Symantec Management Platform (Notification Server)

Altiris and SEPM integration: Computers on Quarantine

  • 1.  Altiris and SEPM integration: Computers on Quarantine

    Posted 10-07-2020 06:40 AM
    Edited by Pablo Llorente 10-07-2020 06:49 AM
    Hello,

    We are trying to configure the Altiris and SEP integration in order to be able to put computers on quarantine whenever the computer does not have the CVEs that we consider it should have.

    Everything has been configured, both in Altiris and SEPM. In fact, in SEPM we have launched the Host Integrity policy and it worked fine, but whenever we try to run the policy in Altiris, we get errors. According to Log Viewer the error is "Unauthorized".

    The computers are correctly set up as "quarantine", but when Altiris sends the command to SEPM it fails:





    Exception occurred while processing quarantine/reverse quarantine device commands:

    An error occurred while sending quarantine/reverse quarantine device
    [Altiris.NS.Exceptions.AeXException @ Symantec.SEPHostIntegrityManagement]
    at Symantec.SEPHostIntegrityManagement.RestHandler.SEPMActionProvider.QuarantineUnquarantineDevices(String requestUrl, ISEPMRestClient restClient)
    at Symantec.SEPHostIntegrityManagement.Actions.QuarantineActionHelper.SendRequest(ISEPMActionProvider sepmActionProvider, IEnumerable`1 lstOfDevices, Int32 quarantine)

    An error occurred while calling the quarantine/reverse quarantine device api with HTTP code: Unauthorized
    [Altiris.NS.Exceptions.AeXException @ Symantec.SEPHostIntegrityManagement]
    at Symantec.SEPHostIntegrityManagement.RestHandler.SEPMActionProvider.QuarantineUnquarantineDevices(String requestUrl, ISEPMRestClient restClient)

    Exception logged from:
    at Symantec.SEPHostIntegrityManagement.Actions.QuarantineActionHelper.SendRequest(Symantec.SEPHostIntegrityManagement.RestHandler.ISEPMActionProvider, System.Collections.Generic.IEnumerable<Symantec.SEPHostIntegrityManagement.Action.ResourceGuidToComputerIdMapping>, Int32)
    at Symantec.SEPHostIntegrityManagement.Actions.QuarantineActionHelper.SendQuarantineCommand(Symantec.SEPHostIntegrityManagement.RestHandler.ISEPMActionProvider, System.Collections.Generic.List<Symantec.SEPHostIntegrityManagement.Action.ResourceGuidToComputerIdMapping>, Int32)
    at Symantec.SEPHostIntegrityManagement.Actions.QuarantineActionHelper.PerformAction(System.Collections.Generic.Dictionary<System.Guid,Symantec.SEPHostIntegrityManagement.Model.QuarantineDetails>, Boolean)
    at Symantec.SEPHostIntegrityManagement.Actions.QuarantineActionProcessor.TriggerComplianceEvaluationOnAssessmentResult(System.Guid)
    at Symantec.SEPHostIntegrityManagement.Messages.PatchDataclassChangeMessageSubscriber.OnNSMessage(Altiris.NS.Messaging.INSMessage)
    at Altiris.NS.Messaging.NSMessageQueue.NotifySubscriber(System.Guid, Altiris.NS.Messaging.INSMessage)
    at Altiris.NS.Messaging.NSMessageQueue.NotifySubscriberEntry(Object)
    at Altiris.Common.Threading.BalancedThreadPool.ExecuteWorkerRequest(Altiris.Common.Threading.BalancedThreadPoolWorkerState, Altiris.Common.Threading.BalancedThreadPoolWorkerRequest)
    at Altiris.NS.Threading.NsBalancedThreadPool.ExecuteWorkerRequest(Altiris.Common.Threading.BalancedThreadPoolWorkerState, Altiris.Common.Threading.BalancedThreadPoolWorkerRequest)
    at Altiris.Common.Threading.BalancedThreadPool.ThreadPoolProc(Object)
    at System.Threading.ThreadHelper.ThreadStart(Object)

    User [ALTIRIS-USER], Auth [ALTIRIS-USER], AppDomain [AeXSVC.exe]


    During the configuration on the Altiris side we used a user created in SEPM for this purpose to make the integration with the SEPM servers, but we are not sure if this user is the one used by Altiris to make the call to the API in SEPM.

    We cannot use the admin user of SEPM because of internal control of our company.

    Could someone explain to us better how the connectivity between Altiris and SEPM is done? What user is used by Altiris? Should we create in the SEPM console the service account used by Altiris: ALTIRIS-USER?

    Thanks a lot in advance.


  • 2.  RE: Altiris and SEPM integration: Computers on Quarantine

    Broadcom Employee
    Posted 10-07-2020 07:54 AM

    Hi Pablo Llorente!

    1. What version of ITMS 8.5.x are you using?
    2. What version of SEPM 14.x are you using?
    3. Did it previously work fine with the same SEPM Server and SEPM Server account specified, and this error suddenly appears now?
    4. Make sure that the currently specified IP address & port of your SEPM server are correct (probably it has changed but the full inventory task wasn't executed on the SEPM server, so the IP address remains old/incorrect), or maybe the NS Server machine resolves the SEPM Server IP address incorrectly? https://help.symantec.com/cs/ITMS8.5/SMPlat/SEPMServerInfo/title?locale=EN_US

    5. You mentioned that you don't use an admin role account of SEPM Server, and it seems you are using a low-level account of SEPM Server?
    Did you make sure that this non-admin account, which is created/added on the SEPM Server itself, has enough permissions/privileges on the SEPM Server? Can this account successfully log in to the SEPM Server Console?

    Thanks,
    IP.


    ------------------------------
    Software QA Engineer
    Broadcom Inc.
    ------------------------------



  • 3.  RE: Altiris and SEPM integration: Computers on Quarantine

    Posted 10-07-2020 08:08 AM
    Hello Igor,

    Thanks a lot in advance for trying to help.

    1. What version of ITMS 8.5.x are you using? --> 8.5 RU2
    2. What version of SEPM 14.x are you using? --> 14.3
    3. Did it previously work fine with the same SEPM Server and SEPM Server account specified, and this error suddenly appears now? --> In fact we are starting with this integration right now, so it was never configured. We are trying to make it work.
    4. Make sure that the currently specified IP address & port of your SEPM server are correct (probably it has changed but the full inventory task wasn't executed on the SEPM server, so the IP address remains old/incorrect), or maybe the NS Server machine resolves the SEPM Server IP address incorrectly? help.symantec.com/cs/ITMS8.5/SMPlat/SEPMServerInfo/...  --> When we establish connectivity with the SEPM servers using user and pwd, the connectivity apparently works fine. The IP appears in the dropdown list, so it is not typed manually, and the user and pwd work because otherwise we get a credentials error.
    5. You mentioned that you don't use an admin role account of SEPM Server, and it seems you are using a low-level account of SEPM Server?
    Did you make sure that this non-admin account, which is created/added on the SEPM Server itself, has enough permissions/privileges on the SEPM Server? Can this account successfully log in to the SEPM Server Console? --> With the user used to establish connectivity in Altiris, we have launched the Host Integrity policy in SEPM and it worked perfectly. The problem is with connectivity between Altiris and SEPM.

    Saludos, Best Regards
    _____________________________________________________________


    Pablo Llorente Abad

    EMEA Workplace Services, Workplace Specialist

     


    LafargeHolcim EMEA Digital Center

    Albasanz 14, 28037 Madrid, Spain

    Mobile +34 672746460

    pablo.llorente@lafargeholcim.com

     

    More information at www.itemea.lafargeholcim.com


  • 4.  RE: Altiris and SEPM integration: Computers on Quarantine

    Broadcom Employee
    Posted 10-07-2020 05:34 PM
    You need to use an account that has "System Administrator" role in SEPM Server 14.3


    ------------------------------
    Software QA Engineer
    Broadcom Inc.
    ------------------------------



  • 5.  RE: Altiris and SEPM integration: Computers on Quarantine

    Posted 10-08-2020 03:59 AM
    Hello Igor,

    Once again, thanks a lot for your valuable help. 

    I would like to double-check your last mail because, according to another Broadcom employee, when we asked him initially in order to prepare the integration, he told us that the rights the user should have are "limited administrator" with rights for managing policies:

    image.png

    So now we are a bit confused, because if global admin is needed, we will be unable to carry on with this integration.

    Additionally, do you know how we could capture further logs in the SEPM console in order to get more details about the error? Should we enable any debug log? I have checked all the logs and I cannot find anything in this regard...

    Thanks for your help!. 



    Saludos, Best Regards

  • 6.  RE: Altiris and SEPM integration: Computers on Quarantine

    Broadcom Employee
    Posted 10-08-2020 05:17 AM

    Hi Pablo!

    I would suggest opening a support case.

    Best regards,
    IP.



    ------------------------------
    Software QA Engineer
    Broadcom Inc.
    ------------------------------



  • 7.  RE: Altiris and SEPM integration: Computers on Quarantine

    Broadcom Employee
    Posted 10-08-2020 01:18 PM
    Hi Pablo,

    Please note that the requirement of System Administrator for this integration is driven by the SEPM API spec (not the ITMS implementation): "You must have Symantec Endpoint Protection Manager System Administrator privileges to use REST API commands." (https://apidocs.symantec.com/home/saep#_required_command_components).
    I concur with Igor that escalation to support makes sense at this point, as consultation from SEP (whether the requirement in question could be worked around) seems to be required.

    Thanks,
    Dmitri.


  • 8.  RE: Altiris and SEPM integration: Computers on Quarantine

    Posted 10-09-2020 03:30 AM
    Thanks a lot to both of you for your help.

    I will open a support case, and I will update here with conclusions. 

    Saludos, Best Regards