How to fix a misconfiguration that set the DLP agents to communicate on port 8100.

Article ID: 169930

Products

Data Loss Prevention

Issue/Introduction

A misconfiguration was sent down to all DLP agents that told them to connect to the Endpoint server on port 8100. By default, port 8100 is the port the Endpoint server uses to communicate with the Enforce server. This creates a conflict: the Endpoint server cannot communicate with the DLP agents, because the server is still listening for agents on port 10443 while the agents are trying to connect on port 8100. Pushing a configuration change from Enforce to switch the Endpoint server's agent port from 10443 to 8100 fails with the error "failed to bind address 0.0.0.0:8100", because port 8100 is already in use for the Enforce connection.


Cause

A Change Server task was sent down to the agents and set them to communicate on port 8100.

Environment

14.x
15.x

Resolution

There are two main methods to fix this issue. The first is to use a script to make the changes on the affected agents. The second is to temporarily change the communication ports so that the agents can reach the Endpoint server on port 8100, and then change them back to port 10443.

Method 1: Fixing the Agent communication port with a script
To use update_configuration.exe, go to KB TECH249545 and follow the steps under the section "Method 2: Changing the endpoint server through script". Using that KB you can set both the Endpoint server and the communication port for the DLP Agent. This is the best method when a small number of agents is affected, or to clean up individual agents after a large-scale configuration change.

Method 2: Temporarily modify the communication ports of the Endpoint Server
Follow these steps to change the ports for the Endpoint <-> Enforce communication as well as the Endpoint <-> DLP Agent communication.

  1. Go to System > Servers and Detectors > Overview.
  2. Click on the Endpoint server.
  3. Click the Configure button.
  4. Set the port to 8200.
  5. Save.
  6. On the Endpoint server, browse the file system to \SymantecDLP\Protect\config and open the Communication.properties file.
  7. Change listenPort = 8100 to listenPort = 8200.
  8. Save the changes.
  9. Reset the Vontu Update and Vontu Monitor services.
  10. Open the Enforce Console and go to System > Servers and Detectors > Overview.
  11. Click on the Endpoint server. Within a couple of minutes the Endpoint server should show as connected and using port 8200.
  12. Click Configure.
  13. Set the port under Agent Listener to 8100. Note: leave the bind address as 0.0.0.0.
  14. Click Save.
  15. Click the recycle button on the status line. DLP Agents should now start connecting to the Endpoint server.
  16. Go to KB TECH249545 and follow the steps in "Method 1: Changing the Endpoint Server through the console" to set the DLP agents to connect to the Endpoint server on port 10443.

      Note that after the Change Server task in step 16 is performed, the DLP Agents may not report the change as a success even when they do change successfully. Whether the agents report correctly depends on how soon the following steps are performed. At this point, decide how long to leave the server in this state. If you are confident that all or most of the DLP agents received the change, continue. You may need to leave the server on this port for some time so that the agents can connect and pick up the configuration change; how long depends on environmental factors such as online vs. offline agents, the agent polling interval, and agent connection retry settings.
  17. Repeat steps 10 - 14 and set the DLP Agent Listener port to 10443.
  18. Repeat steps 1 - 9 and set the port to 8100.

If any agents did not receive the Change Server configuration (step 16) with the new port, it is best to use Method 1 and fix them with the script.
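As an added example (not part of this KB article), the following PowerShell performs steps 6 through 9 on the Endpoint server: it first checks that nothing already listens on the new port, which is the condition behind the "failed to bind address" error, then backs up and edits Communication.properties and restarts the two services. The drive letter in $ConfigDir is an assumption; adjust it to your installation.

```powershell
# Added example, not from the KB: pre-flight check plus backup-and-edit of the
# listenPort value in Communication.properties (steps 6-9 of Method 2).
param(
    [string]$ConfigDir = 'C:\SymantecDLP\Protect\config',   # drive letter is assumed
    [int]$NewPort = 8200
)
$propsFile = Join-Path $ConfigDir 'Communication.properties'

# 1. Refuse to proceed if something already listens on the target port; this is
#    exactly the condition that produces "failed to bind address 0.0.0.0:<port>".
$inUse = Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue
if ($inUse) {
    $ownerPid = $inUse[0].OwningProcess
    $owner = (Get-Process -Id $ownerPid).ProcessName
    throw "Port $NewPort is already bound by process '$owner' (PID $ownerPid); pick another port."
}

# 2. Keep a timestamped backup before touching the file.
$backup = "$propsFile.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -Path $propsFile -Destination $backup
Write-Host "Backup written to $backup"

# 3. Rewrite only the listenPort line, leaving every other setting untouched.
$content = Get-Content -Path $propsFile
$pattern = '^\s*listenPort\s*=\s*\d+\s*$'
if (-not ($content -match $pattern)) {
    throw "No listenPort line found in $propsFile; nothing changed."
}
$updated = $content -replace $pattern, "listenPort = $NewPort"
Set-Content -Path $propsFile -Value $updated -Encoding ASCII

# 4. Show the resulting line, then restart the services named in step 9.
Select-String -Path $propsFile -Pattern '^\s*listenPort'
Restart-Service -DisplayName 'Vontu Update', 'Vontu Monitor'
```

Run it as an administrator on the Endpoint server after step 5, and re-run it with -NewPort 8100 when you reach step 18.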
