Endpoint Protection


HOW TO determine what port clients are communicating with SEPM on

  • 1.  HOW TO determine what port clients are communicating with SEPM on

    Posted Dec 20, 2012 11:45 AM

    Our production SEPM is running RU7 MP1.

    What report will show what port clients are communicating with the SEPM on?

    We are trying to troubleshoot an issue to determine which clients are communicating with SEPM on port 80, rather than the recommended port of 8014.

     

     



  • 2.  RE: HOW TO determine what port clients are communicating with SEPM on

    Broadcom Employee
    Posted Dec 20, 2012 11:50 AM

    The clients online on the SEPM will show the clients connecting on the port the SEPM is hosted on; the rest of the clients will be offline. You can run Unmanaged Detector.



  • 3.  RE: HOW TO determine what port clients are communicating with SEPM on

    Posted Dec 20, 2012 11:51 AM

    There is no report in SEPM

    You would need to check via something like Wireshark



  • 4.  RE: HOW TO determine what port clients are communicating with SEPM on

    Posted Dec 20, 2012 11:57 AM

    Hi,

    You can't get any report in SEPM.

    Port 8014 is used in MR3 and later builds; port 80 is used in older versions.

     

    Port Number:       80, 8014
    Port Type:         TCP
    Initiated By:      SEP Clients
    Listening Process: svchost.exe (IIS), httpd.exe (Apache)
    Description:       Communication between the SEP manager and SEP clients and Enforcers
                       (8014 in MR3 and later builds, 80 in older).
                       The 11.x product line uses IIS. The 12.x product line uses Apache.

     



  • 5.  RE: HOW TO determine what port clients are communicating with SEPM on

    Posted Dec 20, 2012 11:59 AM

    OK, if that is the case, what is the registry key value that displays the port number that the SEP client last communicated with the SEPM console on?

     

    There are registry values, such as last SEPM communicated with, i.e.

    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink

    Registry Name: LastServerIP

     

    Tell me the registry value of the port where the client last communicated with SEPM on (at some point, Symantec recommended we configure settings such that the client communicates on port 80) and I can create a simple script and post it for the Symantec community. :-)

     

    Running Unmanaged Detector on SEP 11 is really user-unfriendly (you cannot copy and paste the results).



  • 6.  RE: HOW TO determine what port clients are communicating with SEPM on

    Posted Dec 20, 2012 12:02 PM

    Check the CommunicationStatus key under

    HKEY_LOCAL_MACHINE\software\symantec\symantec endpoint protection\SMC\SYLINK\SyLink

    Should show [servername:port]



  • 7.  RE: HOW TO determine what port clients are communicating with SEPM on

    Posted Dec 20, 2012 12:10 PM

    Check the CommunicationStatus key under

    HKEY_LOCAL_MACHINE\software\symantec\symantec endpoint protection\SMC\SYLINK\SyLink

    Should show [servername:port]

     

     

    Brian, I don't see it anywhere.



  • 8.  RE: HOW TO determine what port clients are communicating with SEPM on

    Posted Dec 20, 2012 12:30 PM

    Do you see the CommunicationStatus key?



  • 9.  RE: HOW TO determine what port clients are communicating with SEPM on

    Broadcom Employee
    Posted Dec 20, 2012 12:41 PM

    Why not look into the sylink.xml file?

    And yes, the "CommunicationStatus" shows serverip:port



  • 10.  RE: HOW TO determine what port clients are communicating with SEPM on

    Posted Dec 20, 2012 01:30 PM

    I only see the CommunicationStatus key on test clients with SEP 12.

    I cannot see CommunicationStatus key on production clients with SEP 11 RU7 MP1.

    There must be some other registry key.

     

    There are over 1000 SEP 11 RU7 clients that I must check - please help!!!!!!!



  • 11.  RE: HOW TO determine what port clients are communicating with SEPM on

    Posted Dec 20, 2012 10:04 PM

    Hmm... you may do a simple check via "netstat -an"



  • 12.  RE: HOW TO determine what port clients are communicating with SEPM on

    Posted Dec 21, 2012 06:04 AM

    Unfortunately, while a netstat will show you if the SEPM is listening on port 80, it will not specifically show you which clients are trying to use port 80 unless they happen to be connected at the time the netstat is run.

    While Wireshark will do the trick ("Thumbs Up" to Brian), you might have better luck just enabling logging within IIS on your SEPM (as you're using SEP11 anyway).  IIS logs will show the client IP address and port used to communicate, so you can see which clients are using which port.
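
Added example, not part of the original thread and not Symantec or Microsoft code: a Python sketch of the IIS-log approach described in the post above, grouping client IPs by the server port they connected to. It assumes the site logs in W3C extended format with the `s-port` and `c-ip` fields selected; the sample log lines, IP addresses and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended log format (not from a real SEPM).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2012-12-21 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip sc-status
2012-12-21 10:00:01 10.0.0.5 POST /secars/secars.dll 8014 10.0.1.20 200
2012-12-21 10:00:02 10.0.0.5 POST /secars/secars.dll 80 10.0.1.21 200
2012-12-21 10:00:07 10.0.0.5 POST /secars/secars.dll 80 10.0.1.22 200
2012-12-21 10:05:02 10.0.0.5 POST /secars/secars.dll 80 10.0.1.21 200
#Fields: date time c-ip s-port cs-method cs-uri-stem sc-status
2012-12-21 11:00:00 10.0.1.22 8014 POST /secars/secars.dll 200
truncated line
"""

def clients_by_port(lines):
    """Return {server port: {client IP: request count}} from W3C log lines."""
    fields = []
    result = defaultdict(lambda: defaultdict(int))
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # The column layout can change mid-file; always use the latest header.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        row = dict(zip(fields, values))
        port, client = row.get("s-port", ""), row.get("c-ip", "")
        if not port.isdigit() or not client:
            continue  # the needed fields were not enabled for this log section
        result[int(port)][client] += 1
    return {port: dict(clients) for port, clients in result.items()}

def clients_on_port(lines, port):
    """Sorted list of client IPs that made at least one request to `port`."""
    return sorted(clients_by_port(lines).get(port, {}))

if __name__ == "__main__":
    for ip in clients_on_port(SAMPLE_LOG.splitlines(), 80):
        print(ip)
```

Unlike a one-off netstat, the log covers every request in the logging window, so a client that appears under both ports (10.0.1.22 in the sample) shows up as having switched.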



  • 13.  RE: HOW TO determine what port clients are communicating with SEPM on

    Posted Dec 21, 2012 10:15 AM

    SMLatCST says

    ... you might have better luck just enabling logging within IIS on your SEPM (as you're using SEP11 anyway)...

     

    Ah ha!!!!!!

     

    Now my question is, how do I enable logging? I am not familiar with IIS. Can you provide links to documentation?



  • 14.  RE: HOW TO determine what port clients are communicating with SEPM on

    Posted Dec 21, 2012 10:26 AM

    Erm, it's different for Win2k3 and 2k8 soooo:

    http://support.microsoft.com/kb/324279

    http://technet.microsoft.com/en-us/library/cc754631(v=ws.10).aspx



  • 15.  RE: HOW TO determine what port clients are communicating with SEPM on

    Posted Dec 21, 2012 10:27 AM

    Ok SMLatCST I will check these links



  • 16.  RE: HOW TO determine what port clients are communicating with SEPM on

    Posted Dec 21, 2012 10:32 AM

    Cool cool, it's worth noting that after installing the IIS logging feature in IIS7 (Win2k8) you then have to enable logging for the individual site(s) you want data for, so make sure you read through the "See Also" section of the second link.