Endpoint Protection

  • 1.  SEP Blocking DHCP Requests; Adding Rule does not Resolve.

    Posted Feb 14, 2011 05:15 PM

    I'm having some problems getting clients to pull an IP address after I installed SEP 11 with all the components.

    Server is: Windows 2008R2, Domain Server, DNS, DHCP and SEP Manager 11.0.6200.754.

    I know it's firewall related because I reinstalled SEP with only Antivirus and AntiSpyware and DHCP started working for clients.

    I've already added a new rule for allowing both DHCP and DNS services in the firewall policy, put it at the top of the list and updated the policy on the server. Still did not work.
    I followed this link, with no luck: http://www.symantec.com/business/support/index?page=content&id=TECH102641&locale=en_US

    I read somewhere that the fix is to do this:  "Our fix was to create a new EAPOL (0x888E) network service and allow it inbound and outbound on the firewall policy"

    I have no clue how to do the above...any help?  Or what else do I need to try?



  • 2.  RE: SEP Blocking DHCP Requests; Adding Rule does not Resolve.

    Posted Feb 14, 2011 05:31 PM

    Make sure the policy you edited is being applied to the group the server is in. This may seem like a silly thing to say, but I have seen that happen surprisingly often.

    In the Firewall policy you can click Add Blank Rule; under Service List click Add, choose Protocol: Ethernet; Protocol Type: click the [>>] button then choose EAPOL (0x888E); Direction: Both. (This is a wireless protocol.) You can then move it to the top.

    Hope this helps.

    sandra



  • 3.  RE: SEP Blocking DHCP Requests; Adding Rule does not Resolve.

    Posted Feb 14, 2011 06:18 PM

    In the Smart Traffic Filtering section of the Firewall policy, uncheck 'Enable SmartDHCP' for the policy used by your DHCP server.

    This feature only allows outbound DHCP requests and inbound DHCP replies. DHCP servers need the exact opposite, as they respond to inbound DHCP requests with outbound DHCP replies.

    Note: Per the Help button: "If you disable this setting, to use DHCP you must create a firewall rule that allows UDP traffic on ports 67 (bootps) and 68 (bootpc)."
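
Added example, not part of the original post and not Symantec code: a Python model of the directionality described in the reply above, run over constructed DHCP payloads. `client_style_filter` is an assumed model of the behaviour the post describes (BOOTREQUEST out, BOOTREPLY in), and all function names are hypothetical.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}

def build(op, msg_type):
    """Constructed sample payload: op=1 BOOTREQUEST or op=2 BOOTREPLY, plus option 53."""
    header = struct.pack("!BBBB", op, 1, 6, 0) + bytes(232)
    return header + MAGIC + bytes([53, 1, msg_type, 255])

def parse(payload):
    """Return (op, message-type name); raise ValueError on anything malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC or payload[0] not in (1, 2):
        raise ValueError("not a DHCP payload")
    opts, i = payload[240:], 0
    while i < len(opts) and opts[i] != 255:      # 255 = end option
        if opts[i] == 0:                         # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(opts) or i + 2 + opts[i + 1] > len(opts):
            raise ValueError("truncated option")
        if opts[i] == 53 and opts[i + 1] == 1:   # 53 = DHCP message type
            return payload[0], TYPES.get(opts[i + 2], "OTHER")
        i += 2 + opts[i + 1]
    raise ValueError("no message-type option")

def client_style_filter(direction, payload):
    """Assumed model of the behaviour the post describes: requests out, replies in."""
    op, _ = parse(payload)
    return (direction == "out" and op == 1) or (direction == "in" and op == 2)

def port_rule(src_port, dst_port):
    """Explicit rule from the Help text: UDP 67 (bootps) and 68 (bootpc), both directions."""
    return {src_port, dst_port} <= {67, 68}

def lease_exchange(role):
    """One lease as seen on a host's interface; role is 'server' or 'client'."""
    req, rep = ("in", "out") if role == "server" else ("out", "in")
    return [(req, 68, 67, build(1, 1)), (rep, 67, 68, build(2, 2)),
            (req, 68, 67, build(1, 3)), (rep, 67, 68, build(2, 5))]

def verdicts(role):
    """Per message: (type, allowed by client-style filter, allowed by port rule)."""
    return [(parse(p)[1], client_style_filter(d, p), port_rule(s, t))
            for d, s, t, p in lease_exchange(role)]

if __name__ == "__main__":
    for role in ("client", "server"):
        print(role, verdicts(role))
```

On the server role every message fails the client-style filter while the explicit UDP 67/68 rule passes all four, which is the mismatch the reply describes.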



  • 4.  RE: SEP Blocking DHCP Requests; Adding Rule does not Resolve.

    Posted Feb 14, 2011 07:37 PM

    Ok, I'll give those a try.  Sounds like it should do the trick.

    I was also wondering if there are any special firewall settings I need to apply for Active Directory to work properly on 2008R2?

    Thanks for your replies!



  • 5.  RE: SEP Blocking DHCP Requests; Adding Rule does not Resolve.

    Posted Mar 30, 2011 04:41 PM

    I tried what Ryan suggested and no luck. My clients will not pull a DHCP address from my 2008R2 server.

    I unchecked Smart DHCP, and added the Allow rule for DHCP and DNS. Moved it to the very top of the list and gave it a 0-Critical.

    I have even disabled Network Threat Protection on the server and that still doesn't work.

    Antivirus and Antispyware are the only options I can install and not have any negative impact.

    Anyone have any other suggestions?  I'm starting to think I should give up on putting the Symantec firewall on my DC/DNS/DHCP server.



  • 6.  RE: SEP Blocking DHCP Requests; Adding Rule does not Resolve.



  • 7.  RE: SEP Blocking DHCP Requests; Adding Rule does not Resolve.

    Broadcom Employee
    Posted Mar 30, 2011 05:23 PM

    Try adding an allow all rule to the top of the firewall rule list temporarily and test to see if the traffic is still blocked or not.  If it works, then you will just need to determine exactly what still needs to be allowed through the firewall for it to work properly.  If it still fails, then I would suggest calling in and opening a case to troubleshoot further.



  • 8.  RE: SEP Blocking DHCP Requests; Adding Rule does not Resolve.

    Posted Mar 31, 2011 02:52 AM

    If I am not wrong, you have installed the SEP client with the NTP component. Try removing NTP and check once.



  • 9.  RE: SEP Blocking DHCP Requests; Adding Rule does not Resolve.

    Posted Mar 31, 2011 07:11 AM

    Yes, I have installed SEP with the NTP component on my DHCP server.  It of course somehow blocks the DHCP going from the server to the clients, even though I have added the allow rule for DHCP to the top of the firewall policy.

    If I reinstall with just Antivirus and no NTP, DHCP works fine.



  • 10.  RE: SEP Blocking DHCP Requests; Adding Rule does not Resolve.

    Posted Mar 31, 2011 07:48 AM

    Similar to Mahesh's suggestion above, I'd recommend disabling the firewall and IPS features of SEP.

    In your situation, I'd recommend creating a new group purely for your server, and withdrawing the firewall and Intrusion prevention policies from this group.

    This will disable the two network-related features that make up Network Threat Protection.

    On a general note, while IPS is recommended for servers, I would not normally enable the firewall on a server unless you are very clear on all applications and traffic this server is likely to see.