Communication fails between clients and servers for Symantec Data Loss Prevention (DLP) or other Symantec products. Learn how to determine if a server is listening on a specific port in this scenario. This can also be used to troubleshoot when endpoint agent intermittent connectivity issues occur.
Determine whether the port has a listener on the server you want to connect to. While on the Endpoint detection server (or any target server), run the following:
netstat -an | find ":<port number>"
You should see a TCP entry in the LISTENING state for port 10443 (the example port used here); the local address can be 0.0.0.0 (all interfaces) or any of the server's local IP addresses. The leading colon in the filter keeps find from matching the port digits inside an IP address.
After you confirm that the server is listening on the port, go to a client and use one of the following methods to see if the port is open over the network.
The PowerShell method is recommended because other applications, such as telnet, can have their specific type of communication blocked rather than just their port.
We will use the Test-NetConnection PowerShell cmdlet. The first (positional) parameter is the destination, and the port is specified with the -Port switch.
For example:
Test-NetConnection <Destination IP Address> -port 10443
This will ping the remote server <Destination IP Address> and then attempt a TCP connection on port 10443.
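As an added example (not part of the Symantec article), the following PowerShell function wraps the Test-NetConnection check, falls back to a raw System.Net.Sockets.TcpClient connect with a timeout on hosts where that cmdlet does not exist, and turns the PingSucceeded / TcpTestSucceeded pair into a plain verdict so the two outcomes are not confused. The function name Test-DlpPort, the -TimeoutMs parameter and the destination placeholder are assumptions; port 10443 is the article's example port. PowerShell 3 or later is assumed.

```powershell
# Added example, not from the Symantec article: client-side TCP port check
# with result interpretation. Destination is a placeholder.
function Test-DlpPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 10443,      # example port used in the article
        [int]$TimeoutMs = 3000   # assumption: connect timeout for the fallback path
    )

    if (Get-Command Test-NetConnection -ErrorAction SilentlyContinue) {
        # Preferred path: the built-in cmdlet (pings, then attempts a TCP connect).
        # -WarningAction hides the "Ping to ... failed" warning; we report it ourselves.
        $r = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue
        $pingOk = [bool]$r.PingSucceeded
        $tcpOk  = [bool]$r.TcpTestSucceeded
        $remote = $r.RemoteAddress
    }
    else {
        # Fallback for hosts without Test-NetConnection: raw TCP connect with a timeout,
        # so a silently dropped SYN (filtered port) does not hang for the full OS timeout.
        $client = New-Object System.Net.Sockets.TcpClient
        $tcpOk  = $false
        try {
            $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($async)   # throws on refused connection
                $tcpOk = $client.Connected
            }
        }
        catch { $tcpOk = $false }
        finally { $client.Close() }
        $pingOk = [bool](Test-Connection -ComputerName $ComputerName -Count 1 -Quiet -ErrorAction SilentlyContinue)
        $remote = $null
    }

    # Interpretation: TCP success is the only result that proves the port is open.
    $verdict = if ($tcpOk) {
        'Port reachable: a listener completed the TCP handshake.'
    }
    elseif ($pingOk) {
        'Host reachable but port closed or filtered: confirm the listener with netstat -an on the server and check firewalls in the path.'
    }
    else {
        'Neither ping nor TCP succeeded: ICMP may be blocked, or there is a DNS/routing problem; re-test from another network segment.'
    }

    [pscustomobject]@{
        Target        = $ComputerName
        RemoteAddress = $remote
        Port          = $Port
        PingSucceeded = $pingOk
        TcpSucceeded  = $tcpOk
        Verdict       = $verdict
    }
}

# Usage with the article's placeholder for the DLP Endpoint server:
Test-DlpPort -ComputerName '<Destination IP Address>' -Port 10443 | Format-List
```

A TCP success with a failed ping is still a pass: many networks drop ICMP while allowing the application port, so only the TcpSucceeded field decides whether the agent can reach the server.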
(Optional) If needed, go to the target machine and use the following PowerShell commands to start a listener. Only do this if a service is not already listening on the port; verify this first with the netstat -an command.
The following commands start a listener on port 80 on the remote server:
$Listener = [System.Net.Sockets.TcpListener]80;
$Listener.Start();
Once the test is complete run the following command to stop the listener:
$Listener.Stop();
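As an added example (not part of the Symantec article), the following PowerShell script does the server-side half of the procedure in one piece: it first checks whether anything already listens on the port (via Get-NetTCPConnection, or by parsing netstat -ano on older systems), refuses to start if so, and otherwise opens a temporary listener, waits for one client connection, and always releases the port in a finally block. The function names Get-PortListener and Start-TemporaryListener and the -WaitSeconds parameter are assumptions; port 10443 is the article's example port.

```powershell
# Added example, not from the Symantec article: check for an existing listener,
# then run a temporary one for the client-side test. Port is a placeholder.
function Get-PortListener {
    param([Parameter(Mandatory)][int]$Port)
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        # Modern Windows: structured equivalent of "netstat -an | find ':<port>'" for LISTENING sockets.
        Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
            ForEach-Object {
                $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
                [pscustomobject]@{ LocalAddress = $_.LocalAddress; Port = $_.LocalPort
                                   Pid = $_.OwningProcess; Process = $proc.ProcessName }
            }
    }
    else {
        # Older systems: parse netstat -ano, matching only LISTENING lines for this exact port.
        # Example line: "  TCP    0.0.0.0:10443    0.0.0.0:0    LISTENING    1234"
        foreach ($line in (netstat -ano)) {
            if ($line -match "^\s*TCP\s+(\S+):$Port\s+\S+\s+LISTENING\s+(\d+)\s*$") {
                $proc = Get-Process -Id ([int]$Matches[2]) -ErrorAction SilentlyContinue
                [pscustomobject]@{ LocalAddress = $Matches[1]; Port = $Port
                                   Pid = [int]$Matches[2]; Process = $proc.ProcessName }
            }
        }
    }
}

function Start-TemporaryListener {
    param([Parameter(Mandatory)][int]$Port, [int]$WaitSeconds = 120)

    $existing = @(Get-PortListener -Port $Port)
    if ($existing.Count -gt 0) {
        # Do not compete with the real service; report who owns the port instead.
        Write-Warning "Port $Port already has a listener; not starting a test listener."
        $existing | Format-Table -AutoSize | Out-String | Write-Warning
        return $false
    }

    $listener = New-Object System.Net.Sockets.TcpListener([System.Net.IPAddress]::Any, $Port)
    try {
        $listener.Start()
        Write-Host "Listening on 0.0.0.0:$Port for up to $WaitSeconds s; run Test-NetConnection from the client now."
        $deadline = (Get-Date).AddSeconds($WaitSeconds)
        while ((Get-Date) -lt $deadline) {
            if ($listener.Pending()) {
                $client = $listener.AcceptTcpClient()
                Write-Host ("Connection received from {0}" -f $client.Client.RemoteEndPoint)
                $client.Close()
                return $true
            }
            Start-Sleep -Milliseconds 200
        }
        Write-Host "No connection within $WaitSeconds s."
        return $false
    }
    finally {
        # Always release the port (also on error or Ctrl+C) so the real service can bind later.
        $listener.Stop()
    }
}

# Usage on the target server:
Start-TemporaryListener -Port 10443
```

The remote endpoint printed on a successful connection shows the client's dynamic source port, which is the value the closing note about firewall rules refers to. If the temporary listener is running but the client test still fails, the remaining suspects are the server's host firewall inbound rules and devices in the network path, not the application.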
The telnet client can be used if PowerShell is not available or telnet is already enabled on the machine. The main drawback of using telnet is that you can get a false negative result, because some routers can specifically block telnet traffic even if the port is open.
To test a TCP connection with telnet, run the following:
telnet <Destination IP Address> 10443
To enable the telnet client:
Also note: source ports on client machines running the DLP agent (and most other applications) are dynamic and may need to be factored into firewall rules.