2224] <CSyLink::mfn_DownloadNow()>
03/24 14:29:25 [2224] </CSyLink::mfn_DownloadNow()>
03/24 14:29:30 [2232] <PostEvent>done post event=EVENT_LU_DOWNLOAD_COMPLETED, return=0
Below is what you will see in the Sylink if the GUP is off line:
03/25 00:38:01 [2232] <LUThreadProc>Setting the session timeout on LUSession to 2 min.
03/25 00:38:01 [2232] <mfn_MakeGetLUFileIISUrl:>Requested Content Path is: /content/{812CD25E-1049-4086-9DDD-A4FAE649FBDF}/80324040/delta80321051.dax
03/25 00:38:01 [2232] <GetLUFileRequest:>IIS URL: /content/{812CD25E-1049-4086-9DDD-A4FAE649FBDF}/80324040/delta80321051.dax
03/25 00:38:01 [2232] <GetLUFileRequest:>http://192.168.2.5:2967/content/{812CD25E-1049-4086-9DDD-A4FAE649FBDF}/80324040/delta80321051.dax
03/25 00:38:01 [2232] <GetLUFileRequest:>NEW download: C:\Program Files\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF140D.tmp
03/25 00:38:01 [2232] <UpdateLUFileList:>Updating existing Download File List with : {812CD25E-1049-4086-9DDD-A4FAE649FBDF}80324040
03/25 00:38:01 [2232] <UpdateLUFileList:>Updating existing Download File List Temp file name from: to C:\Program Files\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF140D.tmp
03/25 00:38:01 [2232] 0:38:1=>Sending HTTP REQUEST to download LU file
03/25 00:38:24 [2224] <CSyLink::mfn_DownloadNow()>
03/25 00:38:24 [2224] </CSyLink::mfn_DownloadNow()>
03/25 00:38:24 [2232] 0:38:24=>HTTP REQUEST sent
03/25 00:38:24 [2232] <GetLUFileRequest:>Send Request failed.. Error Code = 12029
03/25 00:38:24 [2232] <ParseErrorCode:>12029=>The attempt to connect to the server failed.
03/25 00:38:24 [2232] <GetLUFileRequest:>IIS return=0
03/25 00:38:24 [2232] <ParseErrorCode:>12029=>The attempt to connect to the server failed.
03/25 00:38:24 [2232] <GetLUFileRequest:>COMPLETED
03/25 00:38:24 [2232] <LUThreadProc> - GETLUFILE_CONNECTION_ERROR getting content moniker: {812CD25E-1049-4086-9DDD-A4FAE649FBDF}; revision: 80324040 from server: 192.168.2.5
03/25 00:38:24 [2232] LU file download failed due to HTTP error:0
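The GUP-side excerpt (GUProxy accepting and then rejecting a malformed request) and the client-side Sylink excerpts (a completed download, and a download that fails with error 12029 because the GUP is offline) are read by eye above. The following is an added example, not code from this page or from Symantec, that parses both log formats and turns them into the same verdicts the text draws. The embedded sample lines are copied from the excerpts quoted on this page with the PDF line-wrapping undone; the function names, field names and verdict codes are the example's own.

```python
import re
from collections import Counter

# Sample lines copied from the GUP debug log excerpt quoted on this page.
GUP_LOG = """\
03/21 23:00:59 [2628:1908] GUProxy: thread [1908] accepted on socket 2228
03/21 23:01:03 [2628:1908] GUPROXY - GUProxy HTTP in - H
03/21 23:01:03 [2628:1908] GUPROXY - malformed or misdirected request
03/21 23:01:03 [2628:1908] GUProxy - closing accepted socket
"""

# Sample lines copied from the "GUP is off line" Sylink excerpt on this page.
SYLINK_LOG_OFFLINE = """\
03/25 00:38:01 [2232] <LUThreadProc>Setting the session timeout on LUSession to 2 min.
03/25 00:38:01 [2232] <GetLUFileRequest:>http://192.168.2.5:2967/content/{812CD25E-1049-4086-9DDD-A4FAE649FBDF}/80324040/delta80321051.dax
03/25 00:38:01 [2232] 0:38:1=>Sending HTTP REQUEST to download LU file
03/25 00:38:24 [2232] 0:38:24=>HTTP REQUEST sent
03/25 00:38:24 [2232] <GetLUFileRequest:>Send Request failed.. Error Code = 12029
03/25 00:38:24 [2232] <ParseErrorCode:>12029=>The attempt to connect to the server failed.
03/25 00:38:24 [2232] <LUThreadProc> - GETLUFILE_CONNECTION_ERROR getting content moniker: {812CD25E-1049-4086-9DDD-A4FAE649FBDF}; revision: 80324040 from server: 192.168.2.5
03/25 00:38:24 [2232] LU file download failed due to HTTP error:0
"""

# Sample line copied from the successful-update Sylink excerpt on this page.
SYLINK_LOG_OK = """\
03/24 14:29:30 [2232] <PostEvent>done post event=EVENT_LU_DOWNLOAD_COMPLETED, return=0
"""

# Common prefix: "MM/DD HH:MM:SS [pid:tid]" on the GUP side, "[tid]" on the Sylink side.
LINE_RE = re.compile(r"^(?P<date>\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) \[(?P<ids>[\d:]+)\] (?P<msg>.*)$")
GUP_URL_RE = re.compile(r"https?://(?P<host>[^/:]+):(?P<port>\d+)/content/")
ERR_CODE_RE = re.compile(r"Error Code = (\d+)")
MONIKER_RE = re.compile(r"content moniker: (\{[0-9A-Fa-f-]+\}); revision: (\d+) from server: (\S+)")


def parse_lines(text):
    """Split a debug log into {ts, ids, msg} records, skipping non-log lines."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            events.append({"ts": f"{m['date']} {m['time']}", "ids": m["ids"], "msg": m["msg"]})
    return events


def summarize_gup_log(text):
    """GUP side: how many connections were accepted and how many requests were rejected as malformed."""
    counts = Counter()
    for ev in parse_lines(text):
        if "accepted on socket" in ev["msg"]:
            counts["accepted"] += 1
        elif "malformed or misdirected request" in ev["msg"]:
            counts["rejected_malformed"] += 1
    return dict(counts)


def summarize_sylink_log(text):
    """Client side: which GUP was contacted, what went wrong, and whether the download completed."""
    result = {"gup": None, "error_codes": [], "connection_error": False,
              "moniker": None, "revision": None, "completed": False}
    for ev in parse_lines(text):
        msg = ev["msg"]
        if (m := GUP_URL_RE.search(msg)):
            result["gup"] = (m["host"], int(m["port"]))
        if (m := ERR_CODE_RE.search(msg)):
            result["error_codes"].append(int(m.group(1)))
        if (m := MONIKER_RE.search(msg)):
            result["moniker"], result["revision"] = m.group(1), int(m.group(2))
        if "GETLUFILE_CONNECTION_ERROR" in msg:
            result["connection_error"] = True
        if "EVENT_LU_DOWNLOAD_COMPLETED" in msg and "return=0" in msg:
            result["completed"] = True
    return result


def diagnose(gup_summary, sylink_summary):
    """Map the two summaries onto the troubleshooting verdicts described in the text."""
    verdicts = []
    # 12029 is the WinINet "cannot connect" code; the log itself prints the text for it.
    if sylink_summary["connection_error"] or 12029 in sylink_summary["error_codes"]:
        host, port = sylink_summary["gup"] or ("?", "?")
        verdicts.append(("GUP_UNREACHABLE",
                         f"client could not connect to GUP {host}:{port}; check the GUP is up, "
                         f"that port {port} is reachable, and that the LU policy names the right host"))
    if gup_summary.get("rejected_malformed"):
        verdicts.append(("GUP_REJECTED_REQUEST",
                         "GUP accepted a TCP connection but the request was not a valid SyLink/HTTP "
                         "request (e.g. a bare telnet probe); the port is reachable, the payload is not"))
    if sylink_summary["completed"] and not sylink_summary["connection_error"]:
        verdicts.append(("DOWNLOAD_OK", "LiveUpdate content download completed from the GUP"))
    return verdicts or [("INCONCLUSIVE", "no GUP connection or LU download events found")]


if __name__ == "__main__":
    for code, text in diagnose(summarize_gup_log(GUP_LOG), summarize_sylink_log(SYLINK_LOG_OFFLINE)):
        print(f"{code}: {text}")
```

To use it on real logs, read the GUP's SMC debug log and the client's Sylink log into the two summarize functions; the parser ignores lines that do not carry the timestamp prefix, so the wrapped lines a PDF or mail client introduces are simply skipped rather than mis-parsed.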
Client is not showing a green dot in the Symantec Endpoint Protection Manager
console.
Solution
About communication problems
Check network connectivity before you call Symantec Technical Support. Once that
has been verified, check the communication between the client and the server. For
example, the client may not be receiving Policy updates or it may not be receiving
Content updates. It is important to gather as much information as possible about
which communications are working and which are not.
About checking the communication between the client and the management server
If you have trouble with the client and the server communication, you should first
check to make sure that there are no network problems. You can test the
communication between the client and the management server in several ways.
Table 2-1 describes the steps that you can take to check the communication
between the client computer and the management server.
The serial number should match the serial number of the policy that the management
server pushes to the client.
About performing a manual policy update to check the policy serial number
You can perform a manual policy update to check whether or not the client receives
the latest policy update. If the client does not receive the update, there might be a
problem with the client and server communication.
You can try a manual policy update by doing any of the following actions:
For the clients that are configured for pull mode, the management server downloads
policies to the client at regular intervals (heartbeat). You can change the heartbeat
interval so that policies are downloaded to the client group more quickly. After the
heartbeat interval, you can check to see if the policy serial numbers match. (For the
clients that are configured for push mode, the clients receive any policy updates
immediately.)
After you run a manual policy update, make sure that the policy serial number that
appears in the client matches the serial number that appears in the management
console.
Using the ping command to test the connectivity to the management server
You can try to ping the management server from the client computer to test
connectivity.
To use the ping command to test the connectivity to the management server
1. On the client, open a command prompt.
2. Type the ping command. For example:
ping name
Where name is the computer name of the management server. You can use the
server IP address in place of the computer name. In either case, the command
should return the server's correct IP address.
If the ping command does not return the correct address, verify the DNS service for
the client and check its routing path.
Using a browser to test the connectivity to the management server
You can use a Web browser to test the connectivity to the management server.
To use a browser to test the connectivity to the management server:
1. On the client computer open a Web browser, such as Internet Explorer.
2. In the browser address bar, type a URL similar to one of the following:
o http://<management server IP address>:<port used by the SEPM website>/reporting/index.php
If the reporting log-on Web page appears, the client can communicate
with the management server.
o http://<management server name>:9090
If the Symantec Endpoint Protection Manager Console page appears,
the client can communicate with the management server.
3. If a Web page does not appear, check for any network problems. Verify the
DNS service for the client and check its routing path.
If the Telnet connection fails, verify the client's DNS service and check its routing
path.
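The telnet and browser tests above check one port at a time by hand. As an added example (not code from this page or from Symantec), the following script runs the same client-side reachability check against every TCP listener in the port table at the top of the page, so a missing listener or a blocking firewall shows up in one pass. The port-to-role labels are taken from the table and prose on this page; the host name argument and the local dummy listener used for the offline self-check are the example's own assumptions. UDP ports (1812, 39999) are deliberately not probed, because a plain connect() says nothing about a UDP service.

```python
import socket
import sys
import threading

# TCP listeners from the SEPM port table on this page; labels paraphrase that table.
SEPM_TCP_PORTS = {
    80: "IIS: client/Enforcer to SEPM (older builds)",
    8014: "IIS: client/Enforcer to SEPM (MR3+); web console to Reporting",
    443: "IIS: HTTPS client/Enforcer to SEPM",
    8443: "Tomcat: remote/web console and replication partners",
    9090: "Tomcat: remote console .jar files and help pages",
    8005: "Tomcat shutdown port (should only be reachable locally)",
}
GUP_TCP_PORT = 2967  # Group Update Provider mini-HTTP server on a SEP client


def tcp_port_open(host, port, timeout=2.0):
    """True if a TCP three-way handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, name resolution failed
        return False


def check_ports(host, ports, timeout=2.0):
    """Probe each port once and return {port: reachable}."""
    return {p: tcp_port_open(host, p, timeout) for p in ports}


def report(host, results, labels):
    """Render {port: reachable} as one text line per port."""
    lines = []
    for port, ok in sorted(results.items()):
        status = "open" if ok else "CLOSED/blocked"
        lines.append(f"{host}:{port:<5} {status:14} {labels.get(port, '')}")
    return lines


# --- offline self-check: a throwaway listener stands in for the SEPM/GUP -----
def _start_dummy_listener():
    """Constructed for the example: listen on an ephemeral loopback port, accept one connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def accept_once():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=accept_once, daemon=True).start()
    return port


def self_check():
    """Probe one live and one closed loopback port; expected {"live": True, "dead": False}."""
    live = _start_dummy_listener()
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    dead = probe.getsockname()[1]
    probe.close()  # port is now free, so a connect() to it is refused
    return {"live": tcp_port_open("127.0.0.1", live), "dead": tcp_port_open("127.0.0.1", dead)}


if __name__ == "__main__":
    # Usage: python check_sepm_ports.py <sepm-host> [<gup-host>]
    sepm = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for line in report(sepm, check_ports(sepm, SEPM_TCP_PORTS), SEPM_TCP_PORTS):
        print(line)
    if len(sys.argv) > 2:
        gup = sys.argv[2]
        for line in report(gup, check_ports(gup, [GUP_TCP_PORT]), {GUP_TCP_PORT: "GUP mini-HTTP"}):
            print(line)
    print("self-check:", self_check())
```

A port reported as open here but still failing in the Sylink log points at the request or policy rather than the network (compare the GUP's "malformed or misdirected request" case); a port reported closed from the client while the same probe succeeds on the server itself points at the firewall or routing path between them, which is what the DNS and routing checks above are for.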
Verify the Windows Firewall is not enabled on the management server (SEPM) or the
client.
1. Click the Start button, then Control Panel, choose Security (System and Security in
Windows 7), and then click Windows Firewall.
Windows 7), and then click Windows Firewall.
2. Click Turn Windows Firewall on or off. If you are prompted for an administrator
password or confirmation, type the password or provide confirmation.
3. Click Off, and then click OK.