Requirements
- The SEPM must be using a 3rd party certificate.
- The root certificate of that certificate's chain must be installed on each SEPM in the Trusted Root Certification Authorities store.
Warning
Enabling HSTS causes the following items to stop working properly:
- Built-in Help pages in the SEPM. Clicking Help -> Help Topics within the SEPM will display a browser page indicating “This content cannot be displayed in a frame.”
- SEPM Web Console (port 8443) when accessed by the SEPM IP address, because the certificate is issued for the hostname and, once HSTS is in effect, the browser refuses a certificate mismatch instead of offering a click-through.
- Using the SEPM Hostname to access the Web Console remains unaffected.
- Java remote console is unaffected.
Steps to enable HSTS for semsrv service on port 8443
- Stop the SEPM services.
  - Symantec Endpoint Protection Launcher
  - Symantec Endpoint Protection Manager
  - Symantec Endpoint Protection Manager API Service
  - Symantec Endpoint Protection Manager Webserver
- Open …\<SEPM install directory>\tomcat\conf\web.xml with a text editor.
- Navigate to the section "Built In Filter Definitions". The first filter there is httpHeaderSecurity, and it is commented out. On the line directly below the closing comment marker (-->), paste the following filter configuration.
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>
- Navigate to the section "Built In Filter Mappings". The first mapping there is httpHeaderSecurity, and it is commented out. On the line directly below the closing comment marker (-->), paste the following filter-mapping configuration.
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <url-pattern>*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
- Start the SEPM services.
  - Symantec Endpoint Protection Launcher
  - Symantec Endpoint Protection Manager
  - Symantec Endpoint Protection Manager API Service
  - Symantec Endpoint Protection Manager Webserver
- Verify the Web Console is working by logging into https://<Hostname>:8443.
Steps to enable HSTS for the semwebsrv service (httpd) on ports 8445 and 443
- Stop the SEPM services.
  - Symantec Endpoint Protection Launcher
  - Symantec Endpoint Protection Manager
  - Symantec Endpoint Protection Manager API Service
  - Symantec Endpoint Protection Manager Webserver
- Open …\<SEPM install directory>\apache\conf\ssl
- In a text editor, open ssl.conf and add the following line at the bottom, then save the file.
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
- In a text editor, open sslforclients.conf and add the following line at the bottom, then save the file.
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
- Start the SEPM services.
  - Symantec Endpoint Protection Launcher
  - Symantec Endpoint Protection Manager
  - Symantec Endpoint Protection Manager API Service
  - Symantec Endpoint Protection Manager Webserver
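Both procedures above end with the SEPM sending a Strict-Transport-Security header: the Tomcat filter on port 8443 sends max-age=31536000 with includeSubDomains, and the httpd Header lines on ports 8445 and 443 send max-age=63072000 with includeSubDomains and preload. The script below is an added example, not code from the Symantec article: it parses an HSTS header value the way RFC 6797 section 6.1 describes, checks it against a one-year baseline, and can fetch the header from a live SEPM over a verified TLS connection. The two sample header strings are constructed from the values in the article, and the host name sepm.example.internal in the final comment is a placeholder. Verification is left on deliberately: a browser ignores an HSTS header received over a connection with certificate errors (RFC 6797 section 8.1), which is the practical reason for the third-party certificate and trusted root requirements at the top of the article.

```python
"""Check the Strict-Transport-Security (HSTS) header that the SEPM Tomcat
filter (port 8443) and the httpd Header directive (ports 8445/443) emit.

Added example, not part of the Symantec article. The sample header strings
and the host name in the trailing comment are constructed for illustration."""
import http.client
import ssl
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples: what each configuration in the article sends.
SAMPLE_TOMCAT_HEADER = "max-age=31536000; includeSubDomains"
SAMPLE_HTTPD_HEADER = "max-age=63072000; includeSubDomains; preload"


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> HstsPolicy:
    """Parse an STS header value as RFC 6797 section 6.1 specifies.

    Directive names are case-insensitive, max-age is mandatory and may be
    quoted, a duplicate max-age is invalid, and unknown directives are ignored."""
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if name == "max-age":
            if max_age is not None:
                raise ValueError("duplicate max-age directive")
            if not raw.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {raw!r}")
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload)


def check_policy(policy: HstsPolicy, min_age: int = 31536000) -> List[str]:
    """Return findings against a baseline of a one-year max-age with
    subdomains covered. An empty list means the policy meets the baseline."""
    findings: List[str] = []
    if policy.max_age == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif policy.max_age < min_age:
        findings.append(f"max-age {policy.max_age} is below the {min_age}s baseline")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: subdomains stay unprotected")
    return findings


def fetch_hsts_header(host: str, port: int, path: str = "/") -> Optional[str]:
    """Fetch the STS header from a live SEPM over a verified TLS connection.

    Verification stays on: browsers ignore HSTS received over a connection
    with certificate errors (RFC 6797 section 8.1), so a header that is only
    reachable with verification disabled gives no protection in practice."""
    conn = http.client.HTTPSConnection(
        host, port, context=ssl.create_default_context(), timeout=10)
    try:
        conn.request("HEAD", path)
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


def audit(header: Optional[str]) -> List[str]:
    """Combine parsing and baseline checks; a missing header is itself a finding."""
    if header is None:
        return ["no Strict-Transport-Security header (filter or Header line not active)"]
    try:
        return check_policy(parse_hsts(header))
    except ValueError as exc:
        return [f"malformed header: {exc}"]


if __name__ == "__main__":
    for label, header in (("Tomcat 8443", SAMPLE_TOMCAT_HEADER),
                          ("httpd 8445/443", SAMPLE_HTTPD_HEADER)):
        print(label, audit(header) or "OK")
    # Against a real server (placeholder host name):
    # print(audit(fetch_hsts_header("sepm.example.internal", 8443)))
```

Run it as-is to see both configured values pass the baseline; uncomment the last line and substitute the SEPM hostname to confirm the header is actually being sent after the services restart. Use the hostname rather than the IP address, for the same certificate-matching reason given in the warning above.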