Symantec Endpoint Protection Manager uses a certificate to authenticate communications between it and the Symantec Endpoint Protection clients. The certificate also digitally signs the policy files and installation packages that the clients download from it. The clients store a cached copy of the certificate in the management server list. If the certificate is corrupted or invalid, the clients cannot communicate with the server. If you disable secure communications, the clients can still communicate with the server, but they no longer authenticate the communications that come from the management server.
You disable secure communications to update the certificate in the following situations:
Note: If the certificate is corrupted but otherwise still valid, you can perform disaster recovery as a best practice.
See Disaster recovery best practices for Endpoint Protection.
After you update the certificate and the clients check in and receive it, enable secure communications again.
When you update the certificate on a site with multiple management servers and use failover or load balancing, the certificate updates on the management server list. During the process of failover or load balancing, the client receives the updated management server list and the new certificate.
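The following walkthrough is an added example and is not Symantec's code; it models the client-side trust decision the paragraphs above describe so the effect of disabling secure communications is visible. It assumes the server certificate can be stood in for by an Ed25519 public key that the client pins (the real product uses an X.509 certificate), and the type and function names (ManagementServer, Client, ApplyPolicy, Heartbeat, RotationScenario) are hypothetical. A client with a stale cached certificate rejects a signed policy while secure communications is enabled, applies it without authentication while the setting is disabled, and verifies it again once a check-in has delivered the updated management server list and the setting is re-enabled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Certificate stands in for the server certificate cached in the client's
// management server list (assumption: an Ed25519 public key, not X.509).
type Certificate = ed25519.PublicKey

// ManagementServer holds the private key that signs policy files and packages.
type ManagementServer struct {
	priv ed25519.PrivateKey
	Cert Certificate
}

// NewManagementServer creates a server with a fresh certificate; calling it a
// second time models updating the server certificate.
func NewManagementServer() (*ManagementServer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ManagementServer{priv: priv, Cert: pub}, nil
}

// SignedPolicy is a policy file plus the server's signature over it.
type SignedPolicy struct {
	Body []byte
	Sig  []byte
}

func (s *ManagementServer) SignPolicy(body []byte) SignedPolicy {
	return SignedPolicy{Body: body, Sig: ed25519.Sign(s.priv, body)}
}

// ManagementServerList is the client's cached list, which carries the certificate.
type ManagementServerList struct{ Cert Certificate }

// Client models an endpoint: its cached list and the group setting
// "Enable secure communications between the management server and clients".
type Client struct {
	Cached      ManagementServerList
	SecureComms bool
}

var ErrUnauthenticated = errors.New("policy does not verify against the cached certificate")

// ApplyPolicy is the client's decision on a downloaded policy file: applied
// reports whether it took effect, authenticated whether its signature verified.
func (c *Client) ApplyPolicy(p SignedPolicy) (applied, authenticated bool, err error) {
	// A missing cached certificate counts as a mismatch instead of panicking in Verify.
	ok := len(c.Cached.Cert) == ed25519.PublicKeySize && ed25519.Verify(c.Cached.Cert, p.Body, p.Sig)
	switch {
	case ok:
		return true, true, nil
	case c.SecureComms:
		return false, false, ErrUnauthenticated // stale or corrupted certificate: refused
	default:
		return true, false, nil // secure communications off: applied but not authenticated
	}
}

// Heartbeat models a check-in in which the client receives the current list and certificate.
func (c *Client) Heartbeat(s *ManagementServer) { c.Cached = ManagementServerList{Cert: s.Cert} }

type StepResult struct {
	Step          string
	Applied       bool
	Authenticated bool
}

// RotationScenario walks through the certificate update: stale cache, secure
// communications disabled, client check-in, secure communications re-enabled.
func RotationScenario() ([]StepResult, error) {
	original, err := NewManagementServer()
	if err != nil {
		return nil, err
	}
	client := &Client{SecureComms: true}
	client.Heartbeat(original) // enrolment caches the original certificate

	updated, err := NewManagementServer() // certificate updated on the server
	if err != nil {
		return nil, err
	}
	policy := updated.SignPolicy([]byte("firewall-rules: v2")) // constructed sample body

	var out []StepResult
	record := func(step string, p SignedPolicy) {
		applied, auth, _ := client.ApplyPolicy(p)
		out = append(out, StepResult{step, applied, auth})
	}
	record("stale certificate, secure communications enabled", policy)
	client.SecureComms = false
	record("stale certificate, secure communications disabled", policy)
	client.Heartbeat(updated) // client checks in and receives the new certificate
	client.SecureComms = true
	record("new certificate cached, secure communications enabled", policy)
	// A modified body no longer matches the signature once authentication is back on.
	record("tampered policy, secure communications enabled",
		SignedPolicy{Body: []byte("firewall-rules: v2 (modified)"), Sig: policy.Sig})
	return out, nil
}

func main() {
	results, err := RotationScenario()
	if err != nil {
		panic(err)
	}
	for _, r := range results {
		fmt.Printf("%-55s applied=%-5t authenticated=%t\n", r.Step, r.Applied, r.Authenticated)
	}
}
```

The second step is the point of the warning in this article: while the setting is disabled, every policy the client applies is unauthenticated, which is why the setting should be re-enabled as soon as the clients have checked in and cached the new certificate.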
Note: Steps 1 through 5 apply only to version 14 and later. If you use 12.x, start with step 6.
To re-enable the original settings, wait at least three heartbeat cycles, recheck "Enable secure communications between the management server and clients by using digital certificates for authentication", and then reassign the original management server list back to your groups.
Warning: Due to a change in the communication module, client versions 14.2.x cannot use this method to update the server certificate. To avoid breaking communication with these clients, use the single management server site procedure for these client versions, even for multi-management server sites.
Legacy Symantec KB ID: TECH123518