For Symantec Endpoint Detection and Response to communicate with your endpoints, you must configure a connection to the SEPM management server. The following is important information that you should know about setting up this connection.
Symantec recommends that all SEP endpoint configuration settings use HTTPS and port 443 for communicating with Symantec EDR version 3.0 and later. For SEP endpoints to communicate with Symantec EDR through this secure protocol, the endpoints must have a valid SSL certificate installed, allowing secure communication with Symantec EDR. The SEP communication configuration dialog on Symantec EDR provides a mechanism to configure the SEP port and protocol communication settings on SEPM using SEP's private APIs. In addition, when the SEP communication settings are saved on Symantec EDR, Symantec EDR's SSL certificate is also pushed to the endpoints so that they can securely communicate with Symantec EDR over HTTPS. The certificate that is pushed down to endpoints through this mechanism uses a certificate that is configured on Symantec EDR at the time the settings are saved. This certificate is either the default built-in, self-signed Symantec EDR certificate or another trusted certificate that has been uploaded through the EDR appliance console. Only SEP endpoints that run 14.0 RU 1 or later can take advantage of Symantec EDR's private APIs to automatically receive Symantec EDR's SSL certificate through this mechanism. If you have an environment with endpoints that run a previous version of SEP, you must install Symantec EDR's SSL certificate separately so that the endpoints securely communicate with Symantec EDR.
Important considerations about connections to multiple SEPM instances
Up to ten connections to SEPM have been tested and are supported, but you can have any number of connections in your configuration.
If you have multiple connected SEPM instances at a site (that is, the SEPM instances share a database), create a connection to only one SEPM per site in the EDR appliance console. If multiple SEPMs from the same site attempt to connect to the same Symantec EDR management platform, they compete for authentication credentials and might not operate properly.
With multiple connected SEPM instances per site, commands from Symantec EDR are sent to the shared database by the SEPM instance that is connected to Symantec EDR. Therefore, all shared SEPM instances perform the command properly. But only the SEPM instance that executed the command may have the record of the command in the SEPM console.
Click the following link to learn more about how to use replication between SEPM instances.
For more information on how to set up sites and configure replication in SEPM, see the following sections in the Symantec™ Endpoint Protection 14.0.1.x/14.1 Installation and Administration Guide: Configuring the management server and Managing sites and replication. You can find the guide here.
Consider carefully your deployment strategy of Symantec EDR when working with a complex SEP environment. You can reduce the amount of time to propagate commands by not using replication in SEP and having Symantec EDR individually connect to each SEPM instance. However, that may not be compatible with your current SEP strategy.
Important considerations about multiple domains in your SEP management server
You must create a separate SEPM connection for each configured domain. See the Symantec Endpoint Protection documentation for a complete description of the domains that SEP defines.
If you don't create a SEPM connection for a defined domain in your environment, the commands that are sent to SEPM are not forwarded to resources in the domain.
You may see an error when sending a command to resources in domains without configured connections. Check the Logging > Actions page to determine which resources have not executed the command. Define a SEPM connection for the domain that is associated with those resources to resolve the issue.
Location of SEPM and SEP endpoints
SEPM and SEP endpoints must be on separate computers for the ECC commands to function properly. Otherwise, when an endpoint is isolated (quarantined), there is no way to rejoin (unquarantine) it. The reason is that isolating the endpoint also isolates the SEPM, so the connection between Symantec EDR and SEPM is blocked.
Click the following link to begin the Symantec EDR / SEPM integration workflow.