How to enable Symantec Endpoint Protection (SEP) clients to communicate with their managers over an HTTPS connection?
SEP clients communicate with their Symantec Endpoint Protection Manager (SEPM) through the SEPM Apache server. By default, the Apache server listens on port 8014 for unencrypted HTTP connections. Clients communicate with the SEPM Apache server by sending action codes, uploading logs and Operational State (OpState) data, and downloading policy and content files. All policies and delta content updates downloaded by clients are digitally signed and/or encrypted by the manager. If you require a higher level of security, the SEPM Apache server can be configured to accept Transport Layer Security (TLS) and/or Secure Sockets Layer (SSL) encrypted HTTPS connections. This ensures that both the content of SEP communications and the tunnel they are sent through are encrypted.
Note: As of 12.1.6, the SEPM only accepts TLS connections. Clients on Windows versions that do not support TLS natively cannot communicate with a 12.1.6 or newer SEPM over HTTPS.
For more information on how Symantec Endpoint Protection uses encryption and certificates, see How Symantec Endpoint Protection uses encryption and certificates.
Configuring the Manager
Determining which port to use for HTTPS traffic
The assigned port for HTTPS traffic is 443. If your manager hosts other HTTPS Web sites, port 443 may already be assigned to one of these. Use the following steps to confirm port 443 is available on the manager computer and, if necessary, change the HTTPS port used by the SEPM Apache server.
- Open a command prompt and enter the following:
netstat -an | find ":443" | find "LISTENING"
If this command returns a result, you will need to modify the existing application to use a non-standard HTTPS port, or configure the Apache server to use a non-standard HTTPS port.
Changing the default HTTPS port (If needed)
- Open the following text file for editing: <Symantec Endpoint Protection Manager Installation folder>\apache\conf\ssl\sslForClients.conf.
- Change the following lines to list the specified alternate port instead of the default of 443:
Listen 443
<VirtualHost _default_:443>
- Save the file and close the text editor.
Enabling HTTPS in Apache
- Open the following text file for editing: <Symantec Endpoint Protection Manager Installation folder>\apache\conf\httpd.conf.
- Remove the # from the beginning of the following line:
- Restart the Symantec Endpoint Protection Manager Webserver service.
Confirm HTTPS is enabled
- Browse to the following URL in an SSL-enabled Web browser: https://<SEPM address>:<SSL Port>/secars/secars.dll?hello,secars
- The word OK should display on an otherwise blank page if the configuration was successful.
Note: If you have not updated the manager with a Certificate Authority (CA) signed certificate and private key pair, the Web browser will present a warning that the certificate is not trusted. The same warning is presented when you attempt to access the Web site from a URL that is different from the subject name on the manager certificate. This is expected behavior.
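The port check and the secars hello test above can be run together from the manager. The following script is an added example, not part of the Symantec article: it assumes Windows PowerShell 5.1 on the SEPM host, the Get-NetTCPConnection cmdlet (Windows 8/Server 2012 or later), and the default installation folder (adjust $SepmRoot if yours differs); $AllowUntrustedCert exists only to reproduce the browser-warning case with the default self-signed certificate.

```powershell
# Added example (not from the Symantec article). Assumed default SEPM path; change if needed.
param(
    [string]$SepmRoot = "${env:ProgramFiles(x86)}\Symantec\Symantec Endpoint Protection Manager",
    [string]$SepmAddress = $env:COMPUTERNAME,
    [switch]$AllowUntrustedCert   # only for the first test against the default self-signed certificate
)

# 1. Read the port Apache was told to listen on for client HTTPS traffic.
$conf = Join-Path $SepmRoot 'apache\conf\ssl\sslForClients.conf'
$listen = Select-String -Path $conf -Pattern '^\s*Listen\s+(\d+)' | Select-Object -First 1
if (-not $listen) { throw "No Listen directive found in $conf" }
$port = [int]$listen.Matches[0].Groups[1].Value
Write-Host "sslForClients.conf listens on port $port"

# 2. Report every listener on that port so a clash with another HTTPS site is visible
#    (same information as netstat -an | find ":443" | find "LISTENING", plus the owning process).
$listeners = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    Write-Host ("  {0}:{1} owned by PID {2} ({3})" -f $l.LocalAddress, $l.LocalPort, $l.OwningProcess, $proc.ProcessName)
}
if (-not $listeners) {
    Write-Warning "Nothing listens on $port; check that sslForClients.conf is included in httpd.conf and the Webserver service was restarted."
}

# 3. Call the secars hello URL from the article and expect the body 'OK'.
if ($AllowUntrustedCert) {
    # Equivalent to clicking through the browser warning; the real fix is a CA-signed certificate.
    # (PowerShell 7 ignores this callback; use Invoke-WebRequest -SkipCertificateCheck there instead.)
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
}
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12  # SEPM 12.1.6+ is TLS-only
$url = "https://${SepmAddress}:${port}/secars/secars.dll?hello,secars"
try {
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
    if ($resp.Content.Trim() -eq 'OK') { Write-Host "HTTPS client channel OK at $url" }
    else { Write-Warning "Unexpected response body: $($resp.Content)" }
} catch {
    Write-Warning "Request to $url failed: $($_.Exception.Message)"
    Write-Warning "A trust error means the certificate is not CA-signed or the URL host differs from the certificate subject."
} finally {
    # Always restore normal certificate validation for the rest of the session.
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
}
```

Run it without the switch once a CA-signed certificate is in place; a clean "HTTPS client channel OK" then confirms both the listener and the trust chain clients will rely on when Verify certificate is enabled in the MSL.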
Configuring the Clients
Clients choose their manager based on the entries in their Management Server List (MSL). Create a new MSL, or edit an existing MSL to point clients to their manager(s) over SSL.
Creating/Editing the Management Server List
- Log in to the SEPM console and click Admin>Policies.
- Expand Policy Components, and click Management Server Lists.
- Click Add a Management Server List, or select a pre-existing MSL and click Edit the List.
- Select Use HTTPS Protocol.
Note: Do not check Verify certificate when using HTTPS protocol unless you have updated your manager with a CA signed certificate and private key pair. For more information on this process, see How to update Symantec Endpoint Protection Manager certificates without breaking server/client communication.
- Click Add>New Server or select an existing Manager from the Management Servers list and click Edit.
- Add the server address if required, check Customize HTTPS port, confirm the correct HTTPS port is listed, and click OK.
- Ensure this policy is assigned to the group(s) and location(s) you wish to communicate with the SEPM over HTTPS.
Confirm client>server communications
The SEP client will download the updated MSL from the SEPM during its next heartbeat after the changes were made. During its next heartbeat, it will evaluate the new MSL to determine which manager to communicate with, and over which protocol to communicate. It can take up to three heartbeat intervals for clients to receive and apply the new communications settings policy.
- Open the SEP client interface and click Help>Troubleshooting>Connection Status.
- Confirm the Last Attempted Connection and Last Successful Connection both show the new URL and port number configured above.
- This change can take up to 3 heartbeat intervals. To force the update, click Connect Now.