HOW TO: Install/Upgrade Symantec Endpoint Encryption Management Server (SEE Management Server)

Products

Desktop Email Encryption Drive Encryption Encryption Management Server Endpoint Encryption File Share Encryption Gateway Email Encryption PGP Command Line PGP Key Management Server PGP Key Mgmt Client Access and CLI API PGP SDK

Issue/Introduction

Symantec Endpoint Encryption provides a robust solution to Drive Encryption (AKA Full Disk Encryption) for laptops and desktop and as well as Removable Media Encryption needs, such as USB drives, Bluray and similar media.

Symantec Encryption Management Server runs on a Standard Windows Server Operating system.

You can have multiple management servers, which share the same database. This article will help cover the basics of this setup and helpful utilities to make your life easier during installation.

For information on how to install the SEE Client, see the following article:

252118 - Installing the Symantec Endpoint Encryption Client (SEE Client)

Environment

Symantec Endpoint Encryption Management Server can be installed on Windows Server platforms as specified in the System Requirements. The System Requirements page provides a wealth of information that is always useful to review, such as SQL Server version requirements and the like.

Important Note: Only US English Operating Systems are supported. All other Windows Server languages are untested and are not supported.
EPG-29439

Resolution

Before attempting to upgrade your SEE Management Server, it's a good idea to take a backup of your SQL SEEMS Database.
Also, if you can take a snapshot of the system before doing so, this will make it easy to revert back if needed.

161187 - Best Practices for Disaster Recovery with Symantec Endpoint Encryption Management Server (SEE Management Server)

In order to install Symantec Endpoint Encryption for the first time, you will need the Sysadmin and public permissions to create a new database.
Once the database is installed and created, you will not longer need to be Sysadmin. Future upgrade require only DB Owner (db_owner) permissions.

Once the installation has been completed, for the database user that will be used for the Symantec Endpoint Encryption day-to-day operations, you need only the following permissions:

• db_datareader
• db_datawriter
• public

SQL Permissions and SQL Groups:
*SQL permissions must be provided to individual users and those individuals can then be used for the database accounts configured for the SEE Management Server.
*In other words, SQL users will not be granted DB access if they are part of only a security group that was provided DB access--the user itself must be provided DB access.
*The database user doing the installation must also be granted permissions to the specific SEEMS Database. Even if someone is Sysadmin, but not granted the permission on the SEEMS database, the SEE install will fail (EPG-26441).

Note for SEE 11.4 MP1HF1 and above: Database Access and Active Directory Hardening: While installing or upgrading the Symantec Endpoint Encryption Management Server, domain user credentials provided on the Database Access screen are successfully validated against the hardened Active Directory (with LDAP signing policy enabled). [EPG-27643]

The SQL Server requires the two following downloads:
• The Microsoft SQL Server Feature Pack
• The MSOLEDBSQL driver

For the Feature Pack, download the following software from the specified URL:
• Microsoft System CLR Types for SQL Server 2012 (32-bit)
• Microsoft SQL Server 2012 (32-bit) Management Objects

NOTE: You require these pre-requisites only when you upgrade the Management Console on a Windows Server computer.
https://www.microsoft.com/en-us/download/details.aspx?id=56041

For the MSOLEDBSQL driver (OLE DB\OLEDB Driver), download the driver from this URL:
https://docs.microsoft.com/en-us/sql/connect/oledb/download-oledb-driver-for-sql-server?view=sql-server-ver15

Note: If you have installed the Version 19.0 OLE DB driver and the installer still provides a message stating it is not installed, you can install version 18.6 as a workaround.

Symantec Endpoint Encryption 12 installations or upgrades
Additional packages are required compared to SEE 11, however, this section will show you which packages are needed to help streamline the rest of the process.

Consideration 1: If you are on Symantec Endpoint Encryption 11.3.1 or higher, upgrade directly to SEE version 12 using the steps below.

Consideration 2: If you are on Symantec Endpoint Encryption 11.0.x through 11.3.0, you must first upgrade to SEE 11.4 MP2, and then upgrade to SEE 12 from there.

In other words, first update to 11.4 MP2 the server side (from 11.0.x through 11.3.0), and then upgrade the server to SEE 12 using the steps below.

Consideration 3: If you are using SQL Server 2012, before performing the upgrade to SEE version 12, update to a newer version.

SEE 12 now supports SQL Server 2022. SQL Server 2012 may produce an error if you attempt to upgrade:

"1: Incorrect syntax near 'OFFSET'.
Invalid usage of the option NEXT in the FETCH statement"

IMPORTANT TIP for SEE 11.4 install/upgrade: We have an excellent tool that will both check if the features are enabled and tell you what is missing, and then **install them for you** (When run as administrator). If you would like this tool, please contact our Symantec Encryption Support team and we will be happy to provide the tool for you.
This tool makes it extremely easy to get all these features installed and enabled. The name of this tool is called "CheckRolesFor_11_3_1_Plus.exe".

If you are already on SEE 11.3.1 or above, you can upgrade to SEE 12 using the steps below.
SEE 12 is recommended due to all the improvements available in this release.

If you are on SEE 11.4, proceed to step one here.

Step 1: First, there are four Net packages you will need to install:

Prerequisites Item 1: .Net Desktop Runtime 6
https://dotnet.microsoft.com/en-us/download/dotnet/6.0

Prerequisites Items 2 and 3: ASP.Net Core Runtime 6 (64-bit Installer) & ASP.Net Core Runtime 6 Hosting Bundle:

https://dotnet.microsoft.com/en-us/download/dotnet/6.0

Prerequisites Item 4: NET Framework 4.8 Runtime

https://dotnet.microsoft.com/en-us/download/dotnet-framework

NOTE: If you get an unsupported platform error when installing .NET Framework 4.8.1, you can use .NET Framework 4.8.

Once you click on the above ".NET Framework 4.8.1", you will then be able to download an "online" or "Offline" version.
For this example, we will get the offline version for a lab that is disconnected from the internet.

You will then be taken to the below screen:

Step 2: Once you have all of these available, install them and reboot the Windows Server.

Step 3: In the SEE Management Server Download that you downloaded via the download portal, there is a new utility called "SEEMS_Install_PreRequisites_Verifier.exe":

Run this .exe as administrator and it will check to make sure any missing packages are then installed:

If any of the needed packages or roles are needed, a pop-up will appear, such as the following:

These packages must be downloaded and installed manually, similar to the OLEDB and SQL Management Objects. Once these are installed, reboot the system and run the "SEEMS_Install_PreRequisites_Verifier.exe" tool again.

Step 4: Keep running the tool until you have all the prerequisites installed and receive the following message:

Step 5: Once you receive the above, you are ready to install the SEE Management Server version 12.

Step 6: Once you have installed the server, and finished the SEEMS Configuration Wizard's Post Install Configuration, you will then be able to login to the new SEE 12 Web Portal.

The new SEE 12 Web Portal includes Client Creation, Groups, and Policies management, as well as significantly improved reporting.

To access the new portal, click on the Start Menu, and select Symantec Endpoint Encryption and then "SEE Management Console".

For more information on the new web portal, see the following article (Includes information on licensing):

240649 - Symantec Endpoint Encryption 11.4 Licensing, Dashboard and Reports

Go to Start > Programs > Administrative Tools > Server Manager.
In the Dashboard, click Add roles and features.
In the Add Roles and Features Wizard, click Next.
In the Installation Type page, click Role-based or feature-based installation and then click Next.
In the Server Selection page, make the selection that matches your environment and then choose your server and click Next.
In the Server Roles page, select Web Server (IIS).
In the Add Roles and Features Wizard window, click Include management tools and then click Add Features.
Click Next.
In the Features page, expand .NET Framework 4.7 Features and check .NET Framework 4.7 and ASP.NET 4.7.
In the Features page, check Group Policy Management.
In the Features page, expand Remote Server Administration Tools > Role Administration Tools and check AD DS and AD LDS Tools.
Click Next.
In the Web Server Role (IIS) page, click Next.
In the Role Services page, expand Web Server > Security and select Basic Authentication and Windows Authentication.
In the Role Services page, expand Web Server > Application Development and check the following:

.NET Extensibility 4.7
ASP .NET 4.7
ISAPI Extensions
ISAPI Filters

In the Role Services page, expand Management Tools and check the following:

IIS Management Console
IIS 6 Management Compatibility (check all four entries)
IIS Management Scripts and Tools

Click Next.
In the Confirmation page, click Install.
In the Results page, click Close.

You will also need to install the IIS role on the server in order to be able to use the Web Service for communications as well as some additional roles.

For a comprehensive list of all these items needed for the installation, see our help page and Installation/Admin Guide.

If you need any assistance installing the Symantec Endpoint Encryption Server, please feel free to reach out to our Encryption Support team and we are happy to assist.

Symantec Encryption Manager on standard Windows Operating Systems, such as Windows 10.

Some situations may necessitate installing the Symantec Endpoint Encryption Management Server (SEEMS) Console on a computer other than the server it was originally installed on.

This is useful if you want administrators to run reports, create SEE Clients, or manage Helpdesk recovery without allowing access to the actual Symantec Endpoint Encryption Management Server.

Prerequisites: Additional database configuration is required to allow access for each user and must be done on the SQL Server by a database administrator. See article TECH254548for more information. The steps in the preceding article should be completed before following this tutorial.

In order to install the SEEMS console on a non-server operating system (OS), perform the following steps:

Log into Windows as one of the users granted database permissions, following the article above.
Download the Symantec Endpoint Encryption package. Be sure to use the same version currently being used in production for SEEMS.
- In this example, the SEEMS has 11.2.1 HF1 installed, thus we will install 11.2.1 HF1 on our Windows 10 computer.
- This package is the exact same package used to install the software on a Windows Server. It can be copied over from the server's downloads folder, or downloaded from the MySymantec product portal.
Once downloaded, unzip the folder.
Double click on SEE Server suite x64 if you are using a 64-bit OS, or SEE Server Suite if you are using a 32-bit OS.
Once the program opens, click Next.
Read the information on this screen and click Next again.
Read the End User License Agreement, click the button next to I accept the terms in the license agreement, and click Next.
Click Complete or Custom depending on what type of installation you would like.
- Most situations will want to click Complete.
Select the type of authentication you would like to use.
- None (password authentication only) means a password will be used for authentication upon SEE client package creation.
- Personal Identity Verification (PIV) means a card/token can be used for authentication upon SEE client package creation.
  Note: This feature is not for PIV authentication for SEEMS.
Ensure the Use SEE Server box is checked if you would like the SEEMS console to communicate with an existing SEE database.

Note: If you enter the information above and click next, and nothing happens, this is normal behavior. Click Next again and it'll take you to the next page. There is a prereq check happening at this start and the first click starts that, and the next click does the next portion. This will be addressed in a future release (EPG-26453).
Type in the database name in the Database Instance field, or click Browse to search for the database instance.
Once the Database Instance has been selected, ensure the proper Database Name is inserted in the next field.
- SEEMSDb is the default SEE database name.
Enable TLS/SSL communication as directed by your SEEMS administrator.
Note: This may require additional configuration, which will not be covered in this tutorial.
Enter the correct port as directed by your SEEMS Administrator which the SEEMS console and the database will use for communication. The default port is 1433.
Note: This may require additional configuration, which will not be covered in this tutorial.
As the user account currently being used to login to windows was provisioned for SEEMS database access, keep the authentication method as Windows Authentication and click Next.
If this step did not work, see KB article 174725 to ensure all prerequisites have been completed successfully.
Enter the SEE Management Password as directed by your SEEMS administrator and click Next.
Click Install.
After the installation is complete, click Finish.

Validating Access with Your Account

Now that the installation process has now completed, confirm the SEEMS console is working properly with the following steps:

Open the Start Menu and open Symantec Endpoint Encryption Manager in the programs list:
Expand the various snap-ins and ensure they work as expected.
To ensure the database communication is working as expected, expand the Symantec Endpoint Encryption Reports snap-in and run a report
- The following screen shot shows the Computer Status Report being successfully run (the % is a wildcard, showing all computers):

Troubleshooting

Scenario 1: Can't get passed the SEE Database Account page on the installer.

There have been some instances where the SEE Management Server install will not proceed beyond the database page even thought the proper database permissions have been configured.
As mentioned, you will need at least db_owner permissions, but if that requirement is met, and the installer fails, you can install the SEE Management Server in msiexec verbose mode to output a log file.

To do this, use the following sytax:

msiexec /i SEEServerSuite.msi /l*vx c:\SEEMS-install.log

Start the installer and then check this log when you encounter the error and see if this will provide additional insight.

As test, instead of using the "Create New Database" option, if that is failing, try using the option "Create a new login"

In some database environments, this may actually work out better and during this portion, you will then be able to install.

If you have an existing database and you are not sure if you are making any connections, check the MS SQL logging to see if a logging event has been made.
Even if the database screen page fails, if you see logging, then you know the ports should be open.

If there is no logging, ensure the ports are not blocked.

Sometimes it's useful to enter in port 1433 under the custom port, even if this is the standard port being used.

Scenario 2: Not sure if the connection is getting to the MS SQL server from the SEE Management Server during install

If you are running into issues, you can create a test file to help with the validation of connectivity. For more information on this, see the following article:

If you are unable to open the SEE Configuration Manager properly, or Symantec Encryption Management Server, see the following article:

220948 - Symantec Endpoint Encryption Management Server OR Symantec Endpoint Encryption Configuration Manager does not open properly

Scenario 3: Unable to upgrade Symantec Encryption Management Server with error "Execution Timeout Expired" The Timeout period elapsed prior to completion of the operation or the server is not responding"

If you are doing the installation of SEE Management Server, there is a timeout value configured of 10 minutes for all operations to complete.
If you are running into this condition, please reach out to Symantec Encryption Support for further guidance.

EPG-28774

Scenario 3: Can't get passed the SEE Management Server install with Smart Card popup.

If this is seen, you may need to login to the Windows Server with a password (unplug any smartcards) to perform the install.

This may be due to Windows Security GPOs requiring Smartcards. The SEE Management Server does not require PIV cards to be used for installation.
If you continue running into this issue, please reach out to Symantec Encryption Support for Further Guidance.