Endpoint Protection clients do not try entire Management Server List after connection failure

Article ID: 174055

Products

Endpoint Protection

Issue/Introduction

Symantec Endpoint Protection (SEP) clients may not try all servers in the Management Server List (MSL) if they encounter a connection failure. Specifically, if the certificate on a Symantec Endpoint Protection Manager (SEPM) has been changed and certificate verification is enabled on the clients, a verification failure stops the client from cycling sequentially through the servers in the MSL, and the client begins again with the first server in the list.

Environment

SEP 14.2 for Windows

Resolution

This will be fixed in SEP 14.2 RU1, so that clients will continue checking other servers in the MSL after a certificate verification failure.
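The following added example is a simplified model of the MSL walk, not Symantec code. It contrasts the 14.2 behaviour from the Issue section with the behaviour this article says 14.2 RU1 will have. The server names, the outcome labels, and the assumption that a plain connection failure moves on to the next server are all constructed for illustration.

```python
# Simplified model of a client walking the Management Server List (MSL).
# Not Symantec code: server names and outcome labels are constructed.
OK = "ok"
CONN_FAIL = "connection_failure"
CERT_FAIL = "cert_verification_failure"


def walk_msl(msl, outcomes, cycles, restart_on_cert_failure):
    """Return (connected_server_or_None, attempts).

    msl: ordered list of server names.
    outcomes: server name -> result of a connection attempt.
    restart_on_cert_failure=True models the 14.2 behaviour (restart at the
    first server); False models the behaviour described for 14.2 RU1.
    """
    attempts = []
    for _ in range(cycles):
        for server in msl:
            result = outcomes[server]
            attempts.append((server, result))
            if result == OK:
                return server, attempts
            if result == CERT_FAIL and restart_on_cert_failure:
                break  # abandon the rest of the list, begin again at the top
            # Assumption: any other failure moves on to the next server.
    return None, attempts


def starved_servers(msl, attempts):
    """Servers in the MSL that the client never contacted."""
    tried = {server for server, _ in attempts}
    return [server for server in msl if server not in tried]


# Constructed scenario: sepm-a is unreachable, the certificate was changed
# on sepm-b, and sepm-c is healthy.
MSL = ["sepm-a", "sepm-b", "sepm-c"]
OUTCOMES = {"sepm-a": CONN_FAIL, "sepm-b": CERT_FAIL, "sepm-c": OK}

if __name__ == "__main__":
    for label, flag in (("14.2", True), ("14.2 RU1", False)):
        server, attempts = walk_msl(MSL, OUTCOMES, cycles=3,
                                    restart_on_cert_failure=flag)
        print(label, "connected to:", server,
              "| never tried:", starved_servers(MSL, attempts))
```

In the model, the healthy server listed after the one with the changed certificate is never contacted under the 14.2 behaviour, so the client stays disconnected for as long as the condition persists.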

To prevent this issue, follow best practices before updating a SEPM certificate: update the server certificate on the management server without breaking communications with the client. This includes ensuring that clients receive an updated policy with the verification option disabled (uncheck "Enable secure communications between the management server and clients by using digital certificates for authentication").

See also Setting UseLastServer=0 does not randomize management server choice in Endpoint Protection 14.2