Endpoint Protection

  • 1.  SEPM - http vs https

    Posted May 07, 2018 09:05 AM

    Hello,

    I'm planning to replace the self-signed certificate with a CA cert, and according to these steps https://support.symantec.com/en_US/article.HOWTO81059.html I need to switch communication over HTTP 8014. What if my servers don't have network traffic open via port 8014 towards SEPM but only 443? Is it possible to set up HTTP over 443 and HTTPS on 9443, for example? Should be possible since we can specify custom ports in httpd.conf and sslForClients.conf.

    Any clue?

    Greets.



  • 2.  RE: SEPM - http vs https

    Posted May 07, 2018 09:20 AM

    Should be straightforward:

    http://www.symantec.com/docs/HOWTO81054



  • 3.  RE: SEPM - http vs https

    Posted May 07, 2018 02:08 PM

    Thanks Brian, looks easy, but I have one doubt. If I'm using only the 443/HTTPS port, how should I modify the Management Server List in order to point clients to use the same SEPM but HTTP over 443? Clients need to update their policies with the new MSL, so should I switch to "Use HTTP protocol", then put SEPM_IP:443, stop the Web Service and change the listening ports in httpd.conf to 443 and in sslForClients.conf to, let's say, 9443?



  • 4.  RE: SEPM - http vs https

    Posted May 07, 2018 02:15 PM

    The issue you may run into by assigning HTTP to 443 is how SEPM will handle it. 443 is typically designated for HTTPS, not HTTP. If the SEPM is hard-coded to equate HTTPS to 443 then it may not work. I can't say how it handles this, so you may want to verify with support. Either that or pick a different port for HTTP.



  • 5.  RE: SEPM - http vs https

    Posted May 07, 2018 02:37 PM

    Yeah ... I thought that might be an issue, how SEPM will handle such a thing. Anyway, will test this out and see how it goes.



  • 6.  RE: SEPM - http vs https

    Posted May 09, 2018 07:06 AM

    I've done some tests regarding 8014/443 traffic.

    I have a SEP client connected over port 443 (HTTPS 443 is set up in the MSL and "Secure connection" in "General Settings" is turned off) (traffic over 8014 blocked). Then I switched the MSL to HTTP port 8014, policy update on client.... result: client not able to connect. OK :)

    Then I switched the MSL back to HTTPS 443 .. client policy update ... communication brought back over 443 :))

    So it looks like there is a way back even if the client does not have port 8014 open (or any other custom port used for HTTP) but has only HTTPS (443) available.

    Of course, this will not apply if we replace the SEPM certificate in between :)



  • 7.  RE: SEPM - http vs https

    Posted May 09, 2018 07:41 AM

    Additionally, it looks like the SEP client will eventually use the server from "Last Successful Connection", because without switching the MSL back to 443 the client is able to connect :) and sylink is not updated on the client. It's still like HTTP only:

    <Server NameSpace="rpc" VerifySignatures="0" HttpsVerifyCA="0" HttpsPort="443" HttpPort="8014" Address="x.x.x.x"/>

    whereas the MSL with 443 HTTPS will look like this:

    <Server NameSpace="rpc" VerifySignatures="0" HttpsVerifyCA="0" Protocol="HTTPS" HttpsPort="443" HttpPort="8014" Address="x.x.x.x"/>

    Brian, can you confirm that SEP is acting like this? (case of the same server)

    Another conclusion is that sylink will not be replaced if you import a wrong one (to which the client is not able to connect). I've checked by trying to import a sylink from a different server with a modified IP .. a couple of tries on Wireshark .. sylink not replaced .. after a few minutes communication was brought back to the right SEPM server :)

    Brian, can you confirm that SEP is acting like this? (case of sylink import with wrong server inside)

    Nevertheless, communication must be happening over HTTP (8014, i.e.) if I want to consider certificate replacement :)
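
Added example, not part of the thread and not Symantec code: a small Python check that reads `<Server>` entries like the two quoted in post 7 and reports which protocol and port each one selects, whether that port is open from the client, and which verification attributes are set to 0. The `<ServerList>` wrapper, the function name and the rule "no `Protocol` attribute means HTTP" are assumptions taken from what the poster observed, not documented SEPM behaviour.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two <Server> elements quoted in the thread, wrapped in
# a hypothetical <ServerList> root so the fragment parses. Address is a placeholder.
SAMPLE = """<ServerList>
  <Server NameSpace="rpc" VerifySignatures="0" HttpsVerifyCA="0" HttpsPort="443" HttpPort="8014" Address="x.x.x.x"/>
  <Server NameSpace="rpc" VerifySignatures="0" HttpsVerifyCA="0" Protocol="HTTPS" HttpsPort="443" HttpPort="8014" Address="x.x.x.x"/>
</ServerList>"""


def audit_servers(xml_text, reachable_ports):
    """Return one dict per <Server> entry: protocol, port, reachability, notes."""
    results = []
    for srv in ET.fromstring(xml_text).iter("Server"):
        # Assumption taken from the thread: no Protocol attribute means HTTP.
        proto = srv.get("Protocol", "HTTP").upper()
        port_attr = "HttpsPort" if proto == "HTTPS" else "HttpPort"
        raw = srv.get(port_attr)
        notes = []
        try:
            port = int(raw)
        except (TypeError, ValueError):
            port = None
            notes.append(f"{port_attr} missing or not numeric: {raw!r}")
        if port is not None and port not in reachable_ports:
            notes.append(f"{proto} port {port} is not open from this client")
        # Report the verification attributes exactly as they appear in the entry.
        for flag in ("VerifySignatures", "HttpsVerifyCA"):
            if srv.get(flag) == "0":
                notes.append(f"{flag} is set to 0")
        results.append({"address": srv.get("Address"), "protocol": proto,
                        "port": port, "reachable": port in reachable_ports,
                        "notes": notes})
    return results


if __name__ == "__main__":
    # Firewall from the thread: only 443 is open towards the SEPM.
    for entry in audit_servers(SAMPLE, reachable_ports={443}):
        print(entry)
```

Run against a server list before pushing it to clients, with `reachable_ports` set to what the firewall actually allows, to see which entries a client could not reach.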