Friday, 21 March 2014

Troubleshooting Client/Server Connectivity in SEP 12

Understanding the concept

Symantec client to server connectivity issue can be caused because of many reasons and that occurs due to client server connectivity issue other than software damage. The symptoms that the clients are not communicating with the server is as below:

  1. Client is not receiving policy updates.
  1. Client is not showing a green dot in the Taskbar.
  2. Client is not showing a green dot in the Symantec Endpoint Protection Manager console.

Troubleshooting the clients

 1. Using 'SymHelp' tool

This is one of the powerful tool which is intended to check all the Symantec products, which will self diagnose the status of clients and provides you the suggestions to resolve the issues or proactively to ensure that your computer is ready to install the supported Symantec product. Hence kindly download it from the below link and check run it on client computers.


To check the communication issue manually follow these steps

2.  Check the client status in the management console

  1. In the management console, on the Clients page, under "View Clients", select the group in which the client belongs.
  2. Look on the Clients tab.

  1. The client name should appear in the list next to an icon that shows the client
          status as green indicates the communication is active.

 3. About the client status icon on the client

You can find the client status icon in the notification area of the taskbar on the client computer. The icon appears as a yellow shield icon with a green dot when the client can communicate with the management server.

 4. Viewing the policy serial number

You should check the 'policy serial number' on the client to see if it matches the serial number that appears in the management console. If the client communicates with the management server and receives regular policy updates, the serial numbers should match.

If the policy serial numbers do not match, you can try to manually update the policies on the client computer and check the troubleshooting logs.

To view the policy serial number in the management console

1. In the management console, click 'Clients'.
2. Under "View Clients", select the relevant group, and then select the 'Details' tab.


The 'policy serial number' and the 'policy date' appear at the bottom of the details list.


To view the policy serial number on the client

1.On the client computer, Open SEP client user interface, click on the 'Help and Support' button->select 'Troubleshooting'.
2.In the 'Management' section, look at the 'policy serial number'.

This policy serial number should match the serial number of the group that the client is allocated.



















Makes sure that you are comparing the 'Policy serial number'  of clients with the relevant 'computer groups' that it exists.

About performing a manual policy update to check the policy serial number

You can perform a manual policy update to check whether or not the client receives the latest policy update. If the client does not receive the update, there might be a problem with the client and server communication.

You can try a manual policy update by doing any of the following actions:

 a. In the client click on the 'Help and Support' button, click 'Troubleshooting'. Under Policy Profile, click 'Update'.
b. Else from the task menu right click the SEP client and select the option 'Update policy'.




















For the clients that are configured for pull mode, the management server downloads policies to the client at regular intervals (heartbeat). You can change the heartbeat interval so that policies are downloaded to the client group more quickly. After the heartbeat interval, you can check to see if the policy serial
numbers match. (For the clients that are configured for push mode, the clients receive any policy updates immediately.)

After you run a manual policy update, make sure that the policy serial number that appears in the client matches the serial number that appears in the management console.

5. Using the ping command to test the connectivity to the management server

  1. Open Command prompt
  1. Type 'Ping <server name>' ENTER and make sure that you are getting the proper reply from server
  2. If the ping fails to reach the server it indicates the there is communication issues. Make use of tracert to know the path and check where it is getting blocked.

6. Using a browser to test the connectivity to the management server

You can use a Web browser to test the connectivity to the management server by two methods.
To use a browser to test the connectivity to the management server:

Method 1
1.On the client computer open a Web browser, such as Internet Explorer.
2.In the browser command line, type a command that is similar to either of the following commands:

◦http://<management server IP address>:<port used by the SEPM website>/reporting/index.php

Note: Port 8014 is used by the web console to communicate with SEPM Reporting component.
























If the reporting log-on Web page appears, the client can communicate with the management server.

Method 2
On browser use the below URL

◦http://<management server name>:9090

For example: http://server-1:9090/



















This will redirect you to Symantec Endpoint Protection Manager Console web access page and if it appears it indicates that the client can communicate with the management server.

If a Web page does not appear, check for any network problems. Verify the DNS service for the client and check its routing path.

Checkout the below link to know more about the ports used in SEPM for different communications


7. Using Telnet to test the connectivity to the management server

You can use Telnet to test the connectivity to the IIS server on the management server. If the client can Telnet to the management server's HTTP or HTTPS port, the client and the server can communicate. The default HTTP port is 8014 (80 for the earlier builds of SEP); the default HTTPS port is 443.

Note: You might need to adjust your firewall rules so that the client computer can Telnet into the management server. You need to install 'telnet client' in windows 7 computers to do this operation(Make use of 'Turn windows features on or off' from 'Programs and features' to install this).

To use Telnet to test the connectivity to the management server

  1. On the client computer, make sure the Telnet service is enabled and started.
  1. Open a command prompt and enter the Telnet command. For example:

telnet <ip address> 8014

Where as <ip address> is the IP address of your SEPM server.

If the Telnet connection fails, verify the client's DNS service and check its routing path.

8. Verify the Windows Firewall is not enabled on the management server (SEPM) or the client.

In windows server 2003

Open command prompt and type 'netsh firewall set opmode mode = disable' which will off the firewall

In windows server 2008 and In Windows 7 computers

Open command prompt and type 'netsh advfirewall set <profile> state off ' where as <profile> is nothing but your active profiles. If SEPM and its associated processes (Tomcat, IIS, etc..) are the only applications on this server, we recommend using the "allprofiles" profile for the command line; otherwise choose the appropriate profile.

No comments:

Post a Comment