Configuring the Symantec Endpoint Encryption Management Server
If the Symantec Endpoint Encryption Management Server wizard does not automatically, you can manually start the SEEMS Configuration Wizard by running the SEEMS Configuration Manager to set up your directory service synchronization and configure the Web service.
Note:You must complete the wizard before you can synchronize your directory services and create your client installation packages. You can use the SEEMS Configuration Manager to change these settings later.
If the SEEMS Configuration Wizard does not launch automatically after the installation wizard has completed, you can also manually start the wizard by running the SEEMS Configuration Manager on the Symantec Endpoint Encryption Management Server.
Configuring the Symantec Endpoint Encryption Management Server includes the following steps:
- Specifying your directory service
- Configuring the directory service for synchronization
- Configure the Web service for the server
Directory service synchronization lets you keep the database current with the information in your directory services. This synchronization lets you use the Management Console to apply policies according to your organization's directory Organizational Units and containers.
Use the Directory Service Synchronization Options page to select the directory services to synchronize with the Symantec Endpoint Encryption database.
To specify the directory service:
- Place a check mark on the Directory Service Synchronization Options page to indicate that you want to synchronize your directory service.
- Configure the following options:
- If you want to control if the synchronization service should automatically run at boot time, use this option.
- If you want the service to run automatically and synchronize at boot time, choose Automatic.
- If you do not want the service to run automatically and synchronize at boot time, choose Manual.
- To control whether this server should act as a primary synchronizer or a secondary synchronizer, use this option.
- If you plan to deploy only one Symantec Endpoint Encryption Management Server, the server automatically synchronizes with the directory services.
- It synchronizes regardless of whether you configure it to act as a primary synchronizer or a secondary synchronizer.
- Click Next.
Configuring the directory service synchronization
If you choose to synchronize your directory service, the Directory Service Synchronization Configuration page is displayed.
Use this page to enter the configuration details about your Active Directory (AD). You can add additional or exclude domains from synchronization.
Configuring the Active Directory synchronization
To enter Active Directory configuration details:
- In the Active Directory Forest Name field, enter the name of the Active Directory forest that you want to configure.
- In the Preferred Global Catalog Server field, enter the Fully Qualified Domain Name (FQDN) of a global catalog server for the forest.
- In the Active Directory User Name, Password, and Confirm Password fields, enter the credentials of the Active Directory synchronization account.
- In the User Domain field, enter the NetBIOS name of the Active Directory synchronization account.
- Click Enable TLS/SSL to encrypt all synchronization traffic between Active Directory and the Symantec Endpoint Encryption Management Server. Make sure that you are in compliance with the prerequisites.
To exclude domains from synchronization:
If there are domains within your AD forests that do not contain Symantec Endpoint Encryption client computers, you can improve performance and usability, by excluding these domains from being synchronized.
- To exclude Active Directory domains from synchronization, click Configure Domain Filter.
- In the Include Computers from column on the left, select a domain that you want to exclude.
- To move a domain into the Exclude Computers from column, click >. When you exclude a parent domain, you also exclude all of the child domains of that domain.
Note: You can also choose to exclude the top level of the domain and then choose to only include the child domains that contain the Symantec Endpoint Encryption client computers.
- Click OK.
To add or remove Active Directory forests to synchronization:
- To synchronize with additional Active Directory forests, click Add. The status text on the top-right side of the Active Directory Forest Name field updates to display the number of forests.
- Enter the configuration information for the additional forest.
- To remove the configuration information for an AD Forest, select the desired forest and click Delete.
- To view the configuration information for the previous forest, click Prev.
^Jump to Top
Configuring the Web service
The SEEMS Configuration Wizard is used to configure the communications between the Symantec Endpoint Encryption Management Server and the client computers. You set the protocol and the port that will be used for communication.
Note: If you intend to use SSL, then you also provide the communication certificates. See the article “About configuring TLS/SSL communications for Symantec Endpoint Encryption”. TECH225339
To configure the Web service:
- In the Web Service Configuration dialog box, enter the name of the web server in the Web Server Name field.
Note: The name field is pre-filled with the NetBIOS name of the computer that hosts the Symantec Endpoint Encryption Management Server.
If using HTTPS communication between the server and client computers, the name must match the common name (CN). You specify the common name (CN) in the server-side TLS/SSL certificate.
You must modify this field to include the fully qualified domain name (FQDN) under the following circumstance:
If DNS configuration issues prevent the NetBIOS name from resolving, an FQDN is more appropriate for your network environment.
- In the IIS Client Account Credentials section, enter the credentials and domain of the IIS client account.
- In the Protocol section, select to use either HTTP or HTTPS for communications.
- Use HTTP if you do not want to encrypt server - client communications. In the HTTP port field, enter the number of the TCP port on the Symantec Endpoint Encryption Management Server to use for client communication. By default, the port is 80.
- To encrypt client communication with server, click HTTPS. In the HTTPS port field, enter the TCP port on the Symantec Endpoint Encryption Management Server to use for communication. By default, the port is 443.
- (If using HTTPS) In the Client Computer Communications section, next to the Client-Side CA Certificate field, click Browse.
- In the Choose SSL certificate file dialog box, the available certificates are displayed from the personal certificate store of the local computer.
- Select the client-side CA certificate that the client computers use for encrypted communication with the server, and click Open.
- After you click Open, the dialog box should display the certificate hash string under the Browse button.
- (If using HTTPS) In the Client Computer Communications section, next to the Server-Side TLS/SSL Certificate field, click Browse.
- In the Certificate selection dialog box, the available certificates are displayed from the personal certificate store of the local computer. Select the server-side TLS/SSL certificate that the server's Web service uses, and click OK. After you click OK, the dialog box should display the certificate hash string under the Browse button.
Note: When you select the certificate, you also assign it to the Symantec Endpoint Encryption Services web site through the IIS Manager snap-in.
- Click Finish.
- Click Restart if prompted.
^Jump to Top
Note: Once these steps are complete, see article HOWTO101989 for how to verify the installation of Symantec Endpoint Encryption.
If you are unable to open the SEE Configuration Manager properly, or Symantec Encryption Management Server, see the following article:
220948 - Symantec Endpoint Encryption Management Server OR Symantec Endpoint Encryption Configuration Manager does not open properly