After creating controller connections from the Symantec Endpoint Detection and Response (SEDR) on-premise console to one or more Symantec Endpoint Protection Managers (SEPMs), the Enrollment Statistics page of the SEDR on-prem console shows all or some SEP clients as Authentication Pending. In some instances, the clients appear to register but do not send Data Recorder events. This may also be observed as a lack of events arriving at downstream log databases, such as Splunk or ICDx.
SEP clients remain in an Authentication Pending state due to one of the following circumstances:
A mismatch between the SEPM certificate and the name or IP address configured within SEDR SEP Policies for the SEPM Controller connection. If the SEPM server.crt certificate was created with a fully qualified domain name (FQDN), the name of the SEPM Controller connection within the ATP settings must match that FQDN. If the SEPM server.crt certificate was created with the IP address, the name of the SEPM Controller connection within the ATP settings must match that IP address.
ATP 3.x inadvertently overwrote the Proxy setting on the Proxy tab within the External Communications Policy for one or more client groups within SEPM.
SEPM has failed to push the External Communications Policy and certificate to the SEP client.
Communication from a SEP client passes through intervening network devices, such as an HTTPS proxy server, before arriving at the SEDR appliance, and one or more of those devices interferes with the communication.
Navigate to the ATP UI using the fully qualified domain name (FQDN). Does the browser accept the certificate?
Navigate to the ATP UI using the IP address. Does the browser accept the certificate?
If the browser accepts the certificate for the ATP UI only when using either the IP address or the FQDN, check the URL within the ATP UI (Settings > Global > (SEPM Controller connection) > SEP Policies) and confirm that it uses the form (FQDN or IP address) that the browser accepted.
Navigate to the SEPM web interface using the fully qualified domain name. Does the browser accept the certificate?
Navigate to the SEPM web interface using the IP address. Does the browser accept the certificate?
If the browser accepts the certificate for the SEPM web UI only when using either the FQDN or the IP address, change the name of the SEPM Controller connection within the ATP Settings > Global page to match the name contained in the server.crt of that SEPM instance.
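The two certificate checks above reduce to one question: does the name entered for the SEPM Controller connection appear in the SEPM's server.crt? The following script is an added example, not from the original article or from Symantec. It uses the openssl command-line tool to read the subjectAltName of a certificate file (falling back to the subject CN only when no SAN is present, as RFC 6125 requires) and compares it with a candidate name. The certificate it checks is a constructed self-signed one generated on the fly; the hostname sepm.example.com and the address 10.0.0.5 are assumed values. In practice, point cert_name_matches at an exported copy of the real SEPM server.crt and the name as typed into the ATP settings.

```shell
#!/bin/sh
# Added example: confirm that the name configured for a SEPM Controller
# connection (FQDN or IP address) is actually present in the SEPM server.crt.
# Requires the openssl command-line tool (1.1.1 or later for the demo's -addext).

# Print each DNS and IP entry of the certificate's subjectAltName, one per line.
cert_san_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' \
        | awk '/^[[:space:]]*(DNS|IP Address):/ { sub(/^[[:space:]]*(DNS|IP Address):/, ""); print }'
}

# Print the certificate's subject CN (consulted only when the certificate has no SAN).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_name_matches CERT NAME: exit 0 if NAME is covered by CERT, 1 otherwise.
# Comparison is case-insensitive and honours a single leftmost wildcard label
# (*.example.com covers host.example.com but not a.b.example.com).
cert_name_matches() {
    cert=$1
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    names=$(cert_san_names "$cert")
    # Per RFC 6125 the CN is only used when no subjectAltName exists.
    [ -z "$names" ] && names=$(cert_cn "$cert")
    for n in $names; do
        n=$(printf '%s' "$n" | tr 'A-Z' 'a-z')
        [ "$n" = "$want" ] && return 0
        case "$n" in
            \*.*) [ "${want#*.}" = "${n#\*.}" ] && [ "${want%%.*}" != "$want" ] && return 0 ;;
        esac
    done
    return 1
}

# --- Demo on a constructed self-signed certificate (assumed values, not a real SEPM cert) ---
demo_dir=$(mktemp -d)
DEMO_CERT="$demo_dir/server.crt"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$demo_dir/server.key" -out "$DEMO_CERT" \
    -subj "/CN=sepm.example.com" \
    -addext "subjectAltName=DNS:sepm.example.com,IP:10.0.0.5" >/dev/null 2>&1

# Try the names an administrator might have typed into the SEPM Controller connection.
for name in sepm.example.com 10.0.0.5 sepm 10.0.0.6; do
    if cert_name_matches "$DEMO_CERT" "$name"; then
        echo "OK    $name is covered by server.crt"
    else
        echo "FAIL  $name is not in server.crt; rename the SEPM Controller connection to a name that is"
    fi
done
```

A name match is necessary but not sufficient: the browser (and the SEDR appliance) will still reject a certificate whose chain is untrusted or which has expired, so run `openssl x509 -in server.crt -noout -dates -issuer` alongside this check. The matcher deliberately handles only DNS and IPv4 SAN entries; an IPv6 address in the SAN contains colons and would need a different split.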
In the SEPM, select the Clients tab, then navigate to a client group that contains one of the clients that failed to register with ATP.
Click External Communication Policy.
Select the Insight Proxy tab. Does the list of Insight proxies include the IP address of the ATP appliance?
Select the Proxy tab. Is a proxy listed?
If a proxy is listed on the Proxy tab, place the test client into a new client group with the same settings, but omit the proxy from the Proxy tab. Update the policy on the SEP client, then click the Try Now button in the ATP Communications Status. If the SEP client's ATP connection status changes to Connected, further troubleshooting should focus on the configuration of the HTTPS proxy between the SEP client and SEDR.
Enabling additional columns on the Entities tab of the Search page within ATP 3.2:
Navigate to Search > Database > Entities.
Locate the columns headings Name, IP Address, Path, User, First Seen, and Enrollment.
Click the down ˅ symbol and select Customize Columns.
Locate the Customize Columns dialog box, then select and enable each of these options:
- Last EDR Contact
- Last SEPM Contact
- SEP Group
Note: Options are enabled by sliding the toggle to the right-hand position (green = on). Disabled options are in the left-hand position (grey = off).