How does the P2P Authentication feature work in Endpoint Protection client?
When this feature is enabled in the Firewall policy, the SEP client starts the Symantec Network Access Control (SNAC) service. This service has a startup type of Manual and does not run unless P2P Authentication is enabled.
When Client A tries to access Client B, Client B blocks the traffic and begins authenticating Client A. Authentication has two phases. Phase one verifies that Client A has the required SEP agent installed and running. Only if phase one succeeds does phase two begin: Client B obtains and checks the compliance status of Client A. If the compliance status is positive, Client B allows the traffic; if it is negative, Client B continues to block traffic from Client A.
For P2P Authentication, compliance status is based on the Host Integrity (HI) check result. If the HI check passes, the compliance status is positive; if the HI check fails, the compliance status is negative. An administrator can also configure HI checking to be disabled or ignored; when the HI result reports that HI is disabled or ignored, the compliance status is still treated as positive. In that configuration only phase one (presence of the required SEP agent) effectively gates the traffic.
If phase one fails, meaning Client A has no SEP agent installed or the installed agent is not the required one (P2P requires that Client A belong to the same company as Client B; this company identification feature will be implemented in the final version), authentication fails and no phase two exchange is started.
If phase one succeeds, phase two runs to obtain the final authentication result. After that, Client B sends a Keep-Alive packet periodically, each time the configured allow time expires, and Client A must reply with its latest HI status. Note that even if the HI result obtained in phase two is negative, the Keep-Alive session still continues. If Client A does not respond to a Keep-Alive packet sent by Client B, the Keep-Alive session stops and the block phase applies (described in the block section). In addition, if the P2P session times out (a final-version feature: no packet other than authentication or Keep-Alive packets is received from Client A within the configured session time), Client B releases the P2P session associated with Client A.
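The following Python model is added here as an illustration of the enforcing client's (Client B's) decision logic described above; it is not Symantec's code and does not model the real SNAC wire protocol or packet format. It encodes the two authentication phases, the HI-based compliance rule (pass or disabled/ignored is positive, fail is negative), the periodic Keep-Alive re-evaluation that continues even after a negative result, the block on a missing Keep-Alive reply, and the session release on timeout. The Peer fields, the company_id check (a planned feature according to the text), the event names and the timeline values are all assumptions made for the example.

```python
"""Model of SEP P2P Authentication as seen from the enforcing client (Client B).

Constructed example; the real SNAC message format on UDP 39999 is not modelled.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class HIStatus(Enum):
    """Host Integrity result that Client A reports to Client B."""
    PASS = "pass"
    FAIL = "fail"
    DISABLED = "disabled"   # HI checking disabled or ignored by the administrator


class Decision(Enum):
    ALLOW = "allow"
    BLOCK = "block"


@dataclass
class Peer:
    """What Client B learns about Client A during the handshake (constructed model)."""
    has_sep_agent: bool
    company_id: Optional[str]      # hypothetical field for the planned company identification
    hi_status: Optional[HIStatus]  # None models a peer that never answers phase two


def phase1_agent_check(peer: Peer, my_company: str) -> bool:
    """Phase one: the peer must run a SEP agent belonging to the same company as Client B."""
    return peer.has_sep_agent and peer.company_id == my_company


def compliance_positive(hi: HIStatus) -> bool:
    """Phase two rule: HI pass, or HI disabled/ignored, counts as compliant; HI fail does not."""
    return hi in (HIStatus.PASS, HIStatus.DISABLED)


def authenticate(peer: Peer, my_company: str) -> Tuple[Decision, str]:
    """Client B's decision for a new peer: phase one first, phase two only if phase one passed."""
    if not phase1_agent_check(peer, my_company):
        return Decision.BLOCK, "phase1-failed"        # no phase two exchange is started
    if peer.hi_status is None:
        return Decision.BLOCK, "phase2-no-response"
    if compliance_positive(peer.hi_status):
        return Decision.ALLOW, "compliant"
    return Decision.BLOCK, "non-compliant"


def run_session(initial: Decision,
                keepalive_replies: List[Optional[HIStatus]],
                data_times: List[int],
                allow_time: int,
                session_timeout: int) -> List[Tuple[int, str]]:
    """Drive Client B's post-authentication behaviour over a constructed timeline (seconds).

    keepalive_replies: Client A's answer to the i-th Keep-Alive, which B sends at
                       t = (i + 1) * allow_time; None means no response at all.
    data_times:        arrival times of ordinary (non-auth, non-Keep-Alive) packets from A.
    Returns a trace of (time, event) tuples.
    """
    trace = [(0, f"auth:{initial.value}")]
    t = allow_time
    for reply in keepalive_replies:
        # Session timeout: no ordinary traffic from A for session_timeout seconds releases the session.
        last_traffic = max([d for d in data_times if d <= t], default=0)
        if t - last_traffic >= session_timeout:
            trace.append((t, "session-released"))
            return trace
        trace.append((t, "keepalive-sent"))
        if reply is None:
            # No answer to the Keep-Alive: the Keep-Alive session stops and the block phase applies.
            trace.append((t, "no-reply:block"))
            return trace
        # The Keep-Alive continues even when the current result is negative; each reply re-decides.
        decision = Decision.ALLOW if compliance_positive(reply) else Decision.BLOCK
        trace.append((t, f"hi:{reply.value}->{decision.value}"))
        t += allow_time
    return trace


if __name__ == "__main__":
    # Constructed peers: no agent, foreign company, HI fail, HI disabled/ignored.
    for p in (Peer(False, "acme", HIStatus.PASS), Peer(True, "other", HIStatus.PASS),
              Peer(True, "acme", HIStatus.FAIL), Peer(True, "acme", HIStatus.DISABLED)):
        print(p, "->", authenticate(p, "acme"))
    # A peer that failed HI at first and passes on the second Keep-Alive is re-allowed.
    for step in run_session(Decision.BLOCK, [HIStatus.FAIL, HIStatus.PASS], [5, 15], 10, 30):
        print(step)
```

The model deliberately keeps phase one and phase two as separate functions so the ordering the text describes is visible: a peer that fails phase one never reaches the HI check, while a peer whose HI is disabled or ignored is allowed on phase one alone. Timelines are in abstract seconds; the real allow time and session time are policy settings.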
The SNAC P2P code uses UDP port 39999 exclusively, so any firewall or network device between the two clients must permit UDP 39999 for the authentication and Keep-Alive exchange to succeed.