search cancel

After upgrading to Symantec Endpoint Encryption 11.1, new clients cannot communicate while existing 11.0.1 and previous clients continue to check-in (TLS 1.2 required)

book

Article ID: 163433

calendar_today

Updated On:

Products

Endpoint Encryption

Issue/Introduction

In some situations, Symantec Endpoint Encryption (SEE) clients version 11.1.0 and above may be unable to communicate with Symantec Endpoint Management Server (SEEMS), while SEE 11.0.1 or earlier are able to successfully report into the server as expected.

Resolution

One possible scenario for communication failures after update is the network does not allow TLS 1.2, either on the Symantec Encryption Management Server, network gateway, load balancer, proxy, or other network appliance which intercepts traffic between the client and server.

In this situation it is critical to verify that the appliance, intermediary server, or SEEMS is configured to accept and/or pass through encrypted communications requiring TLS 1.2. SEE 11.0.1 and older clients do not force TLS 1.2 so which would continue to allow communication to SEEMS using TLS 1.1 and would not be affected.

Web browser connections from a SEE 11.1 client may connect normally, as it is likely to be using a TLS 1.0 or 1.1 connection, as opposed to the SEE client which requires TLS 1.2.

Depending on the device, various appliances and management servers (vary by OS) will have information on how to enable or disable each version of SSL/TLS, so please refer to your manufacturer's documentation on this.

In order to correct this situation, enable TLS 1.2 on the affected device or server on the network, and communication will be restored.