
Clients do not see the server after RU5 update

  • 1.  Clients do not see the server after RU5 update

    Posted Jan 19, 2010 05:06 AM
    Hi,

    I had the bug where the definitions were stuck @ 31 Dec. 2009.
    I did a backup of the database, and tried updating SEPM to the newest version.
    After the install, I got the bug where the migration wizard did not show up. I tried manually with the update.bat, nothing ...
    The only way I was able to fix that was by uninstalling SEPM and reinstalling it.
    I did a restore of the .zip file (created by the backup of the database). All the groups and clients show up in the SEPM, I was like "nice, it worked, all is good" ... not really.
    Since then, clients seem to ignore the server. There is no green dot on the Symantec shield, they do not update, and they say server status is 'offline'.
    By comparing the sylink.xml from a client with the server one, it turned out that there were 2 <certificate...> in the server one. I checked in admin --> servers and it had 2 servers, with the same name. One was the new server (version 11.0.5) while the other one was the old one (11.0.3...).
    I did an export/import of settings from the old one to the new one, and now the 2 certificates in the .xml are the same --> No change

    OK, now, guys, what must I do to get my SEP client to resync with the server?
    Do I have to try a restore again?
    Do I have to delete one of the servers?

    Thanks for the help.



  • 2.  RE: Clients do not see the server after RU5 update

    Posted Jan 19, 2010 05:14 AM
    Did you restore the certificate as per this doc?
    The jks file? Only then will the client communicate.
    Best Practices for Disaster Recovery with the Symantec Endpoint Protection Manager
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007082112135948

    If you want to start fresh, use sylink remote for the clients to get connected to the manager.


  • 3.  RE: Clients do not see the server after RU5 update

    Posted Jan 19, 2010 05:15 AM
    Copy server.xml from \Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\conf and keystore.jks from \Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc from the old backup to the new server in the same place and reconfigure your server.


  • 4.  RE: Clients do not see the server after RU5 update

    Posted Jan 19, 2010 05:52 AM
    I fear getting the old keystore.jks and the old server.xml is not possible.
    The only ones I find seem to be the new ones.

    And of course, I do not have a backup of that (since there was an app for backing up, I thought it would back up everything that was crucial to the reinstall ...)

    I suppose there is no way to fix that without those files? (and without being forced to send a new sylink.xml file to all clients)


  • 5.  RE: Clients do not see the server after RU5 update

    Posted Jan 19, 2010 06:03 AM
    It's not possible; the jks file holds the communication key. You have to use the sylink or use a new push package resetting the communication, whatever is comfortable for you.

    How to restore/retain client-server communication using custom installation settings without having to use the sylink drop tool


    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008052008163148


    http://www.symantec.com/connect/downloads/sylinkreplacer-tool-connecting-sep-clients-sepm


  • 6.  RE: Clients do not see the server after RU5 update

    Posted Jan 19, 2010 06:08 AM
    I am gonna investigate that pushing method.
    Weirdly enough, the clients appear with a green dot in the SEPM, but the green dot doesn't appear on the Symantec shield on the clients ...
    Logs say "client has reconnected with the management server" or "server received log succesfully" ... It makes me think the client recognizes the server.


  • 7.  RE: Clients do not see the server after RU5 update

    Posted Jan 19, 2010 08:01 AM
    Mhmhmh,
    Logs on the client say it tries to connect and then gets disconnected.
    Changing the sylink.xml on a test client did not change a thing. Even with the new sylink (updated with sylinkdrop), the PC does not get the green dot or the definition updates.
    I tried to create a new package on the SEPM, but I got an error telling me there is a problem with the policy for the group.
    I am more suspecting a problem of policies (directory SEPM\data\outbox\agent seems pretty empty to me compared to the number of groups we have).
    Any ideas on that?


  • 8.  RE: Clients do not see the server after RU5 update

    Posted Jan 19, 2010 08:37 AM
    dbvalidator.bat returns me "DB validation failed".

    Here is the log file (which is pretty clear ... ;)):

    2010-01-19 14:35:47.715 INFO: *********************************************
    2010-01-19 14:35:47.806 INFO: Following ids are not present in the database.
    2010-01-19 14:35:47.821 INFO: *********************************************
    2010-01-19 14:35:47.821 INFO: Link is broken for [0] target ids :
    2010-01-19 14:35:47.821 INFO: *********************************************
    2010-01-19 14:35:47.821 INFO: Link is broken for [1] physical file ids :
    2010-01-19 14:35:47.821 INFO: TargetId:[7640350E3F244FFBB791DB0664C6BF1D] TargetType:[LuDownloadedPackage] ObjectTypeName:[ObjReference] ParentObjectTypeName :[PhysicalFile] Parent's TopLevelObject's GUID:[1FC0FB7F2F77DB0BFD80AFF87294470A]
    2010-01-19 14:35:47.836 INFO: <?xml version="1.0" encoding="UTF-8"?>
    <PhysicalFile CreationTime="1262270452223" Description="SESM Virus Definitions Win32 v11:MicroDefsB.CurDefs:SymAllLanguages" FileChecksum="9A46E373A96DE6EC9A24EC17B57C2C80" FileLastModifiedTime="1262270452223" FileName="full.zip" FileSize="66779818" Id="1FC0FB7F2F77DB0BFD80AFF87294470A" Name="DownloadedContentFile" NameSpace="schema" _d="false" _i="61AD7EE804C064DCB496C4931DFD6464" _t="1262270452223" _v="13">
      <ObjReference Name="full.zip" TargetId="7640350E3F244FFBB791DB0664C6BF1D" TargetType="LuDownloadedPackage" _d="false" _i="37D4B07AC1AE219F1CAE4C2386BFB50D" _t="1262270452223" _v="6"/>
    </PhysicalFile>

    2010-01-19 14:35:47.851 INFO: *********************************************
    2010-01-19 14:35:47.866 INFO: Database validation failed.
    2010-01-19 14:35:47.882 INFO: Finished.


  • 9.  RE: Clients do not see the server after RU5 update

    Posted Jan 19, 2010 10:22 AM
    @ GregSMC

    If all else fails, I would suggest using Sylink Replacer.

    Download it here:
    https://www-secure.symantec.com/connect/downloads/sylinkreplacer-tool-connecting-sep-clients-sepm

    This tool searches subnets for SEP clients and automatically stops the SEP service and copies over the Sylink.xml file that you choose. Nice tool.

    Mike



  • 10.  RE: Clients do not see the server after RU5 update

    Posted Jan 19, 2010 10:27 AM
    @ Greg SMC,

    Try to export the sylink.xml file directly from the SEPM.
    Right click on the group, click "Export Communications Settings". Rename the generated file to "sylink.xml", and try using sylinkdrop again with the new sylink.xml.




  • 11.  RE: Clients do not see the server after RU5 update

    Posted Jan 20, 2010 03:04 AM
    I tried sylink replacer, sylink drop and sylink remote. None worked.

    I'm more worried by the fact that the Group policies do not create new directories and by the fact that I cannot create a new install package (error telling it cannot find the policies for the specified group). Those problems make me think there can be another source of problem :/


  • 12.  RE: Clients do not see the server after RU5 update

    Posted Jan 20, 2010 03:33 AM
    If you do not have those two certificate files, it is better to install SEPM newly, do not restore the database, create groups, export sylink, replace in the clients.


  • 13.  RE: Clients do not see the server after RU5 update

    Posted Jan 20, 2010 08:01 AM
    For the policy problem during package creation.. try this...

    * Add "authenticated users" to SEPM directory and give permissions.... and oh, don't forget to uncheck inheritance and replace permission on child objects...


    And for the client communication.... This seems to me like a certificate problem... Try this on one of your test machines...

    1. Stop the client service, i.e. SMC -stop
    2. Open Sylink.XML with a text editor (Wordpad, preferably)
    3. Come down to a line where it says server name = and http port = and blah blah..
    4. Now, change the host name of the server to FQDN of the server... and in the same line... the last parameter would read "Verify Signatures" ... change the value to 0 ...
    5. Save the file and start the service... i.e. SMC -start

    Now, if by luck, that helped you... you can take the same edited Sylink.xml file from that client and drop it on others using sylink replacer.... And furthermore, you don't have to worry about the groups... the clients will remain in their respective groups and will also communicate.... (again, if and only if the above suggestion works.. :) )

    Cheers,
    Visu.


  • 14.  RE: Clients do not see the server after RU5 update

    Posted Jan 25, 2010 07:56 AM
    OK, so,
    I have reinstalled the server completely. Exported the sylink.xml for each group (only two, servers and workstations).
    Now, using sylinkdrop, sylinkreplacer or sylinkremote, updating a server works fine.
    It stops the service, the shield icon disappears, comes back again, then the green dot appears (and the PC is shown in the server manager console). Works great.

    BUT ... (yeah, there is a but :)), on workstations (all WinXP SP2/SP3), the shield disappears, comes back but the green dot never shows. The PC does not appear in the manager console.
    I tried all tools, I tried manually, I tried to reboot the client. The sylink.xml is replaced (when I edit it on the client, it is the one I sent).
    I also tried to send the sylink.xml from the server group, same result ...

    Any idea why it doesn't work on the WinXP PCs?


  • 15.  RE: Clients do not see the server after RU5 update



  • 16.  RE: Clients do not see the server after RU5 update

    Posted Jan 25, 2010 09:17 AM
    None of these would help. And all of these "tests" (sorry, but doing a ping and a telnet is very far from being a reliable test ...) are working anyway.
    There are no network problems between server and client (the sylink.xml is deployed from the server, no firewall, no ACL blocking traffic on routers or such).

    Does anyone have any idea (an idea where you have to type words to help, not pasting a URL :))

    Thanks


  • 17.  RE: Clients do not see the server after RU5 update

    Posted Jan 25, 2010 11:12 AM
    We'd be interested to take a look at the logs... That'd help us investigate.. :) .. Please run a Sylink monitor and paste the logs here.. Let's check :)

    You get the tool here : http://service1.symantec.com/SUPPORT/ent-security.nsf/383ed085ad1ed2c6882571500069b34d/4be077e14183395388257348007a2472/$FILE/SylinkMonitor_6733.exe

    And follow this :

    * Set registry key: HKLM\Software\Symantec\Symantec Endpoint Protection\SMC - smc_debuglog_on = 1
    * Run SylinkMonitor
    * Stop SMC: START > RUN > smc -stop
    * Start SMC: START > RUN > smc -start


  • 18.  RE: Clients do not see the server after RU5 update

    Posted Jan 26, 2010 10:06 AM
    Hi,

    I tried the sylinkmonitor on a non-working client.
    It outputs a lot of data:

    <?xml version="1.0" encoding="UTF-8" ?><SSARegData NameSpace="rpc"><AgentInfo DomainID="849F081D0AA001A001BA0281F5632359" AgentType="105" UserDomain="XXX.UK" LoginUser="Administrator" ComputerDomain="xxxx.uk" ComputerName="8710P" PreferredGroup="Myompany    Laptops    @Laptops            61581632llVersion" PreferredMode="1" HardwareKey="8A392BEC8BDECA6EF7CA6AD7448542D1" SiteDomainName=""/>

    In this line, the weird part is that it still uses the old DomainID and old PreferredGroup, despite the fact that the sylink.xml in the SEP directory has been successfully updated with the new one. It still gives that line after a "smc -stop/smc -start" and even after a reboot.
    The client acts like it doesn't care about the sylink.xml. I checked the security on the file, gave full control for the local users group (domain users are in this group). Still trying with the old DomainID.
    I looked for another remaining .xml file containing that DomainID. Found nothing on the local drive :/

    Do you need any other info from that debug log?
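
The checks discussed in posts 1, 13 and 18 (compare a client's sylink.xml with the file exported from SEPM: domain id, certificates, signature verification), as an added example that is not part of any post and is not Symantec code. The element and attribute names and both sample files are assumptions constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed samples. Element and attribute names (ServerSettings, DomainId,
# Server, VerifySignatures, Certificate) are assumptions about sylink.xml;
# every element is scanned, so deeper nesting in a real file does not matter.
SEPM_EXPORT = """<ServerSettings DomainId="AAAA1111AAAA1111AAAA1111AAAA1111">
  <Server Address="sepm.example.test" HttpPort="8014" VerifySignatures="1"/>
  <Certificate Name="sepm.example.test">Q09OU1RSVUNURUQtTkVX</Certificate>
</ServerSettings>"""
CLIENT_COPY = """<ServerSettings DomainId="BBBB2222BBBB2222BBBB2222BBBB2222">
  <Server Address="sepm" HttpPort="8014" VerifySignatures="0"/>
  <Certificate Name="sepm">Q09OU1RSVUNURUQtT0xE</Certificate>
</ServerSettings>"""

def summarize(xml_text):
    """Collect the domain id, server entries and certificate digests."""
    domain_id, servers, certs = None, [], set()
    for el in ET.fromstring(xml_text).iter():
        attrs = {k.lower(): v for k, v in el.attrib.items()}
        if domain_id is None and "domainid" in attrs:
            domain_id = attrs["domainid"].upper()
        tag = el.tag.lower()
        if tag == "server":
            servers.append((attrs.get("address"), attrs.get("verifysignatures")))
        elif tag == "certificate":
            blob = "".join((el.text or "").split())  # ignore line wrapping
            certs.add(hashlib.sha256(blob.encode()).hexdigest())
    return domain_id, servers, certs

def compare(client_xml, sepm_xml):
    """Return findings for a client file checked against the SEPM export."""
    c_dom, c_srv, c_certs = summarize(client_xml)
    s_dom, _, s_certs = summarize(sepm_xml)
    findings = []
    if c_dom != s_dom:
        findings.append(f"DomainId mismatch: client {c_dom}, SEPM {s_dom}")
    if not c_certs & s_certs:
        findings.append("client trusts no certificate present in the SEPM export")
    if len(s_certs) > 1:
        findings.append(f"SEPM export lists {len(s_certs)} distinct certificates")
    for address, verify in c_srv:
        if verify == "0":
            findings.append(f"signature verification disabled for {address}")
    return findings

if __name__ == "__main__":
    for finding in compare(CLIENT_COPY, SEPM_EXPORT):
        print(finding)
```

A client file left with signature verification set to 0 after troubleshooting shows up in the last finding, so the same check can be rerun once communication is restored.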


  • 19.  RE: Clients do not see the server after RU5 update

    Posted Jan 26, 2010 10:58 AM
    If you could post the sylink log, that'd be great.. :) ... You can mask your private information, if that's a concern... :) ... And, if you suspect that the clients are not reading the sylink file, that may be due to cached information...

    * Stop SMC
    * Delete Sylink.bak , SylinkEx.bak (if present) 
    * Replace Sylink.xml
    * Start SMC

    There is a part in Sylink monitor which says SMC return = ... Which typically contains http return code... If the connectivity is fine, it should read 200... Check.. :)



  • 20.  RE: Clients do not see the server after RU5 update

    Posted Jan 27, 2010 04:57 AM
    Hi again ;)

    I tried deleting the sylink.bak (and all the sylink.00x files too) and smc stop/start, no luck :(

    I got some "Http returns status code" in sylinkmonitor : 468-469-500

    The log is pretty long, so I have uploaded it to a megaupload link, I don't know if this is allowed on this forum ... :)

    www.megaupload.com/ (http://www.megaupload.com/?d=V2P09OH3)

    There is no "status code 200" :(


    Just to be sure, I deleted the sylink.xml, and tried to smc -start ... it refused to start without the .xml :)



  • 21.  RE: Clients do not see the server after RU5 update

    Posted Jan 27, 2010 07:44 AM
    I tried copying the %programfiles%/Symantec/Symantec Endpoint Protection/ directory from a working machine to a non-working machine, replacing the existing one.
    smc -start ... gives a lot of errors (like "windows installer popup") but the sylink is able to connect to the server, getting the policies, and the green dot appears.
    So, along with sylink.xml, there is clearly another file in that directory that needs to be changed.
    I'll try to check file by file and see when it is working :/


  • 22.  RE: Clients do not see the server after RU5 update
    Best Answer

    Posted Jan 27, 2010 08:41 AM
    Stop all Symantec services.
    Replace the sylink file.
    Take both SerDef.dat and SerState.dat files from a working PC, delete the same files and their backups from the problematic PC, and copy the new ones.
    Restart the computer and try.


  • 23.  RE: Clients do not see the server after RU5 update

    Posted Jan 27, 2010 10:46 AM
    Ah, nice !!

    Replacing the sylink.xml, serdef.dat, serstate.dat and server.dat did the trick!
    It is working on all the test PCs (10 PCs for the moment).
    I'm gonna make a script and push those files with a GPO on a larger scale.

    NICE !!