Follow the steps in this article to enable HTTPS communications between Symantec Endpoint Protection (SEP) clients and their managers.
Note: HTTPS communications is enabled on new installations of Symantec Endpoint Protection Manager (SEPM) 14. Migrations from 12.1 will use the HTTP/HTTPS communications settings from the previous version.
SEP clients communicate with their Symantec Endpoint Protection Manager (SEPM) through the SEPM Apache server. By default, the Apache server listens on port 8014 for unencrypted HTTP connections. Clients communicate with the SEPM Apache server by sending action codes, uploading logs and Operational State (OpState) data and downloading policy and content files. All policies and delta content updates downloaded by clients are digitally signed and/or encrypted by the manager. If you require a higher level of security, the SEPM Apache server can be configured to accept Transport Layer Security (TLS) and/or Secure Sockets Layer (SSL) encrypted HTTPS connections. This ensures that both the content of SEP communications is encrypted as well as the tunnel the communications are sent through.
Note: As of 12.1.6, the SEPM only accepts TLS connections. Clients on Windows versions that do not support TLS natively cannot communicate with a 12.1.6 or newer SEPM over HTTPS.
For more information on how Symantec Endpoint Protection uses encryption and certificates, see How Symantec Endpoint Protection uses encryption and certificates.
Enable HTTPS in Apache
- Open C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\httpd.conf in a text editor.
- Remove the # from the beginning of the following line:
- Restart the Symantec Endpoint Protection Manager Webserver service.
Confirm HTTPS is enabled
- Browse to the following URL in an SSL-enabled Web browser: https://<SEPM address>:<SSL Port>/secars/secars.dll?hello,secars
- The word OK should display on an otherwise blank page if the configuration was successful.
Note: If you have not updated the manager with a Certificate Authority (CA) signed certificate and private key pair, the Web browser will present a warning that the certificate is not trusted. The same warning is presented when you attempt to access the Web site from a URL that is different than the subject name on the manager certificate. This is expected behavior.
Clients choose their manager based on the entries in their Management Server List (MSL). Create a new MSL, or edit an existing MSL to point clients to their manager(s) over SSL.
Create/Edit the Management Server List
- Log in to the SEPM console and click Admin>Policies.
- Expand Policy Components, and click Management Server Lists.
- Click Add a Management Server List, or select a pre-existing MSL and click Edit the List.
- Select Use HTTPS Protocol.
Note: Do not check Verify certificate when using HTTPS protocol unless you have updated your manager with a CA signed certificate and private key pair. For more information on this process, see How to update Symantec Endpoint Protection Manager certificates without breaking server/client communication.
- Click Add>New Server or select an existing Manager from the Management Servers list and click Edit.
- Add the server address if required, Check Customize HTTPS port, and confirm the correct HTTPS port is listed, click OK.
- Ensure this policy is assigned to the group(s) and location(s) you wish to communicate with the SEPM over HTTPS.
Confirm client>server communications
The SEP client will download the updated MSL from the SEPM during its next heartbeat after the changes were made. During its next heartbeat, it will evaluate the new MSL to determine which manager to communicate with, and over which protocol to communicate. It can take up to three heartbeat intervals for clients to receive and apply the new communications settings policy.
- Open the SEP client interface and click Help>Troubleshooting>Connection Status.
- Confirm the Last Attempted Connection and Last Successful Connection both show the new URL and port number configured above.
- This change can take up to 3 heartbeat intervals. To force the update, click Connect Now.