Kavinda Munasinghe's Blog



Page 1 of 1 in the How To category
 Thursday, June 19, 2008
Posted by Kavinda Munasinghe on Thursday, June 19, 2008 9:35:27 AM (Sri Lanka Standard Time, UTC+05:30)

From the number of hits I've been getting on the posts on How to move Symantec Endpoint Protection Manager to another server and on How to change Symantec Endpoint Protection Manager port, it seems that a lot of you are in need of information on this product. So I thought I'd share this with you as well.

If you've got your Symantec Endpoint Protection Manager "Symantec Web Server" website on a Windows Server 2003 SP2 (IIS 6.0), install the FastCGI extension for IIS and configure the "Symantec Web Server" website to use it. Doing that should speed up your SEPM console. Well, not all of it, but mainly the Home, Monitors, and Reports pages will show the improvement.

You can find the documentation on how to do it on the installation CDs. Although I found this under the NoSupport directory (Symantec_Endpoint_Protection_11_0_2000_MR2_AllWin_EN_CD2\TOOLS\NOSUPPORT\FASTCGI\FASTCGI_SETUP_README.PDF), the instructions from Symantec state that "Symantec provides full support for the Symantec Endpoint Protection Manager with the successful installation of the FastCGI extension." So go ahead and give it a try.




Categories: How To | Symantec



 Thursday, June 12, 2008
Posted by Kavinda Munasinghe on Thursday, June 12, 2008 1:05:07 PM (Sri Lanka Standard Time, UTC+05:30)
In my last post I wrote about moving Symantec Endpoint Protection Manager to another server. One of the reasons I did so was the conflict between Windows Software Update Services and SEPM on port 80 of IIS.

However, instead of moving SEPM to another server it is also very much possible to keep SEPM on the same server by configuring its website to work with a custom port.

The installation process does ask us if we'd like to use the default website or create a separate site. However, it does not give options to select a desired port for the website, so we’ll need to configure this after the installation.

There is a Symantec knowledge base article with detailed step-by-step instructions on how to configure SEPM to use a different port: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007111212591048. This solution is good if you don’t have clients already deployed.

However, if you do have a substantial number of clients already deployed, then the problem with the method that the knowledge base article uses is that once we change the port of the IIS website, the clients that are currently connected to it will no longer be able to communicate with the server.

This meant that after making the change to the ports, there is a manual process involved in getting each client computer to reconnect to the server. This is done by updating a file on the client computers, namely the symlink.xml file. It’s not a difficult thing to do; all you need is a small script to replace this file on all your client machines. That solution didn't look clean enough, so here is how I would suggest doing the change.

First of all, you need to have the Symantec site installed on a custom website instead of using the Default Web Site on IIS. Follow the instructions in the knowledge base article to get it done.

1) Install Symantec Endpoint Protection Manager on a custom Web site.
       i. Execute the Symantec Endpoint Protection Manager installer.
       ii. Select Create a custom Web site and proceed with the installation.
After the installation is complete, a site called "Symantec Web Server" exists in IIS.

2) Create another website with the exact same settings but with a custom port.
       i. Export the current configuration of the "Symantec Web Server" site to a file: right-click the "Symantec Web Server" site, click All Tasks, click Save Configuration to a File and save this file.
       ii. Import it as a new website: right-click "Web Site", click New, click Web Site (from file), and select the file that you saved in the first step.

You will be asked if you want to overwrite the existing website or create a new one. Create a new one. The new site will also be named "Symantec Web Server" and will be in a stopped state. Rename the site so you don’t get the two mixed up, then go to the new web site's properties and configure it to use a port number that you like, say 8080. Do the same for the "Application Pools": create your own "SymantecAppPool" from a copy of the "DefaultAppPool" and assign the new site to use it. Now start the new site.

3) Create a new Management server list.
       i.   In Symantec Endpoint Protection Manager, click Policies, click Policy Components, click  Management Server Lists.
       ii.  Make a copy of the Default Management Servers list. Copy and Paste works here.
       iii. Edit the new server list.
             - Edit the existing servers under Priority 1 so that they will use your custom port
             - Add a new Priority, then add the same servers that are in Priority 1 to it, but without customizing the port. This is more of a backup plan: just in case clients are not able to connect to the custom port, they can try the default.
       iv. Assign this new management server list to your groups and locations.
       v.  Update Contents on all clients so that this new policy is reflected for clients.

4) Edit Tomcat properties.
After all the clients have been updated, we can change the conf.properties file located under the Symantec install directory, something like C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Tomcat\etc\conf.properties.
       i.   Stop the Symantec Endpoint Protection Manager service.
       ii.  Open the conf.properties file in Notepad.
       iii. Add the line “scm.iis.http.port=8080” without the quotes to the end of the file (or whatever port you want to use instead of 8080).

5) Restart Server.
Now stop the "Default Symantec Web Server" and restart the server that hosts Symantec Endpoint Protection Manager.
After the server boots up, confirm whether the custom port has been configured in the Default Management Server List.  You can do this by clicking Edit on the Default Management Servers list. Although the default list is not editable, you can view the changes and confirm whether or not the custom port has been configured correctly.

6) Clean up.
If all looks well, such as the port has been configured and the clients have connected to the server on the custom port, you can
       i.  Re-assign the Default Management Servers list back to your groups and also
       ii. Delete the custom Management Server list  created in step 3
       iii. Delete the “Symantec Web Server” web site that uses port 80


That's all. If you find that by accident there is a client that did not get updated when step 3 was done, you can always manually update that client's symlink.xml file.
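The step 4 edit as a re-runnable script, followed by a reachability check to run before the step 6 clean-up. This is an added example, not code from the original post or from Symantec; the function names and the constructed demo file are assumptions.

```powershell
function Set-SepmIisPort {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][ValidateRange(1, 65535)][int]$Port,
        [string]$ServiceName   # optional: refuse to edit while this service runs (step 4.i)
    )
    if ($ServiceName -and (Get-Service -Name $ServiceName).Status -ne 'Stopped') {
        throw "Stop service '$ServiceName' before editing $Path."
    }
    $full   = (Resolve-Path -LiteralPath $Path).ProviderPath
    $latin1 = [System.Text.Encoding]::GetEncoding('iso-8859-1')   # Java .properties encoding
    if (-not (Test-Path -LiteralPath "$full.bak")) {
        Copy-Item -LiteralPath $full -Destination "$full.bak"     # one-time rollback copy
    }
    $key     = 'scm.iis.http.port'
    $pattern = '^\s*' + [regex]::Escape($key) + '\s*[=:]'
    $lines   = [System.IO.File]::ReadAllLines($full, $latin1)
    # Drop any earlier setting of the key so a re-run never leaves two conflicting lines.
    $kept    = @($lines | Where-Object { $_ -notmatch $pattern })
    [System.IO.File]::WriteAllLines($full, [string[]]($kept + "$key=$Port"), $latin1)
}

# True when something accepts TCP connections on the port.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# Demo on a constructed file (not a real conf.properties); both runs leave one port line.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'conf.properties.demo'
Set-Content -LiteralPath $demo -Value '# constructed sample', 'sample.key=value', 'scm.iis.http.port=80'
Set-SepmIisPort -Path $demo -Port 8080
Set-SepmIisPort -Path $demo -Port 8080
Get-Content -LiteralPath $demo
"Port 8080 reachable on localhost: $(Test-TcpPort -ComputerName 'localhost' -Port 8080)"
```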




Categories: How To | Symantec



 Monday, June 09, 2008
Posted by Kavinda Munasinghe on Monday, June 09, 2008 1:32:05 PM (Sri Lanka Standard Time, UTC+05:30)

For various reasons you may need to move Symantec Endpoint Protection Manager from one server to another. Another server meaning one with a different IP address and Host name.

I needed to do this some time back, one of the reasons being a conflict for port 80 on IIS. The Windows Server Update Services (WSUS) Self Update service accesses the WSUS server on port 80, and Symantec Endpoint Protection Manager also installs its website on port 80. The event log showed an error "Self-update is not working" with Event Id 13042.

Your reasons for moving Symantec Endpoint Protection Manager to another server may be different, but either way, here is how I did it.

Looking around the web, you'd find that there are 2 ways of getting around this.

1. Replication method
2. Backup-restore method

Out of the two the replication method seemed to make more sense, and looked the easiest to get done.

In summary what we need to do is:

  1. Install SEPM on a new server
  2. Configure it for replication with the first site
  3. Change the priorities of the management servers to reflect that this new server is of higher priority, or simply assign all groups to this new server.
  4. Uninstall the old SEPM


Here is how you do that, step-by-step:

  1. First install Symantec Endpoint Protection Manager on a new server
  2. When you get to the Management Server Configuration Wizard panel, choose the Advanced configuration type and select how many computers will be managed by this server
  3. Choose to Install an additional site. This is the only option that will install a Management Server and a database for replication.
  4. In the Server Information panel, accept or change the default values and then click Next
  5. In the Site Information panel, accept or change the name in the Site Name box and then click Next. The Site Name cannot be the same as what you have on your other SEPM.
  6. In the Replication Information panel, type values in the following boxes:
       Replication Server Name (The Name or IP address of the old Symantec Endpoint Protection Manager)
       Replication Server Port (The default is 8443)
       Administrator Name (The Username used to log on to the old console)
       Password (The password used to log on to the old console.)
  7. Click Next
  8. In the Certificate Warning dialog box, click Yes
  9. In the Database Server Choice panel select either the Embedded database or the Microsoft SQL Server irrespective of what you have on your old server and click Next to complete the installation.
  10. Log in to the new Symantec Endpoint Protection Manager (SEPM) and ensure that all the clients and policies have migrated successfully
  11. Click Policies
  12. Click Policy Components
  13. Click Management Server Lists.
  14. Select the Default Management Server List for 'NEW SEPM'
  15. Click Assign the List
  16. Select all the locations and groups, and click Assign to replace the existing Management Server list that has the old server with the new one.
  17. Wait for all the clients to reflect this change and connect to the new server. You can go through the log entries, or look at the Clients tab on the new SEPM server: you'd see the computer icon with a green dot for the clients connected to it, and a computer icon with a red arrow for the clients still connected to the other server.

    After the successful migration, I let this configuration run for a few days before doing the following:

  18. Uninstall the old Symantec Endpoint Protection Manager (SEPM)
  19. Log in to the new SEPM and delete the old SEPM server from the Replication partners list and the Remote Sites
  20. Under the Management Server Lists Policy Component, Delete the Default Management Server List for 'OLD SEPM'


The original of the above steps can be found at https://forums.symantec.com/syment/board/message?board.id=endpoint_protection11&message.id=5911. I've edited the above based on my experience to hopefully bring in a little bit of clarity.

This worked for me perfectly and I hope this works for you too. However, it's advisable to first read Best Practices for Disaster Recovery with Symantec Endpoint Protection and be prepared for the worst.




Categories: How To | Symantec



 Wednesday, November 07, 2007
Posted by Kavinda Munasinghe on Wednesday, November 07, 2007 6:55:57 PM (Sri Lanka Standard Time, UTC+05:30)

Recently a friend of mine complained that he was unable to log in to his PC. Windows kept logging him out just after validating the user name and password.

In summary this is what happened (Windows XP Professional)
- Booted up the PC. The Windows login screen appears without any problem.
- Entered valid domain accounts/local accounts with and without administrative privileges
- Credentials got validated.
- Immediately after, Windows started logging out.

Booting up in "Last Known Good Configuration", "Safe Mode" and "Safe Mode with Command Prompt" or remotely connecting via "Remote Desktop" all had the same problem.

Since this PC was connected to a LAN, it was possible to remotely connect to the Windows "Event Viewer" to see what could be happening, but unfortunately it didn't reveal any secrets. Connecting remotely to the Windows "Registry" of the affected PC was, however, much more productive; after a little bit of looking around I found an empty value for the Userinit entry. Adding it back solved the problem. If this happened on a PC that is not connected to a network, there is another way to fix the missing entry: getting Windows to add the missing "userinit.exe" entry while booting up.

---
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
---

This is what was happening: When a user presses CTRL+ALT+DEL and enters their username and password, the Windows Graphical Identification and Authentication component (GINA) will get an authentication package to verify the credentials and establish a session. Then GINA passes on the job of setting up the user environment to the programs specified in the WinLogon's registry key for "Userinit". Usually that would be "C:\WINDOWS\system32\userinit.exe,". So, with no program specified to do the setting up, you immediately get logged out again.
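A check for the condition described above, reading the Userinit value locally or over the network as the post did. This is an added example, not code from the original post; the function names, status labels and sample values are assumptions.

```powershell
function Get-UserinitValue {
    param([string]$ComputerName = '')   # empty string = local machine
    $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $ComputerName)
    try {
        $key = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')
        if ($key) { $key.GetValue('Userinit') }
    } finally { $hklm.Close() }
}

function Test-UserinitValue {
    param([string]$Value, [string]$Expected = 'C:\Windows\system32\userinit.exe')
    # The value is a comma-separated program list, normally "<path>\userinit.exe,".
    $entries = @("$Value".Split(',') | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ })
    $extra   = @($entries | Where-Object { $_ -ne $Expected })   # -ne ignores case
    $status  = 'OK'
    if ($extra.Count -gt 0)              { $status = 'ExtraEntries' }  # review each extra program
    if ($entries -notcontains $Expected) { $status = 'NoUserinit' }
    if ($entries.Count -eq 0)            { $status = 'Empty' }         # the failure in this post
    [pscustomobject]@{ Status = $status; Entries = $entries -join ' | '; Extra = $extra -join ' | ' }
}

# Constructed sample values; the last path is a made-up placeholder.
$samples = 'C:\Windows\system32\userinit.exe,', '',
           'C:\WINDOWS\system32\userinit.exe,C:\Temp\placeholder.exe'
$samples | ForEach-Object { Test-UserinitValue -Value $_ } | Format-Table -AutoSize

# Live check of the local machine (pass -ComputerName to read a networked PC's registry).
if ($env:OS -eq 'Windows_NT') { Test-UserinitValue -Value (Get-UserinitValue) }
```

Reading another PC's registry this way needs the Remote Registry service running on it and an account with rights to the key.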




Categories: Microsoft | Software | How To



 Tuesday, July 31, 2007
Posted by Kavinda Munasinghe on Tuesday, July 31, 2007 1:41:30 PM (Sri Lanka Standard Time, UTC+05:30)

Some of us got blown away by Twitter, some of us just got annoyed that it didn't work with Google Talk for Google Apps. But surely it should work, right?

For GTalk to talk with Twitter you only need to add/invite twitter@twitter.com to your Google Talk contacts. It will instantly accept the invitation and you're on your way. It’s that simple. However, that's only if you're signing in using a Gmail account (e.g. yourmailadd@gmail.com).

If you're a user of Google Apps and use Google Talk with that account, then simply adding/inviting twitter@twitter.com will get you nowhere. At least that’s where I got.

So, why didn’t it work?

When I checked the "Service Settings" for chat in the Google Apps Domain Control panel, it was obvious; to IM outside the Google network, you will need to edit your Service (SRV) records in domain settings. Ah, so that’s why!

The support document from Google said I'd need to enter the following DNS entries.

_xmpp-server._tcp.yourDomainName.com. IN SRV 5 0 5269 xmpp-server.l.google.com.
_xmpp-server._tcp.yourDomainName.com. IN SRV 20 0 5269 xmpp-server1.l.google.com.
_xmpp-server._tcp.yourDomainName.com. IN SRV 20 0 5269 xmpp-server2.l.google.com.
_xmpp-server._tcp.yourDomainName.com. IN SRV 20 0 5269 xmpp-server3.l.google.com.
_xmpp-server._tcp.yourDomainName.com. IN SRV 20 0 5269 xmpp-server4.l.google.com.

_jabber._tcp.yourDomainName.com. IN SRV 5 0 5269 xmpp-server.l.google.com.
_jabber._tcp.yourDomainName.com. IN SRV 20 0 5269 xmpp-server1.l.google.com.
_jabber._tcp.yourDomainName.com. IN SRV 20 0 5269 xmpp-server2.l.google.com.
_jabber._tcp.yourDomainName.com. IN SRV 20 0 5269 xmpp-server3.l.google.com.
_jabber._tcp.yourDomainName.com. IN SRV 20 0 5269 xmpp-server4.l.google.com.


Something was still not right; the invite to twitter@twitter.com was not getting accepted; even after leaving plenty of time for DNS entries to propagate.

It was time to try out another IM client. Google supports the jabber/XMPP protocol. This means I should be able to use any other IM client that supports the jabber/XMPP protocols.  

I chose Pidgin because it had a useful debug window! So I installed Pidgin and configured it to connect to Google Talk for my domain as instructed, and tried to sign in.

 

dnssrv: Couldn’t lookup SRV record. This operation returned because the timeout period expired. (1460)

 

Now I'm getting somewhere! I was still missing some more DNS entries: _xmpp-client._tcp.kavinda.net could not be found. After a quick nslookup to see the entries for _xmpp-client._tcp.gmail.com,

[Image: nslookup results for _xmpp-client._tcp.gmail.com]

I added similar entries for my domain kavinda.net.

_xmpp-client._tcp.yourDomainName.com.  IN SRV  5 0 5222 talk.l.google.com.
_xmpp-client._tcp.yourDomainName.com.  IN SRV 20 0 5222 talk1.l.google.com.
_xmpp-client._tcp.yourDomainName.com.  IN SRV 20 0 5222 talk2.l.google.com.
_xmpp-client._tcp.yourDomainName.com.  IN SRV 20 0 5222 talk3.l.google.com.
_xmpp-client._tcp.yourDomainName.com.  IN SRV 20 0 5222 talk4.l.google.com.

In the GoDaddy domain control panel you'd enter the record
_xmpp-client._tcp.kavinda.net.  IN SRV  5 0 5222 talk.l.google.com.
like this:

[Image: _xmpp-client._tcp.kavinda.net DNS entry in GoDaddy]


That did the trick; I was able to sign in to Pidgin. Now back to Google Talk: I signed in using my Google Apps account, added twitter@twitter.com and it was accepted instantly. I had arrived.
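A check of a zone export for all three SRV names used in this post, which would have flagged the missing _xmpp-client record up front. This is an added example, not from the original post or from Google; the function name, status labels and example.com zone lines are constructed.

```powershell
function Test-XmppSrvRecords {
    param([string[]]$ZoneLines, [string]$Domain)
    # Service label -> port, as given in the records quoted in the post.
    $required = [ordered]@{ '_xmpp-server._tcp' = 5269; '_jabber._tcp' = 5269; '_xmpp-client._tcp' = 5222 }
    $rx = '^(\S+?)\.?\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$'
    $records = @(foreach ($line in $ZoneLines) {
        if ($line.Trim() -match $rx) {
            [pscustomobject]@{ Name = $Matches[1].ToLower(); Priority = [int]$Matches[2]
                               Port = [int]$Matches[4]; Target = $Matches[5] }
        }
    })
    foreach ($label in $required.Keys) {
        $fqdn      = "$label.$Domain".ToLower()
        $found     = @($records | Where-Object { $_.Name -eq $fqdn } | Sort-Object Priority)
        $wrongPort = @($found | Where-Object { $_.Port -ne $required[$label] })
        $status = 'OK'
        if ($wrongPort.Count -gt 0) { $status = 'WrongPort' }
        if ($found.Count -eq 0)     { $status = 'Missing' }
        [pscustomobject]@{ Record = $fqdn; Status = $status; Count = $found.Count
                           Primary = if ($found.Count) { $found[0].Target } else { $null } }
    }
}

# Constructed sample mirroring the post's first attempt: server records present, client records absent.
$zone = @(
    '_xmpp-server._tcp.example.com. IN SRV 5 0 5269 xmpp-server.l.google.com.',
    '_xmpp-server._tcp.example.com. IN SRV 20 0 5269 xmpp-server1.l.google.com.',
    '_jabber._tcp.example.com. IN SRV 5 0 5269 xmpp-server.l.google.com.'
)
Test-XmppSrvRecords -ZoneLines $zone -Domain 'example.com' | Format-Table -AutoSize
```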

 




Categories: Google | How To | Internet






Copyright © 2008 Kavinda Munasinghe. All rights reserved.