Thursday, June 12, 2008
Posted by Kavinda Munasinghe on Thursday, June 12, 2008 1:05:07 PM (Sri Lanka Standard Time, UTC+05:30)
In my last post I wrote about moving Symantec Endpoint Protection Manager (SEPM) to another server. One of the reasons I did so was the conflict between Windows Software Update Services and SEPM over port 80 on IIS.

However, instead of moving SEPM to another server, it is also perfectly possible to keep SEPM on the same server by configuring its website to use a custom port.

The installation process does ask whether we'd like to use the default website or create a separate site. However, it does not offer a choice of port for that website, so we need to configure this after the installation.

There is a Symantec knowledge base article with detailed step-by-step instructions on how to configure SEPM to use a different port: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007111212591048. This solution is fine if you don't have clients already deployed.

However, if you do have a substantial number of clients already deployed, the problem with the method in the knowledge base article is that once you change the port of the IIS website, the clients currently connected to it will no longer be able to communicate with the server.

This means that after changing the port there is a manual step to get each client computer reconnected to the server, done by updating a file on the client, namely the sylink.xml file. It's not a difficult thing to do; all you need is a small script to replace this file on all your client machines. That solution didn't look clean enough to me, so here is how I would suggest making the change.

First of all, you need to have the Symantec site installed on a custom website instead of on the Default Web Site in IIS; follow the instructions in the knowledge base article to get this done.

1) Install Symantec Endpoint Protection Manager on a custom Web site.
       i. Execute the Symantec Endpoint Protection Manager installer.
       ii. Select Create a custom Web site and proceed with the installation.
After the installation is complete, a site called "Symantec Web Server" exists in IIS.

2) Create another website with the exact same settings but with a custom port.
       i.  Export the current configuration of the Symantec Web Server site to a file: right-click the "Symantec Web Server" site, click All Tasks, click Save Configuration to a File, and save the file.
       ii. Import it as a new website: right-click the "Web Sites" node, click New, click Web Site (from file), and select the file you saved in the previous step.

You will be asked whether you want to overwrite the existing website or create a new one. Create a new one. The new site will also be named "Symantec Web Server" and will be in a stopped state, so rename it so you don't get the two mixed up. Then open the new website's properties and configure it to use a port number of your choice, say 8080. Do the same for the "Application Pools": create your own "SymantecAppPool" as a copy of the "DefaultAppPool" and assign the new site to it. Now start the new site.

3) Create a new Management server list.
       i.   In Symantec Endpoint Protection Manager, click Policies, click Policy Components, click  Management Server Lists.
       ii.  Make a copy of the Default Management Servers list. Copy and Paste works here.
       iii. Edit the new server list.
             - Edit the existing servers under Priority 1 so that they use your custom port.
             - Add a new Priority, then add the same servers that are in Priority 1 to it, but without customizing the port. This is a backup plan: if clients are unable to connect on the custom port, they can fall back to the default.
       iv. Assign this new management server list to your groups and locations.
       v.  Update Contents on all clients so that this new policy is reflected for clients.

4) Edit Tomcat properties.
After all the clients have been updated, we can change the conf.properties file located under the Symantec install directory, something like C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Tomcat\etc\conf.properties.
       i.   Stop the Symantec Endpoint Protection Manager service.
       ii.  Open the conf.properties file in Notepad.
       iii. Add the line "scm.iis.http.port=8080" (without the quotes) to the end of the file, substituting whatever port you chose instead of 8080.

5) Restart Server.
Now stop the original "Symantec Web Server" site (the one still on port 80) and restart the server that hosts Symantec Endpoint Protection Manager.
After the server boots up, confirm that the custom port has been picked up in the Default Management Server List. You can do this by clicking Edit on the Default Management Servers list. Although the default list is not editable, you can view it and confirm whether or not the custom port has been configured correctly.

6) Clean up.
If all looks well, that is, the port has been configured and the clients have connected to the server on the custom port, you can:
       i.   Re-assign the Default Management Servers list back to your groups.
       ii.  Delete the custom Management Server list created in step 3.
       iii. Delete the "Symantec Web Server" website that uses port 80.


That's all. If you find that by accident some client was not updated when step 3 was done, you can always replace that client's sylink.xml file manually.
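The pre-flight checks and the conf.properties edit from steps 4 and 5, as an added PowerShell example (not from the original post or from Symantec). It assumes the install path shown above, port 8080, that the new IIS site has already been started, and that PowerShell 2.0 or later is available on the server.

```powershell
# Added example: cut-over checks before editing conf.properties (assumed paths and port).
$InstallDir = 'C:\Program Files\Symantec\Symantec Endpoint Protection Manager'
$ConfPath   = Join-Path $InstallDir 'Tomcat\etc\conf.properties'
$CustomPort = 8080

function Test-LocalPort {
    # True if something accepts TCP connections on the port, i.e. the IIS site is started.
    param([int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect('127.0.0.1', $Port); return $true }
    catch   { return $false }
    finally { $client.Close() }
}

function Set-SepmHttpPort {
    # Writes scm.iis.http.port=<port> exactly once: rewrites the line if the key already
    # exists (a duplicate key would be ambiguous), appends it otherwise, and keeps a backup.
    param([string]$Path, [int]$Port)
    $key   = 'scm.iis.http.port'
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Copy-Item -Path $Path -Destination "$Path.$stamp.bak"
    $found = $false
    $out = @(foreach ($line in (Get-Content -Path $Path)) {
        if ($line -match "^\s*$([regex]::Escape($key))\s*=") { $found = $true; "$key=$Port" }
        else { $line }
    })
    if (-not $found) { $out += "$key=$Port" }
    Set-Content -Path $Path -Value $out -Encoding ASCII
    return $found   # $true if an existing value was replaced rather than appended
}

# 1. Refuse to continue if the new site is not listening: once SEPM restarts with the new
#    port, clients on the custom management server list would have nowhere to connect.
if (-not (Test-LocalPort -Port $CustomPort)) {
    throw "Nothing is listening on port $CustomPort; start the new IIS site first."
}
# 2. Port 80 is the Priority 2 fallback from step 3 and should still be up at this point.
if (-not (Test-LocalPort -Port 80)) {
    Write-Warning 'Port 80 is not listening; clients still on the default port will lose contact.'
}
# 3. Stop the SEPM service (display name as seen in services.msc), then edit the file.
#    The restart of the server itself is left to step 5.
Stop-Service -DisplayName 'Symantec Endpoint Protection Manager' -ErrorAction Stop
$replaced = Set-SepmHttpPort -Path $ConfPath -Port $CustomPort
if ($replaced) { Write-Host "Updated existing scm.iis.http.port entry to $CustomPort" }
else           { Write-Host "Appended scm.iis.http.port=$CustomPort to $ConfPath" }
```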




Comments [4]
Thursday, September 04, 2008 8:59:07 AM (Sri Lanka Standard Time, UTC+05:30)
Really enjoyed your Symantec Endpoint posts Kavinda. I have a quick question about this one. I rather stupidly put Sharepoint on a box I had deployed Symantec Endpoint Protection Manager 11 onto. When I deployed SEPM onto that box I did it as the Default Website without thinking. Now that Sharepoint is on there, and quite a bit of work done on it, I have discovered my error now that the SEPM does not load.

I found your instructions just now and have had a read through....Step 1 says Install SEPM on a custom website. Just to be clear, does this mean my original install needs to have been done as a custom website for these instructions to work? And therefore am I screwed? Or are you telling me to install a fresh instance of SEPM as a Custom Website...in addition to the one I already have?

Hope you can clear that up for me ;)

Cheers ;)
Dave
Thursday, September 04, 2008 9:29:04 AM (Sri Lanka Standard Time, UTC+05:30)
Thanks for your comment.

This post is how I changed the port of a working SEPM installation. If I understood correctly, your SEPM installation no longer works. Therefore I don't think this solution will work for you.

However, if you've installed Sharepoint on a site of its own and not on the "Default Website" where you have SEPM installed, and SEPM works if you "Stop" the Sharepoint web site, you may still be able to get it working on a different port with a little effort.
Thursday, September 04, 2008 10:56:57 AM (Sri Lanka Standard Time, UTC+05:30)
Unfortunately Sharepoint and SEPM are both on the Default Website and both trying to use Port 80. Sharepoint works - SEPM has fallen over. Looks like I'm going to have to go the whole manual editing and copying of sylink.xml files route :(

Oh well, manually visiting 60 PCs to copy that one file might teach me to plan ahead a bit better next time :)
Dave
Thursday, September 04, 2008 11:11:58 AM (Sri Lanka Standard Time, UTC+05:30)
You may want to know that there is a tool named SylinkDrop.exe in the tools folder of the installation disks. This could help you automate the process so you won't have to visit the PCs.
Copyright © 2008 Kavinda Munasinghe. All rights reserved.