Follow the steps in this article to enable HTTPS communications between Symantec Endpoint Protection (SEP) clients and their managers.
Note: HTTPS communications is enabled on new installations of Symantec Endpoint Protection Manager (SEPM) 14. Migrations from 12.1 will use the HTTP/HTTPS communications settings from the previous version.
SEP clients communicate with their Symantec Endpoint Protection Manager (SEPM) through the SEPM Apache server. By default, the Apache server listens on port 8014 for unencrypted HTTP connections. Clients communicate with the SEPM Apache server by sending action codes, uploading logs and Operational State (OpState) data and downloading policy and content files. All policies and delta content updates downloaded by clients are digitally signed and/or encrypted by the manager. If you require a higher level of security, the SEPM Apache server can be configured to accept Transport Layer Security (TLS) and/or Secure Sockets Layer (SSL) encrypted HTTPS connections. This ensures that both the content of SEP communications is encrypted as well as the tunnel the communications are sent through.
Note: As of 12.1.6, the SEPM only accepts TLS connections. Clients on Windows versions that do not support TLS natively cannot communicate with a 12.1.6 or newer SEPM over HTTPS.
For more information on how Symantec Endpoint Protection uses encryption and certificates, see How Symantec Endpoint Protection uses encryption and certificates.
Enable HTTPS in Apache
Confirm HTTPS is enabled
Note: If you have not updated the manager with a Certificate Authority (CA) signed certificate and private key pair, the Web browser will present a warning that the certificate is not trusted. The same warning is presented when you attempt to access the Web site from a URL that is different than the subject name on the manager certificate. This is expected behavior.
Clients choose their manager based on the entries in their Management Server List (MSL). Create a new MSL, or edit an existing MSL to point clients to their manager(s) over SSL.
Create/Edit the Management Server List
Confirm client>server communications
The SEP client will download the updated MSL from the SEPM during its next heartbeat after the changes were made. During its next heartbeat, it will evaluate the new MSL to determine which manager to communicate with, and over which protocol to communicate. It can take up to three heartbeat intervals for clients to receive and apply the new communications settings policy.