Endpoint Protection

  • 1.  Symantec EndPoint Protection on Domain Controller

    Posted Jun 29, 2009 03:24 PM
    I have Symantec EndPoint Protection on my PDC. This PDC is also my DNS server. The trouble I'm having is that VPN-connected clients are getting some blocked IP traffic, and I've narrowed it down to SEP's Network Threat Protection. When I disable the NTP, the VPN clients are no longer blocked. I figured that I would configure the NTP to allow the traffic as opposed to totally disabling NTP.

    I figured I'd start with the least amount of rules and then add what I can. On the SEP Manager, I disabled the Firewall Policy for the group that the PDC is in. I also edited the client options for NTP: on the Firewall tab I only have the first three options checked (Enable Smart DHCP, DNS, and WINS). On the Intrusion Prevention tab, nothing is checked. At this point, the traffic is still blocked - I looked at the logs:

    Application C:\Windows\system32\drivers\ipnat.sys is being blocked by rule GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-TCP

    I see nowhere to configure this 'rule'.
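
    As an added example (not from this thread or from Symantec), here is a small Python script that parses client traffic-log lines of the shape quoted above ("Application <path> is being blocked by rule <rule id>") and tallies which rule blocked which application, so you can see whether the blocks still come from the same rule after changing the policy. The line format, the "allowed" variant, and every sample entry other than the one quoted in the post are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Regex for the sentence shape quoted in the thread:
#   "Application <path> is being blocked by rule <rule id>"
# Assumption: permitted traffic is logged the same way with "allowed".
ENTRY_RE = re.compile(
    r"^Application\s+(?P<app>.+?)\s+is being\s+(?P<action>blocked|allowed)"
    r"\s+by rule\s+(?P<rule>\S+)\s*$"
)

# Constructed sample log. Only the first line matches the one quoted in the
# post; "EXAMPLE-ALLOW-DNS" and "EXAMPLE-BLOCK-UDP" are hypothetical rule ids.
SAMPLE_LOG = (
    r"Application C:\Windows\system32\drivers\ipnat.sys is being blocked by rule GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-TCP" "\n"
    r"Application C:\Windows\system32\drivers\ipnat.sys  is being blocked by rule  GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-TCP" "\n"
    r"Application C:\Windows\system32\svchost.exe is being allowed by rule EXAMPLE-ALLOW-DNS" "\n"
    r"Application C:\Windows\system32\drivers\ipnat.sys is being blocked by rule EXAMPLE-BLOCK-UDP" "\n"
    "Traffic log started" "\n"          # unrelated line, must be skipped
)


def parse_entry(line):
    """Return (app, action, rule) for one log line, or None if it does not match."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return m.group("app"), m.group("action"), m.group("rule")


def tally_blocks(log_text):
    """Map each blocking rule id to {application path: number of blocked events}."""
    tally = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        app, action, rule = parsed
        if action == "blocked":
            tally[rule][app] += 1
    return {rule: dict(apps) for rule, apps in tally.items()}


def image_name(path):
    """File name component of a Windows path, lower-cased."""
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def rules_blocking(log_text, name):
    """Sorted rule ids that blocked any application whose file name is `name`."""
    wanted = name.lower()
    return sorted(
        rule
        for rule, apps in tally_blocks(log_text).items()
        if any(image_name(app) == wanted for app in apps)
    )


if __name__ == "__main__":
    for rule, apps in tally_blocks(SAMPLE_LOG).items():
        print(rule)
        for app, count in apps.items():
            print(f"  {count:4d}  {app}")
    print("rules blocking ipnat.sys:", rules_blocking(SAMPLE_LOG, "ipnat.sys"))
```

Point it at an exported traffic log instead of SAMPLE_LOG and compare the rule ids before and after disabling the policy: if the same rule id keeps appearing once the shared policy is unchecked, the block is not coming from that policy.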


  • 2.  RE: Symantec EndPoint Protection on Domain Controller

    Posted Jun 29, 2009 03:53 PM
    Don't enable the FW policy on servers. If you do, only enable a blank rule set with nothing selected or an any<->any traffic rule.

    The main thing is that you want IPS from NTP, not the FW.




  • 3.  RE: Symantec EndPoint Protection on Domain Controller

    Posted Jun 29, 2009 04:31 PM

    In my SEP Manager, I go to the group that the server is in, I see Firewall Policy [shared], it is greyed out because I've unchecked the 'Enable this policy' box. So it is already disabled (in my mind). But there are Action - Blocked items in the log still.



  • 4.  RE: Symantec EndPoint Protection on Domain Controller

    Posted Jun 29, 2009 05:31 PM
     Try this: create a new FW policy or a copy of one, and remove everything except for a single blank rule.

    Apply this to the server, rinse repeat and see what happens.




  • 5.  RE: Symantec EndPoint Protection on Domain Controller

    Posted Jun 29, 2009 06:03 PM

    Symantec strongly recommends not to install NTP on server computers, as it may result in a lot of performance and DoS issues.

    You may uninstall the NTP feature from Control Panel > Add/Remove Programs.



  • 6.  RE: Symantec EndPoint Protection on Domain Controller

    Posted Jun 30, 2009 12:43 AM
    BharRie is correct: Symantec recommends not installing the NTP component if you are behind a corporate firewall, but if this is a requirement you need to enable IP protocol 47 (GRE) and TCP port 1723.


  • 7.  RE: Symantec EndPoint Protection on Domain Controller

    Posted Jun 30, 2009 12:59 AM
    LOL, Symantec Product Management will say otherwise... So who's right?

    IPS has virtually no effect on network performance when working correctly... Although there is that darn XP SP3 bug with IPS...
    In fact, the older SBS best practice guide said to enable NTP when installing the client on the SBS server.

    That said, I have zero issues with most servers and it is deployed to them. I've yet to try it though on SQL or Exchange boxes, or other high network throughput servers.