Configuring Secure Sockets Layer (SSL) to work with the Symantec Endpoint Protection 11.x reporting functions on Windows Server 2003

Article ID: 151289

Products

Endpoint Protection

Issue/Introduction

You need to know how to configure Secure Sockets Layer (SSL) to work with Symantec Endpoint Protection reporting that is installed on Windows Server 2003.

Symptoms
You may be encountering difficulties when following other directions to enable SSL.


For example, the Symantec Endpoint Protection Manager service, semsrv, will not start if the IIS "Require SSL" setting is turned on.
See the knowledge base article: Service "semsrv" can not start if "Require secure channels (SSL)" is checked

 

Cause

For compatibility with a SEPM installation, follow instructions in the solution below.

Resolution


Before you begin:




By default, the Symantec Endpoint Protection Manager communicates with Endpoint Protection clients using the HTTP communication protocol. You can change this communication protocol to HTTPS, which uses SSL. SSL uses certificates that you must create and install manually. After you configure HTTPS communications, you can toggle between HTTPS and HTTP communications.

You can use these procedures for configuring SSL communications with Windows 2003 Server operating systems. These procedures assume that Internet Information Services (IIS) and the Symantec Endpoint Protection Manager (SEPM) are already installed on the same computer and that you are configuring SSL communications on that computer.

Configuring SSL communications involves the following steps:

  1. Installing the Microsoft Certificate Services
  2. Creating a certificate request
  3. Submitting a certificate request
  4. Installing the CA certification path
  5. Issuing the certificate
  6. Retrieving the certificate
  7. Installing the certificate
  8. Configuring the reporting Web site to use SSL
  9. Configuring the Management Server List to use SSL
  10. Manually editing the conf.properties file
  11. Configuring the Symantec Endpoint Protection Manager and agents to use SSL



Installing Microsoft Certificate Services

By default, Microsoft Certificate Services is not installed on Windows 2003 Server operating systems. If the services are installed, skip this procedure. On Windows 2003 Server, during the Certificate Services installation process, you must click Yes to accept the use of Active Server Pages (ASP) when prompted.

To install Microsoft Certificate Services, do the following:

  1. Insert your server installation CD. The Certificate Services installer requires a file named sertsrv.msc from the CD.
  2. Click Start > Settings > Control Panel > Add/Remove Programs.
  3. In the Add/Remove Programs window, click Add/Remove Windows Components.
  4. In the Windows Components dialog box, check Certificate Services, and then click Next.
  5. In the Certificate Authority Type dialog box, click Stand-alone root CA, and then click Next.
  6. In the CA Identifying Information dialog box, in all boxes, type identifying information, and then click Next.
  7. In the Data Storage Location dialog box, in all boxes, accept or change the default locations for directories and log files, and then click Next.
  8. When the installation completes, click Finish.


Creating a certificate request

To create a certificate request do the following:

  1. Click Start > Settings > Control Panel > Administrative Tools > Internet Information Services (IIS) Manager.
  2. In the left pane, expand the local computer, click the Web Sites folder, and then, on the right-hand side, right-click Symantec Web Server (prior to MR2 used Default Web Site), and select Properties.
  3. In the Symantec Web Server (prior to MR2 used Default Web Site) Properties dialog box, on the Directory Security tab, under Secure Communications, click Server Certificate.
  4. In the Certificate Wizard dialog box, click Next.
  5. In the Server Certificate dialog box, click Create a new certificate, and then click Next.
  6. In the Delay or Immediate Request dialog box, click Prepare the request now, but send later, and then click Next.
  7. In the Name and Security Settings dialog box, in the Name box, type a name for your certificate.
  8. In the Bit length drop-down box, select the encryption key length, and then click Next.
  9. In the Organization Information dialog box, in the Organization and Organizational unit boxes, type your values, and then click Next.
  10. In the Your Site's Common Name dialog box, in the Common name box, type your value, and then click Next.
  11. In the Geographical Information dialog box, in all boxes, type your values, and then click Next.
  12. In the Certificate Request File Name dialog box, in the File name box, type the file name for the certificate request, and then click Next.
  13. In the Request File Summary dialog box, click Next.
  14. In the Completed dialog box, click Finish.
  15. In the Symantec Web Server (prior to MR2 used Default Web Site) Properties dialog box, click OK.


Submitting a certificate request
You must submit a certificate request.

To submit the certificate request do the following:

  1. Start Internet Explorer if it is not started.
  2. In the Address box, type:

    http://<Reporting_Host_Computer>/certsrv

    (Note that if you have the Enhanced Security Configuration for Internet Explorer installed, which is on by default, it is best to add the above certsrv site to your trusted sites when first prompted.)

     
  3. In the Welcome page, click Request a Certificate, and then click Next.
  4. In the Choose Request Type page, click Advanced Request, and then click Next.
  5. In the Advanced Certificate Request page, click Submit a certificate request using a PKCS #10 file, and then click Next.
  6. With Notepad, open the certificate request file that you created.
  7. Click Edit > Select All, and then Edit > Copy. Verify that a blank line does not appear at the last line. The last line must be "-----END NEW CERTIFICATE REQUEST-----" without the quotes.
  8. In the Submit a Saved Request page, in the Saved Request box, click the mouse, and then click Edit > Paste.
  9. Click Submit.
  10. Close all browser windows.
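
The check in step 7 can be scripted before pasting. The following Python is an added example, not part of the original article or of any Symantec or Microsoft tool: it verifies the request markers, flags anything after the END line, and confirms the body decodes to a DER structure. The function names and the sample request are constructed for illustration.

```python
import base64
import binascii

BEGIN = "-----BEGIN NEW CERTIFICATE REQUEST-----"
END = "-----END NEW CERTIFICATE REQUEST-----"


def check_csr_text(text):
    """Return the problems found in copied request text (empty list = OK)."""
    problems = []
    lines = text.replace("\r\n", "\n").split("\n")  # Notepad saves CRLF
    if lines[0] != BEGIN:
        problems.append("first line is not the BEGIN marker")
    if END not in lines:
        return problems + ["END marker is missing"]
    end_at = lines.index(END)
    if end_at != len(lines) - 1:
        problems.append("blank line or other text follows the END marker")
    body = "".join(lines[1 if lines[0] == BEGIN else 0:end_at])
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return problems + ["body is not valid base64"]
    # A PKCS #10 request is a DER SEQUENCE, so its first byte is 0x30.
    if not der or der[0] != 0x30:
        problems.append("decoded body is not a DER SEQUENCE")
    return problems


def trim_for_paste(text):
    """Cut the text so the END marker is its last line, as step 7 requires."""
    normalised = text.replace("\r\n", "\n")
    cut = normalised.find(END)
    if cut == -1:
        raise ValueError("END marker is missing")
    return normalised[:cut + len(END)]


# Constructed sample: 64 placeholder bytes, not a real request. It ends with
# CRLF, which Notepad shows as an empty last line.
_body = base64.b64encode(b"\x30\x3e" + bytes(62)).decode()
SAMPLE_REQUEST = "\r\n".join([BEGIN, _body[:64], _body[64:], END]) + "\r\n"

if __name__ == "__main__":
    print(check_csr_text(SAMPLE_REQUEST))
    print(check_csr_text(trim_for_paste(SAMPLE_REQUEST)))
```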


Installing the CA certification path
You must install the CA certification path.

To install the CA certification path do the following:

  1. Start Internet Explorer if it is not started.
  2. Browse to http://<Reporting_Host_Computer>/certsrv.
  3. In the Welcome page, click Download a CA certificate, certificate chain or CRL, and then click Next.
  4. In the Retrieve the CA Certificate page, at the top, click Install this CA certification path.


Issuing the certificate
You must issue the certificate.

To issue the certificate do the following:

  1. Click Start > Programs > Administrative Tools > Certification Authority. You must have administrative privileges.
  2. In the Certification Authority page, expand your CA, and then click Pending Requests.
  3. In the right pane, right-click the request, and then click All Tasks > Issue.


Retrieving the certificate
You must retrieve the certificate.

To retrieve the certificate do the following:

  1. Start Internet Explorer if it is not started.
  2. Browse to http://<Reporting_Host_Computer>/certsrv.
  3. In the Welcome page, click Check on a pending certificate, and then click Next.
  4. In the Check On A Pending Certificate Request page, select the certificate, and then click Next.
  5. In the Certificate Issued page, click DER Encoded, and then click Download CA certificate.
  6. In the File Download dialog box, click Save this file to disk, and then click OK.
  7. Complete the download.


Installing the certificate
You must install the certificate.

To install the certificate do the following:

  1. If the IIS Manager is not started, click Start > Settings > Control Panel > Administrative Tools > IIS Manager.
  2. In the Internet Information Services window, expand the host node, right-click Symantec Web Server (prior to MR2 used Default Web Site), and then select Properties.
  3. In the Symantec Web Server (prior to MR2 used Default Web Site) Properties window, on the Directory Security tab, under Secure Communications, click Server Certificate.
  4. In the Certificate Wizard dialog box, click Next.
  5. In the Pending Certificate Request dialog box, click Process the pending request and install the certificate, and then click Next.
  6. In the Process a Pending Request dialog box, browse to and select the certificate .cer file that you saved.
  7. Click Next, leave the default SSL port at 443, and then click Next again.
  8. In the Certificate Summary dialog box, click Next.
  9. In the Completed dialog box, click Finish.
  10. In the Symantec Web Server (prior to MR2 used Default Web Site) Properties window, on the Web Site tab, under Web Site Identification, click Advanced.
  11. In the Advanced Multiple Web Site Configuration dialog box, under Multiple SSL identities for this Web Site, verify that the port number is 443.
  12. If the port number is not 443, change the number to 443.
  13. Exit the Symantec Web Server (prior to MR2 used Default Web Site) Properties window, but do not exit the Internet Information Services window.



Configuring the reporting Web site to use SSL
You must configure the reporting Web site to use SSL.

To configure the reporting Web site to use SSL do the following:

  1. In the Internet Information Services window, expand the host and Symantec Web Server (prior to MR2 used Default Web Site) nodes, right-click Reporting, and then select Properties.
  2. In the Reporting Properties dialog box, on the Directory Security tab, under Secure Communications, click Edit.
  3. In the Secure Communications dialog box, check Require secure channel (SSL).
  4. Optionally, check Require 128 bit encryption, based on your network security policy.
  5. Under Client certificates, check Ignore client certificates if it is not checked, and then click OK.
  6. In the Reporting Properties dialog box, click OK.

Configuring the Management Server console logon server

Change the default server in the SEPM logon console.

  1. Edit C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\sesm.bat in Notepad.
  2. Add a parameter before "-jar": -Dscm.server=<server hostname>
  3. Save sesm.bat.
  4. Open the Symantec Endpoint Protection Manager Console.
  5. The server variable should now default to server hostname:8443 instead of localhost:8443.
    Note: If localhost is used when logging on to the SEPM, the Home, Monitor & Reporting pages will show an endless loading window. This occurs because SSL needs to verify the server's certificate by server name, not localhost.


Manually editing the conf.properties file

To manually edit the conf.properties file, do the following:

  1. Open the file named conf.properties, which by default is located at Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc.
  2. Open this file in Notepad or WordPad.
  3. Add the following two lines to the bottom of this file:
    • scm.use_https=1
    • scm.iis.https.port=443

  4. Save your work.
  5. Restart the computer.
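
If the file has been edited before, appending the two lines blindly can leave a stale or duplicate key. The following Python is an added example, not part of the original article or of the product: it applies the two settings idempotently to the text of conf.properties, assuming simple key=value lines. The function name and the sample content are constructed for illustration.

```python
REQUIRED = {"scm.use_https": "1", "scm.iis.https.port": "443"}


def apply_https_settings(text, required=REQUIRED):
    """Return (new_text, changes) with each required key present exactly once."""
    newline = "\r\n" if "\r\n" in text else "\n"  # keep the file's line endings
    out, seen, changes = [], set(), []
    for line in text.splitlines():
        stripped = line.strip()
        key = None
        # Assumption: settings are plain key=value lines; # and ! start comments.
        if stripped and not stripped.startswith(("#", "!")) and "=" in stripped:
            key = stripped.split("=", 1)[0].strip()
        if key not in required:
            out.append(line)  # unrelated settings and comments pass through
            continue
        if key in seen:
            changes.append("removed duplicate " + key)
            continue
        seen.add(key)
        value = stripped.split("=", 1)[1].strip()
        if value == required[key]:
            out.append(line)
        else:
            out.append(key + "=" + required[key])
            changes.append("changed " + key)
    for key, value in required.items():
        if key not in seen:
            out.append(key + "=" + value)  # added at the bottom, as in step 3
            changes.append("added " + key)
    return newline.join(out) + newline, changes


# Constructed sample, not a real SEPM file; example.other.setting is hypothetical.
SAMPLE_CONF = (
    "# constructed sample\r\n"
    "example.other.setting=abc\r\n"
    "scm.iis.https.port=8443\r\n"
)

if __name__ == "__main__":
    new_text, changes = apply_https_settings(SAMPLE_CONF)
    print(changes)
    print(new_text)
```

An empty change list on a second run confirms that the file already carries both settings.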



Configuring clients to use SSL
You must configure all clients to use SSL. The configuration involves installing the certificate and implementing SSL communications on the client computer.

To configure clients to use SSL (to be done on the client computer itself), do the following:

  1. Start Internet Explorer, in the Address box, type https://<Reporting_Host_Name>/Reporting
  2. In the Security Alert dialog box, click View Certificate.
  3. In the Certificate Dialog box, click Install Certificate.
  4. Complete the installation wizard and accept the defaults.
  5. In the Security Alert dialog box, click Yes.
  6. Log on to the reporting page.



Configuring the Management Server List

To toggle between HTTP and HTTPS communications do one of the following:

  1. In the console, click Policies > Policy Components > Manager Server Lists > Edit the List… to pull up the Shared Management Server Lists window.
    • To configure the Management Server List to use HTTP communications, click on the Use HTTP Protocol box and then click OK.
    • To configure the Management Server List to use HTTPS communications, click Use HTTPS protocol and, optionally, the Verify Certificate when using HTTPS Protocol box, and then click OK.
  2. Wait a few minutes for the settings to propagate.



Configuring the Management Server List to use SSL
You must configure the Management Server List to use SSL.

To configure the Management Server List to use SSL, do the following:

  1. If the IIS Manager is not started, click Start > Settings > Control Panel > Administrative Tools > IIS Manager.
  2. Open the console, and then click Policies > Policy Components > Manager Server Lists > Add a Management Server List. In the Shared Management Servers Lists window, at the top, name the list and optionally add a description, or use the defaults. Check both the Use HTTPS protocol and the Verify certificates using HTTPS protocol check boxes.
  3. Under Management Servers, click Add > New Priority > Add > New Server. In the Host Address box, under the server address, you must use the computer name of the server, not the IP address. Use the same computer name that was used when creating the self-signed certificates earlier, and then click OK.
  4. Finally, right-click the name of the new management server list that you created in steps 2 and 3 above, and click Assign To…. Choose all servers and groups to be included, and then click Assign > Yes > OK.





Applies To

This article applies only to Symantec Endpoint Protection 11.x.

The Symantec Endpoint Protection Manager in Endpoint Protection 12.1 and newer uses the Apache web server rather than IIS, and its configuration is documented elsewhere. See "SEP 12.1.x: Configuring SSL between Symantec Endpoint Protection Manager and clients": http://www.symantec.com/docs/TECH162326
