Clients do not connect after restoring the Symantec Endpoint Protection Manager (SEPM) database to a new server
Last Updated December 09, 2015
You build a new server and move the Symantec Endpoint Protection Manager database using the Database Back Up and Restore Wizard. However, the clients do not display a green dot on the notification shield icon after the move.
The new server has a different machine name but the same IP address.
Clients show a green dot in the Symantec Endpoint Protection Manager.
The clients' Sylink logs include the following message: "Signature verification failed for index file content."
Sylink.xml appears to be correct but the server name in the certificate is wrong.
The server certificate is invalid or failed to update.
To verify the issue:
Log on to the Symantec Endpoint Protection Manager, then click on Clients.
Select a group with clients, or a parent group if policies are inherited.
Click the Policies tab and then click General Settings.
On the Security Settings tab, uncheck Enable secure communications between the management server and clients by using digital certificates for authentication.
Click OK to save the change.
Right-click the group name, and then click Export Communications Settings.
Save the file to a convenient location (such as the desktop) as Sylink.xml.
Using SylinkDrop, update the communications settings on a client machine.
Once the services restart, you should see a green dot on the client shield.
To resolve the issue:
I. Run the Management Server Configuration Wizard
Exit the Symantec Endpoint Protection Manager and stop the Symantec Endpoint Protection Manager service.
Reconfigure the management server and ensure the correct server name is listed.
Select the appropriate database type and provide the database password (or admin if unspecified).
Complete the wizard and log on to the Symantec Endpoint Protection Manager. Note: If there is an error applying ACLs to the data folder, verify that the folder %programfiles%\Symantec\Symantec Endpoint Protection Manager\data grants Full Control to Everyone on the folder and all subfolders. You may need to stop the World Wide Web Publishing service to apply the changes.
II. Back up existing certificate
In Symantec Endpoint Protection Manager, click Admin > Servers, and then click on the name of the server under Servers > Local Site.
Click Manage Server Certificate under Tasks, and then select Back up the server certificate.
Follow the steps to back up the existing certificate to a new location.
III. Update the server certificate
While still in Admin > Servers, click Manage Server Certificate under Tasks again. This time, select Update the server certificate.
Select the JKS keystore type and then click Next.
Click Browse, navigate to %programfiles%\Symantec\Symantec Endpoint Protection Manager\Server Private Key Backup, and choose the keystore that matches the date and time you reinstalled the Symantec Endpoint Protection Manager. The file name should have the format ServerCertBackup_timestamp.zip. Older Endpoint Protection versions may have files with a .jks file type.
If Keystore password and Key password do not automatically populate, locate the required value:
In a separate Windows Explorer window, navigate to the same file location as in the previous step.
Double-click the server-timestamp.xml file that matches the timestamp of the keystore you chose. Note: This file may be inside the .zip file. If so, double-click on the .zip file to open it.
Locate the value for keystorePass= and copy the data between the quotes.
Paste this data in both Keystore password and Key password fields. Note: The only supported paste mechanism is Ctrl + V.
Click Next to finish the update process, exit the Symantec Endpoint Protection Manager and restart the Symantec Endpoint Protection Manager service.
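The keystorePass lookup in step III can be scripted instead of done by hand. The PowerShell below is an added example, not part of the Symantec article or product; the function name Get-SepmKeystorePass and the sample file contents are hypothetical and constructed for the demonstration.

```powershell
# Added example: read keystorePass from the server-timestamp.xml file that sits
# beside, or inside, a certificate backup. The function name is hypothetical.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-SepmKeystorePass {
    param([Parameter(Mandatory)][string]$Path)   # a .zip backup or a server*.xml file

    if ([IO.Path]::GetExtension($Path) -eq '.zip') {
        # The article notes the XML file may be inside the .zip: read it in place.
        $zip = [IO.Compression.ZipFile]::OpenRead((Resolve-Path $Path).Path)
        try {
            $entry = $zip.Entries | Where-Object { $_.Name -like 'server*.xml' } |
                Select-Object -First 1
            if (-not $entry) { throw "No server*.xml entry in $Path" }
            $reader = New-Object IO.StreamReader($entry.Open())
            try { $text = $reader.ReadToEnd() } finally { $reader.Dispose() }
        } finally { $zip.Dispose() }
    } else {
        $text = Get-Content -Raw -LiteralPath $Path
    }

    # Per the article: take the data between the quotes after keystorePass=
    $m = [regex]::Match($text, 'keystorePass\s*=\s*"([^"]*)"')
    if (-not $m.Success) { throw "keystorePass attribute not found in $Path" }
    $m.Groups[1].Value
}

# Constructed sample input: a throwaway backup zip holding a made-up value.
# The fragment only imitates the keystorePass="..." attribute the article names.
$tmp = Join-Path ([IO.Path]::GetTempPath()) ("sepm-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $tmp | Out-Null
$sample = 'keystoreFile="keystore.jks" keystorePass="CONSTRUCTED-EXAMPLE-VALUE"'
Set-Content -LiteralPath (Join-Path $tmp 'server-constructed.xml') -Value $sample
$zipPath = "$tmp.zip"
[IO.Compression.ZipFile]::CreateFromDirectory($tmp, $zipPath)

$pass = Get-SepmKeystorePass -Path $zipPath
"Recovered value has $($pass.Length) characters"   # avoid echoing the secret itself
Remove-Item -Recurse -Force $tmp, $zipPath
```

On a real server, point -Path at the chosen backup file and pipe the result to Set-Clipboard so it can be pasted into both password fields with Ctrl + V.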
IV. Update the clients with the new Sylink.xml file
Log back on to the Symantec Endpoint Protection Manager.
Perform one of the following tasks:
Use the Client Deployment Wizard to push out the new sylink.xml to all of the clients. On the Home tab, next to Common Tasks, click Install protection client to computers, and then choose the Communication Update Package Deployment option. Follow the steps to complete the wizard.
Export the communications settings from a client group as you did to verify the issue, then use SylinkDrop to push the file to them.
After the Sylink file updates, the clients should then begin to display the green dot.
You can find the SylinkDrop tool in the Tools directory of the downloaded installation disk that you get from FileConnect.
Running the Management Server Configuration Wizard updates the server name in the database with the correct name.
Applying the server certificate from the new install forces a clean certificate to be loaded with the new server name.
Imported Document ID: TECH123416