Symantec Endpoint Encryption provides a robust solution to Drive Encryption (AKA Full Disk Encryption) for laptops and desktop and as well as Removable Media Encryption needs, such as USB drives, Bluray and similar media.
Symantec Encryption Management Server runs on a Standard Windows Server Operating system.
You can have multiple management servers, which share the same database. This article will help cover the basics of this setup.
IMPORTANT TIP! Ask us about our Check Roles Tool that will make the installation of Symantec Endpoint Encryption Management Server simple and seamless! This is an excellent tool that will both check if the features are enabled and tell you what is missing, and then **install them for you** (When run as administrator). Please contact our Symantec Encryption Support team and we will be happy to provide the tool for you. This tool makes it extremely easy to get all these features installed and enabled. The name of this tool is called "CheckRolesFor_11_3_1_Plus.exe".
For information on how to install the SEE Client, see the following article:
252118 - Installing the Symantec Endpoint Encryption Client (SEE Client)
Symantec Endpoint Encryption Management Server can be installed on Windows Server platforms as specified in the System Requirements. The System Requirements page provides a wealth of information that is always useful to review, such as SQL Server version requirements and the like.
Important Note: Only US English Operating Systems are supported. All other Windows Server languages are untested and are not supported.
EPG-29439
In order to install Symantec Endpoint Encryption for the first time, you will need the Sysadmin and public permissions to create a new database. Once the database is installed and created, you will not longer need to be Sysadmin.
For the database user that will be used for the Symantec Endpoint Encryption day-to-day operations, you need only the following permissions:
• db_datareader
• db_datawriter
• public
For future upgrades of Symantec Endpoint Encryption, you can be db_owner and perform the installation without the need to be Sysadmin.
SEE 11.4 MP1HF1 Note for Database Access and Active Directory Hardening: While installing or upgrading the Symantec Endpoint Encryption Management Server, domain user credentials provided on the Database Access screen are successfully validated against the hardened Active Directory (with LDAP signing policy enabled). [EPG-27643]
Note on SQL Permissions and SQL Groups:
*SQL permissions must be provided to individual users and those individuals can then be used for the database accounts configured for the SEE Management Server.
*In other words, SQL users will not be granted DB access if they are part of only a security group that was provided DB access--the user itself must be provided DB access.
*The database user doing the installation must also be granted permissions to the specific SEEMS Database. Even if someone is Sysadmin, but not granted the permission on the SEEMS database, the SEE install will fail (EPG-26441).
The SQL Server requires the two following downloads:
• The Microsoft SQL Server Feature Pack
• The MSOLEDBSQL driver
For the Feature Pack, download the following software from the specified URL:
• Microsoft System CLR Types for SQL Server 2012 (32-bit)
• Microsoft SQL Server 2012 (32-bit) Management Objects
NOTE: You require these pre-requisites only when you upgrade the Management Console on a Windows Server computer.
https://www.microsoft.com/en-us/download/details.aspx?id=56041
For the MSOLEDBSQL driver (OLE DB\OLEDB Driver), download the driver from this URL:
https://docs.microsoft.com/en-us/sql/connect/oledb/download-oledb-driver-for-sql-server?view=sql-server-ver15
Note: If you have installed the Version 19.0 OLE DB driver and the installer still provides a message stating it is not installed, you can install version 18.6 as a workaround.
IMPORTANT TIP! If the above seems like a lot of stuff to install, we have an excellent tool that will both check if the features are enabled and tell you what is missing, and then **install them for you** (When run as administrator). If you would like this tool, please contact our Symantec Encryption Support team and we will be happy to provide the tool for you. This tool makes it extremely easy to get all these features installed and enabled. The name of this tool is called "CheckRolesFor_11_3_1_Plus.exe".
Prerequisite Roles Server 2019:
On Microsoft Windows Server 2019
To enable the Web service (IIS) role on a Microsoft Windows 2019 Server
1. Go to Start > Programs > Administrative Tools > Server Manager.
2. In the Dashboard, click Add roles and features.
3. In the Add Roles and Features Wizard, click Next.
4. In the Installation Type page, click Role-based or feature-based installation and then click Next.
5. In the Server Selection page, make the selection that matches your environment and then choose your server and
click Next.
6. In the Server Roles page, select Web Server (IIS).
7. In the Add Roles and Features Wizard window, click Include management tools and then click Add Features.
8. Click Next.
9. In the Features page, expand .NET Framework 4.7 Features and check .NET Framework 4.7 and ASP.NET 4.7.
10. In the Features page, check Group Policy Management.
11. In the Features page, expand Remote Server Administration Tools > Role Administration Tools and check AD
DS and AD LDS Tools.
12. Click Next.
13. In the Web Server Role (IIS) page, click Next.
14. In the Role Services page, expand Web Server > Security and select Basic Authentication and Windows
Authentication.
15. In the Role Services page, expand Web Server > Application Development and check the following:
• .NET Extensibility 4.7
• ASP .NET 4.7
• ISAPI Extensions
• ISAPI Filters
16. In the Role Services page, expand Management Tools and check the following:
• IIS Management Console
• IIS 6 Management Compatibility (check all four entries)
• IIS Management Scripts and Tools
17. Click Next.
18. In the Confirmation page, click Install.
19. In the Results page, click Close.
You will also need to install the IIS role on the server in order to be able to use the Web Service for communications as well as some additional roles.
For a comprehensive list of all these items needed for the installation, see our help page and Installation/Admin Guide.
If you need any assistance installing the Symantec Endpoint Encryption Server, please feel free to reach out to our Encryption Support team and we are happy to assist.
Symantec Encryption Manager on standard Windows Operating Systems, such as Windows 10.
Some situations may necessitate installing the Symantec Endpoint Encryption Management Server (SEEMS) Console on a computer other than the server it was originally installed on.
This is useful if you want administrators to run reports, create SEE Clients, or manage Helpdesk recovery without allowing access to the actual Symantec Endpoint Encryption Management Server.
Prerequisites: Additional database configuration is required to allow access for each user and must be done on the SQL Server by a database administrator. See article TECH254548for more information. The steps in the preceding article should be completed before following this tutorial.
In order to install the SEEMS console on a non-server operating system (OS), perform the following steps:
Validating Access with Your Account
Now that the installation process has now completed, confirm the SEEMS console is working properly with the following steps:
Scenario 1: Can't get passed the SEE Database Account page on the installer.
There have been some instances where the SEE Management Server install will not proceed beyond the database page even thought the proper database permissions have been configured.
As mentioned, you will need at least db_owner permissions, but if that requirement is met, and the installer fails, you can install the SEE Management Server in msiexec verbose mode to output a log file.
To do this, use the following sytax:
msiexec /i SEEServerSuite.msi /l*vx c:\SEEMS-install.log
Start the installer and then check this log when you encounter the error and see if this will provide additional insight.
As test, instead of using the "Create New Database" option, if that is failing, try using the option "Create a new login"
In some database environments, this may actually work out better and during this portion, you will then be able to install.
If you have an existing database and you are not sure if you are making any connections, check the MS SQL logging to see if a logging event has been made.
Even if the database screen page fails, if you see logging, then you know the ports should be open.
If there is no logging, ensure the ports are not blocked.
Sometimes it's useful to enter in port 1433 under the custom port, even if this is the standard port being used.
Scenario 2: Not sure if the connection is getting to the MS SQL server from the SEE Management Server during install.
If you are running into issues, you can create a test file to help with the validation of connectivity. For more information on this, see the following article:
If you are unable to open the SEE Configuration Manager properly, or Symantec Encryption Management Server, see the following article:
220948 - Symantec Endpoint Encryption Management Server OR Symantec Endpoint Encryption Configuration Manager does not open properly
Scenario 3: Unable to upgrade Symantec Encryption Management Server with error "Execution Timeout Expired" The Timeout period elapsed prior to completion of the operation or the server is not responding"
If you are doing the installation of SEE Management Server, there is a timeout value configured of 10 minutes for all operations to complete.
If you are running into this condition, please reach out to Symantec Encryption Support for further guidance.
EPG-28774
ISFR-1692, EPG-22805, EPG-26441, EPG-26443, EPG-26453
SEE Management Server:
240649 - Symantec Endpoint Encryption 11.4 Dashboard and Reports
227219 - Making Symantec Endpoint Encryption Management Server Public Facing
152737 - Minimum Database Permissions for Symantec Endpoint Encryption Administrators
161258 - User and System Accounts Required by Endpoint Encryption
178363 - How to: Set up Database Access Account Rights - Symantec Endpoint Encryption
174725 - Grant Additional Administrators Access to Endpoint Encryption Manager Server Console
SEE Client:
252118 - Installing the Symantec Endpoint Encryption Client (SEE Client)