Either by Symantec recommendations or for other environmental reasons, there is a need to change the Symantec Endpoint Protection Manager (SEPM) management port to a port other than 80, 8014 or 443 for https.
Possible communication issues between SEPM and its clients.
Before Symantec Endpoint Protection (SEP) 11.0.3000.2224 (MR3), the default communication port for SEPM and SEP clients was 80. Because this port could be already assigned to other services, Since SEP MR3, the default port was set to 8014. In case of conflict with other software on those ports or for other reasons, it could be required to set SEP to use a different port after it was installed. Migration to newer SEP release does not modify these settings. Repairing the SEPM installation could roll back them to the values set during the first installation. This article explains the details involved in making that change.
SEPM uses IIS to communicate with the SEP clients, so this port change is configurable in IIS. However, because Tomcat sits between IIS and the SEPM database, it is also necessary to change the IIS HTTP port value in Tomcat, so that Tomcat knows what port to use to communicate with IIS.
Note: to properly apply the procedure below, it is recommended to have a full working communication between clients and SEPM's, therefore it could be required to temporarily shut down the other application that is in conflict with the SEPM to use the current communication port.
Changing the management port for SEPM requires the following steps:
- Create a Management Server List (MSL) with the new port information.
- Update the clients with the new management port information.
- Monitor that clients are getting the new MSL.
- On SEPM, change the port in IIS
- On SEPM, change the IIS HTTP port in Tomcat
NOTE: It is important that the clients are updated with the new management port information BEFORE changing the port on SEPM otherwise they will miss the new communication details required.
Create a new Management Server List
To change the port that clients use to communicate with the Manager, it is required to modify the MSL's, to avoid spelling mistakes Support recommends to duplicate them instead of creating them manually:
- In the SEPM console, click Policies
- Under View Policies, click Policy Components
- In the list that appears, click Management server lists
- For each listed MSL, under Tasks, click Copy the list, right click on a white space and Paste the list.
- For each new MSL, double click on it to edit its content.
- For each server listed in the MSL, duplicate each entry by using the Add button and modify the field customize HTTP (or HTTPS) port for each duplicated entry according to your needs (the target of doing it, is to have in each MSL's, all servers listed twice with the old and the new port, in this way the clients will get both settings for fail over until the port change is not completed for the whole environment).
- Do other modifications on your MSL's now if required (like names, descriptions, etc.)
Updating new SEP Clients with the Port Change
There are multiple options for applying the Management Server List to the SEP Clients:
- Assign the MSL to existing groups to update the clients that belong to them (write down time and date of this activity, it will be useful during the next step)
- Assign the MSL to a new or existing groups, and build a new client installation package with settings from that group that has to used for further SEP deployments
- Assign the MSL to new or existing groups, export the communication settings in a file called sylink.xml and replace it in the clients (required for clients which are having issues to connect to the SEPM): http://www.symantec.com/business/support/index?page=content&id=TECH106288&locale=en_US
NOTE: The clients will get the change on their next check-in or once they process the new Sylink.xml. They should still be able to connect to the SEPM if the new communications settings still have the details of the old port.
To monitor that all clients got the new communication settings:
assuming that your clients are able to check-in to the SEPM's, they will automatically get the new policies including the new MSL. You can use Reports and Monitors in the SEPM console to monitor the status of your clients and verify that they checked-in to the SEPM after you assigned the new MSL or if the expected policy serial number is in place. Once it is confirmed that all clients were able to get the new MSL, it is possible to move to the next step.
To change the SEPM communications port in IIS 6 (Windows Server 2003):
- Stop IIS Admin service
- Open the Internet Information Services Manager
- Right-click on the web site (either the Default Web Site, the Symantec Web Server or another custom Web Site) corresponding to the Symantec Endpoint Protection Manager and choose Properties.
- Under the Web Site tab in the section Web Site Identification enter the desired port in the "TCP port:" box.
- Do not restart the IIS Admin service yet - please go on to the next section.
To change the SEPM communications port in IIS 7 (Windows Server 2008):
- Open the Server Manager, open Roles --> Web Server (IIS) --> Internet Information Services.
- Click on the web site (either the Default Web Site, the Symantec Web Server or another custom Web Site) corresponding to the Symantec Endpoint Protection Manager..
- On the right side, under Manage Web Site, click Stop
- Under Edit Site, click Bindings.
- In the Site Binding window, click the entry for http and choose Edit on the right.
- In the "Port:" box, enter the desired new port. Click OK to save the change.
- Do not restart the Web Site yet - please go on to the next section.
To change the port that Tomcat uses to communicate with IIS:
- Close and Exit the Symantec Endpoint Protection Manager
- Stop the Symantec Endpoint Protection Manager service
- Navigate to C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc
- Open the file conf.properties file.
- Look for the line: scm.iis.http.port=
- Edit the value in the line: scm.iis.http.port= so that it is equal to the value set in IIS.
Start the Services
- Start the IIS Admin service
- Start the Symantec Endpoint Protection Manager service.
SEPM will now be communicating on the new port configured. The clients will start checking in on their check in cycle.
To verify clients communication:
To verify clients communication, check for the green dot status on the client, or use a packet capture utility on the client and filter for tcp.port == 8014. You should see "POST /secreg/secreg.dll" calls occurring during the check in intervals on the configured port.
Secars test could be also used to verify that the SEPM is properly listening on the new port, to run it, open your browser and type the following URL:
OK is the expected positive result.
After clients communication is confirmed:
After it is verified that clients are able to communicate with SEPM's via the new port, it is possible to come back to the MSL's to remove the duplicated entries of servers which are still referred to the old port.
This article refers to Symantec Endpoint Protection 11.x.
For newer versions, see Symantec Endpoint Protection 12.1: How to Change the ports used for communication between the Manager and clients