SEP 14 - Microsoft Azure Compatibility 

Dec 15, 2016 10:36 AM

In this article I will be covering the compatibility issues we faced when trying to use Symantec Endpoint Protection version 14 with Microsoft's Cloud Platform - Microsoft Azure.

There are two sections to the article: if you're interested in the detail then continue reading; otherwise there is a conclusion at the bottom of the article with the answer. The purpose of this is to hopefully answer any questions around using SEP 14 in Microsoft Azure and potentially save others the time/pain we had from trying to do so.


Detailed Explanation
The SEP 14 Installation and Administration guide has a section on supported virtual installations (pg. 80), and Windows Azure is listed as a supported platform (MS changed the name of this platform to Microsoft Azure in 2014).

[Image: Install and Admin Guide Support Matrix.png]

This only mentions that the SEP Manager console is supported; there is no mention of SQL Azure being supported further up in the document (pg. 70). Correctly or incorrectly, it was assumed that because the document mentioned that Microsoft Azure was supported, SQL Azure would be also. This is not the case.
SQL Azure works on an entirely different version numbering system that does not correspond to any version we would commonly know it by (e.g. 2008 R2, 2012, 2014). The latest version at the time of writing this article is SQL Azure V12.

Below is the list of supported SQL server database versions, also taken from the Installation and Administration guide that was mentioned earlier:

[Image: SQL Support.png]


I did try using SQL Azure V12 out of curiosity and can confirm that it does not work with SEPM. I experienced issues around granting the correct permissions to allow SEPM to install into an already existing blank database that I had created through the Azure portal.

The issue specifically was around granting the ALTER ANY LOGIN permission to a SQL user account that for example you would use for allowing SEPM to connect to SQL. It was not possible to add the LoginManager or DBManager roles to the SQL user account.
There was also a lot of confusion around the fact that Azure SQL does not allow for SSMS (SQL Server Management Studio) to use the GUI (Graphical User Interface) as you would normally expect - Right click, create new user was not an available option. Creating and managing users and permissions all had to be done through T-SQL code which adds extra complexity to an already difficult platform.

I had spoken to the Enterprise Symantec Support team around this and had asked for clarification on whether SQL Azure was supported for SEPM, and they had confirmed that it wasn't. I had also requested that the Installation and Administration guide be updated to reflect that SQL Azure was specifically not supported; however, they probably didn't have time to update an already existing document, which then led to the creation of this article.

The solution to this is to simply create another Microsoft Azure server, install your own version of SQL onto it and manage it as you would any normal SQL server installation. This is not exactly an ideal situation, as the benefits of using SQL Azure looked appealing - no management of another server, lower running cost, more resilience.
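
A pre-flight check along these lines, run as the account SEPM will connect with, shows whether the target is Azure SQL Database or a self-managed SQL Server and whether that login holds ALTER ANY LOGIN. It is an added example, not code from the original article or from Symantec; the login name `sepm_install` in the comment is hypothetical.

```sql
-- Added example: run this before pointing the SEPM installer at a database server.
SET NOCOUNT ON;

-- SERVERPROPERTY('EngineEdition') identifies the engine behind the connection.
DECLARE @engine  int = CAST(SERVERPROPERTY('EngineEdition') AS int);
DECLARE @verdict nvarchar(200);

IF @engine = 5
BEGIN
    -- EngineEdition 5 = Azure SQL Database (the service this article calls
    -- SQL Azure). Granting ALTER ANY LOGIN is where the article's attempt
    -- failed, so there is no point testing the permission here.
    SET @verdict = N'Azure SQL Database detected: not supported for SEPM per this article.';
END
ELSE IF HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER ANY LOGIN') = 1
BEGIN
    -- NULL securable and class = check a server-level permission
    -- for the current login.
    SET @verdict = N'SQL Server instance; this login holds ALTER ANY LOGIN.';
END
ELSE
BEGIN
    -- On a self-managed instance a sysadmin can grant it with:
    --   USE master; GRANT ALTER ANY LOGIN TO [sepm_install];
    -- (sepm_install is a hypothetical login name)
    SET @verdict = N'SQL Server instance; this login lacks ALTER ANY LOGIN.';
END

SELECT
    @@VERSION     AS version_banner,
    @engine       AS engine_edition,
    SUSER_SNAME() AS checked_login,
    @verdict      AS verdict;
```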


Conclusion
Symantec Endpoint Protection Manager is not fully supported with the Microsoft Azure cloud platform due to SQL Azure not supporting the installation of the SEPM database. This is easily worked around by creating another virtual server in Azure and installing your own version of SQL; however, this method is unfortunately inconvenient and you no longer get to utilise the real benefits from using Microsoft Azure.

Thanks for your time!

Comments

Feb 03, 2017 06:51 PM

Hi Sam, 

Great article and so true. Having tried to do this myself I agree with you that it's better to fire up a Server VM and install SQL server on this new server than try and attempt to use Azure SQL. It's a real shame that Symantec have yet to resolve this. Unless one of the boffins can give us a clue?

I even tried to mount a blank DB (SEM5) and attach that way but like you said it's the Alter command that has been dropped in some form to not support the command GRANT ALTER ANY Login TO <USER>

Information on what has been dropped for the SQL Transact is here: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-transact-sql-information

Thanks for the info.

Darrell
