When Symantec Endpoint Protection (SEP) 12.1.5 or newer acts as a Group Update Provider (GUP) on Windows Server 2008 / 2012 with the Windows Firewall enabled, the GUP fails to update the SEP clients.
The Windows Firewall on the GUP blocks ccSvcHst.exe from communicating with the SEP clients that are attempting to get updates. When SEP 12.1.5 or newer is installed on Windows Server 2008 / 2012 as a GUP, SEP auto-creates Windows Firewall rules for SMC.exe, but not for ccSvcHst.exe.
This issue is fixed in Symantec Endpoint Protection 220.127.116.11 and newer. For information on how to obtain the latest build of Symantec Endpoint Protection, read
TECH 103088: Download the latest version of Symantec Endpoint Protection
To work around the issue, create two Inbound Rules in the Windows Firewall:
1. Open Windows Firewall and click Advanced Settings.
2. Click Inbound Rules.
3. Click New Rule…
4. Select Custom, click Next.
5. Select This program path: and click Browse.
6. Browse to and select ccSvcHst.exe. Example path: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.6608.6300.105\Bin
Note: The path may vary depending on where SEP was installed.
7. Click Open and click Next.
8. For Protocol type, click the drop-down arrow and select TCP, then click Next.
9. Click Next again (skipping local and remote IP addresses).
10. Select Allow the connection, click Next.
11. Under "When does this rule apply?", select the appropriate profiles for the rule (Domain, Private, Public), then click Next.
12. Name the rule, for example: ccSvcHst Service, and click Finish.
13. Repeat steps 1-12 to create a second rule. When you get to step 8, select UDP instead of TCP.
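
The same two rules can be created from an elevated PowerShell prompt on the GUP. The script below is an added example, not part of the original Symantec article. It assumes the default install root from the example path above, and the parameter names and the "(TCP)"/"(UDP)" rule name suffixes are illustrative. It uses netsh advfirewall so that it also works on Windows Server 2008.

```powershell
# Added example: scripted equivalent of steps 1-13. Run elevated on the GUP.
param(
    # Assumption: default SEP install root, taken from the example path in the article.
    [string]$SepRoot  = "${env:ProgramFiles(x86)}\Symantec\Symantec Endpoint Protection",
    # Profiles the rules apply to (step 11); narrow this to what the GUP actually uses.
    [string]$Profiles = 'domain,private,public',
    # Rule name prefix (step 12).
    [string]$RuleName = 'ccSvcHst Service'
)

# The version folder varies per build, so search for the binary instead of hard-coding it.
$exe = Get-ChildItem -Path $SepRoot -Filter 'ccSvcHst.exe' -Recurse -ErrorAction SilentlyContinue |
       Where-Object { -not $_.PSIsContainer } |
       Sort-Object LastWriteTime -Descending |
       Select-Object -First 1

if (-not $exe) {
    Write-Error "ccSvcHst.exe not found under '$SepRoot'. Pass -SepRoot with the actual install path."
    exit 1
}
Write-Output "Using $($exe.FullName)"

foreach ($proto in 'TCP', 'UDP') {
    $name = "$RuleName ($proto)"

    # Skip a rule that already exists so the script can be re-run safely.
    netsh advfirewall firewall show rule name="$name" | Out-Null
    if ($LASTEXITCODE -eq 0) {
        Write-Output "Rule '$name' already exists, leaving it unchanged."
        continue
    }

    # Program-scoped inbound allow rule: any port, any remote address (steps 4-10).
    netsh advfirewall firewall add rule name="$name" dir=in action=allow `
        program="$($exe.FullName)" protocol=$proto profile=$Profiles enable=yes
    if ($LASTEXITCODE -ne 0) {
        Write-Error "Failed to create rule '$name'."
        exit 1
    }
}

# Print both rules so the program path, protocol and profiles can be verified.
foreach ($proto in 'TCP', 'UDP') {
    netsh advfirewall firewall show rule name="$RuleName ($proto)" verbose
}
```

Because the rules are bound to the full program path, they stop matching if a SEP upgrade moves ccSvcHst.exe to a new version folder; delete the old rules and run the script again in that case.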