For Symantec Advanced Threat Protection (ATP) to communicate with your endpoints, you must configure a connection to the Symantec Endpoint Protection Manager management server. The following is important information that you should know about setting up this connection.
Symantec recommends that all Symantec Endpoint Protection endpoint configuration settings use HTTPS and port 443 for communicating with ATP version 3.0 and later. For Symantec Endpoint Protection endpoints to communicate with ATP over this secure protocol, the endpoints must have a valid SSL certificate installed.

The Symantec Endpoint Protection communication configuration dialog in ATP lets you set the Symantec Endpoint Protection port and protocol on Symantec Endpoint Protection Manager through Symantec Endpoint Protection's private APIs. When those communication settings are saved on ATP, ATP's SSL certificate is also pushed to the endpoints so that they can communicate with ATP securely over HTTPS. The certificate pushed to the endpoints is the one configured on ATP at the time the settings are saved: either the default built-in, self-signed ATP certificate or another trusted certificate that was uploaded through ATP Manager.

Only Symantec Endpoint Protection endpoints that run 14.0 RU1 or later can use ATP's private APIs to receive ATP's SSL certificate automatically through this mechanism. If your environment includes endpoints that run an earlier version of Symantec Endpoint Protection, you must install ATP's SSL certificate on them separately so that they communicate securely with ATP.
Up to ten connections to Symantec Endpoint Protection Manager have been tested and are supported, but you can have any number of connections in your configuration.
If you have multiple connected Symantec Endpoint Protection Manager instances at a site (that is, the Symantec Endpoint Protection Manager instances share a database), create a connection to only one Symantec Endpoint Protection Manager per site in ATP Manager. If multiple Symantec Endpoint Protection Managers from the same site attempt to connect to the same ATP management platform, they compete for authentication credentials and might not operate properly.
With multiple connected Symantec Endpoint Protection Manager (SEPM) instances per site, commands from ATP are sent to the shared database by the SEPM instance that is connected to ATP, so all SEPM instances that share that database perform the command correctly. However, only the SEPM instance that executed the command may show a record of the command in its Symantec Endpoint Protection Manager console.
For more information on how to set up sites and configure replication in Symantec Endpoint Protection Manager, see the following sections in the Symantec™ Endpoint Protection 14.0.1.x/14.1 Installation and Administration Guide: Configuring the management server and Managing sites and replication.
Consider your ATP deployment strategy carefully when working with a complex Symantec Endpoint Protection environment. You can reduce the time it takes to propagate commands by not using replication in Symantec Endpoint Protection and instead having ATP connect individually to each Symantec Endpoint Protection Manager instance. However, that may not be compatible with your current Symantec Endpoint Protection strategy.
You must create a separate Symantec Endpoint Protection Manager connection for each configured domain. See the Symantec Endpoint Protection documentation for a complete description of the domains that Symantec Endpoint Protection defines.
If you don't create a Symantec Endpoint Protection Manager connection for a defined domain in your environment, the commands that are sent to Symantec Endpoint Protection Manager are not forwarded to resources in the domain.
You may see an error when sending a command to resources in domains without configured connections. Check the Logging > Actions page to determine which resources have not executed the command. Define a Symantec Endpoint Protection Manager connection for the domain that is associated with those resources to resolve the issue.
Symantec Endpoint Protection Manager and Symantec Endpoint Protection endpoints must be on separate computers for the EDR commands to function properly. Otherwise, when an endpoint is isolated (quarantined), there is no way to rejoin (unquarantine) it. The reason is that isolating the endpoint also isolates the Symantec Endpoint Protection Manager, so the connection between ATP and Symantec Endpoint Protection Manager is blocked.
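The constraints above (HTTPS on 443, one connection per shared-database site, one connection per domain, 14.0 RU1 or later for automatic certificate delivery, and SEPM never co-located with an endpoint) can be checked against a planned connection set before anything is configured. The following is an added planning check, not Symantec code or any ATP API; the host names, the site/domain labels and the "14.0 RU1"-style version labels are constructed assumptions.

```python
"""Added example (not Symantec code): lint a planned ATP <-> SEPM connection
set against the constraints described in this article."""
from typing import Dict, List, Tuple

# SEP 14.0 RU1 is the first release that receives ATP's certificate via the private API.
MIN_AUTO_CERT = (14, 0, 1)

def parse_sep_version(label: str) -> Tuple[int, int, int]:
    """Turn a label such as '14.0 RU1', '14.0 MP1' or '14.2' into (major, minor, ru).
    Assumed labelling scheme; adapt if you track full build numbers instead."""
    base, _, ru = label.partition(" RU")
    major, minor = (int(x) for x in base.split()[0].split(".")[:2])
    return major, minor, int(ru) if ru else 0

def lint_atp_plan(connections: List[Dict], domains: List[str], endpoints: List[Dict]) -> List[str]:
    """Return one finding per violated rule; an empty list means the plan is consistent."""
    findings: List[str] = []
    sepm_hosts = {c["host"] for c in connections}
    per_site_domain: Dict[Tuple[str, str], int] = {}   # one connection per (site, domain)
    covered_domains = set()
    for c in connections:
        key = (c["site"], c["domain"])
        per_site_domain[key] = per_site_domain.get(key, 0) + 1
        covered_domains.add(c["domain"])
        if c.get("protocol", "https").lower() != "https" or c.get("port", 443) != 443:
            findings.append(f"{c['host']}: use HTTPS on port 443 for ATP 3.0+ communication")
    for (site, domain), n in per_site_domain.items():
        if n > 1:  # SEPMs at one site share a database and would compete for credentials
            findings.append(f"site {site}/{domain}: {n} SEPM connections share one database; keep only one")
    for d in domains:
        if d not in covered_domains:
            findings.append(f"domain {d}: no SEPM connection, commands will not reach its resources")
    for e in endpoints:
        if e["host"] in sepm_hosts:  # isolating it would also cut ATP off from SEPM
            findings.append(f"{e['host']}: endpoint on the SEPM host cannot be un-isolated")
        if parse_sep_version(e["version"]) < MIN_AUTO_CERT:
            findings.append(f"{e['host']}: SEP {e['version']} needs ATP's SSL certificate installed manually")
    return findings

# Constructed sample plan with one violation of each rule
SAMPLE_CONNECTIONS = [
    {"host": "sepm-a.example.local", "site": "HQ", "domain": "Default", "protocol": "https", "port": 443},
    {"host": "sepm-b.example.local", "site": "HQ", "domain": "Default", "protocol": "http", "port": 8014},
]
SAMPLE_DOMAINS = ["Default", "Finance"]
SAMPLE_ENDPOINTS = [
    {"host": "ws-101.example.local", "version": "14.2"},
    {"host": "ws-102.example.local", "version": "14.0"},
    {"host": "sepm-b.example.local", "version": "14.0 RU1"},
]

if __name__ == "__main__":
    for finding in lint_atp_plan(SAMPLE_CONNECTIONS, SAMPLE_DOMAINS, SAMPLE_ENDPOINTS):
        print(finding)
```

Run with your own inventory to see which domains and endpoints would be left unreachable or unable to talk to ATP over HTTPS before you save the connection settings.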