search cancel

HTTPS communications fail to Endpoint Protection clients installed on Windows XP / Server 2003

book

Article ID: 164071

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

When using Symantec Endpoint Protection (SEP) 12.1.x clients on computers that run Windows XP or Windows Server 2003, HTTPS communications with newer SEP Managers (SEPM versions 14.x) may fail.

Error logged in sylink debugging at SEP client:

<ParseErrorCode:>12157=>The application experienced an internal error loading the SSL libraries.

Cause

This failure occurs due to a cipher mismatch.

Resolution

This issue is resolved with 12.1.6 MP7.

For earlier versions, if you have configured your SEPM and enviroment to use only TLS 1.2 communications, SEP HTTPS comms will fail with XP/2003 systems because they allow only TLS 1.0. See Configuring TLS v1.2 communications between SEPM and clients for more information.

If your SEPM and environment do allow TLS 1.0, the following additional SSLCipherSuite changes will be necessary:

  1. Navigate to drive:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl\sslForClients.conf, and open it with a text editor, such as Notepad.
  2. Locate the following text:
    SSLCipherSuite HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:3DES:!RC4
  3. Replace this text with the following:
    SSLCipherSuite HIGH:-MEDIUM:!LOW:!aNULL:!eNULL:3DES:!RC4:DES-CBC3-SHA
  4. Save the changes and close the file.
  5. Restart the Symantec Endpoint Protection Manager services:
    • Symantec Embedded Database
    • Symantec Endpoint Protection Launcher
    • Symantec Endpoint Protection Manager
    • Symantec Endpoint Protection Manager Webserver

Warning: This configuration uses a lower-strength cipher that is compatible with Windows XP / Server 2003. Therefore, the configuration lowers the security profile of the Symantec Endpoint Protection Manager compared to one that is not configured to accommodate these operating systems.