Configuring Endpoint Protection Manager to use HSTS

Article ID: 175268

Products

Endpoint Protection

Issue/Introduction

This document demonstrates how to enable HTTP Strict Transport Security (HSTS) in the Symantec Endpoint Protection Manager (SEPM).

Resolution

Requirements

  • The SEPM must be using a third-party certificate.
  • The root certificate must be installed in the Trusted Root Certification Authorities on each server where the SEPM is installed.

Warning

Enabling HSTS causes the following items to stop functioning properly:

  • Built-in Help pages in the SEPM.
    • Help Topics within the SEPM will display a browser page indicating “This content cannot be displayed in a frame.”
  • SEPM Web Console (port 8443) when using the SEPM IP address.
    • Using the SEPM Hostname to access the Web Console remains unaffected.
    • Java remote console is unaffected.

Steps to enable HSTS for semsrv service on port 8443

  1. Stop the SEPM services.
    1. Symantec Endpoint Protection Launcher
    2. Symantec Endpoint Protection Manager
    3. Symantec Endpoint Protection Manager API Service
    4. Symantec Endpoint Protection Manager Webserver
  2. Open …\<SEPM install directory>\tomcat\conf\web.xml with a text editor.
    1. Navigate to the section “Built in Filter Definitions”. The first filter, httpHeaderSecurity, is commented out. On the line immediately below the closing comment marker (-->), paste the following filter configuration.
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>
    2. Navigate to the section “Built in Filter Mappings”. The first filter mapping, httpHeaderSecurity, is commented out. On the line immediately below the closing comment marker (-->), paste the following filter-mapping configuration.
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <url-pattern>*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
  3. Start the SEPM services.
    1. Symantec Endpoint Protection Launcher
    2. Symantec Endpoint Protection Manager
    3. Symantec Endpoint Protection Manager API Service
    4. Symantec Endpoint Protection Manager Webserver
  4. Verify the Web Console is working by logging into https://<Hostname>:8443.

Steps to enable HSTS for semwebsrv service (httpd) on port 8445 and 443

  1. Stop the SEPM services.
    1. Symantec Endpoint Protection Launcher
    2. Symantec Endpoint Protection Manager
    3. Symantec Endpoint Protection Manager API Service
    4. Symantec Endpoint Protection Manager Webserver
  2. Open …\<SEPM install directory>\apache\conf\ssl
    1. In a text editor, open ssl.conf and add the following line at the bottom, then save the file.
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    2. In a text editor, open sslforclients.conf and add the following line at the bottom, then save the file.
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
  3. Start the SEPM services.
    1. Symantec Endpoint Protection Launcher
    2. Symantec Endpoint Protection Manager
    3. Symantec Endpoint Protection Manager API Service
    4. Symantec Endpoint Protection Manager Webserver
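As an added check that is not part of this article, the following Python script parses and validates the Strict-Transport-Security header each SEPM listener returns after the Tomcat (port 8443) and httpd (ports 8445 and 443) changes above. The hostname argument, the fetch helper and the per-port expected max-age values (taken from the two configurations) are assumptions.

```python
"""Verify the Strict-Transport-Security header returned by the SEPM listeners."""
import ssl
import sys
import urllib.error
import urllib.request

# Assumed expectations, taken from the two configurations in the article:
# the Tomcat filter on 8443 sets max-age=31536000, the httpd directive on
# 8445 and 443 sets max-age=63072000.
EXPECTED_MIN_MAX_AGE = {8443: 31536000, 8445: 63072000, 443: 63072000}


def parse_hsts(value):
    """Split an HSTS header value into a dict of directives (lowercase names).

    Valueless directives such as includeSubDomains and preload map to True.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or True
    return directives


def check_hsts(header_value, min_max_age):
    """Return a list of findings; an empty list means the header is acceptable."""
    if header_value is None:
        return ["Strict-Transport-Security header missing"]
    findings = []
    d = parse_hsts(header_value)
    try:
        max_age = int(d.get("max-age", -1))
    except ValueError:
        max_age = -1
    if max_age < 0:
        findings.append("max-age missing or not an integer")
    elif max_age < min_max_age:
        findings.append(f"max-age {max_age} below expected {min_max_age}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set")
    return findings


def fetch_hsts(hostname, port, timeout=5):
    """HEAD https://hostname:port/ and return the HSTS header (None if absent)."""
    ctx = ssl.create_default_context()  # validates the third-party certificate
    req = urllib.request.Request(f"https://{hostname}:{port}/", method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.headers.get("Strict-Transport-Security")
    except urllib.error.HTTPError as err:  # a 302/404 still carries headers
        return err.headers.get("Strict-Transport-Security")


if __name__ == "__main__":
    host = sys.argv[1]  # use the SEPM hostname, not its IP address
    for port, min_age in EXPECTED_MIN_MAX_AGE.items():
        print(port, check_hsts(fetch_hsts(host, port), min_age) or "OK")
```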

Additional Information

Additional Information on HSTS for port 8446:

While it is possible to enable HSTS on port 8446, the configuration has no practical effect. HSTS exists to direct a client to use only HTTPS when communicating with a specific service. The SEPM API Service (running on port 8446) responds only to HTTPS traffic by default and does not respond to HTTP traffic at all, so the HSTS header is meaningless to the client, which must already use HTTPS regardless.