How do I collect remotely from a Windows 2008 Server Domain Controller using an off-box agent / collector?
This is the recommended method of setting up the Microsoft Windows Vista collector. Please wait on installing the collector to the agent.
The collector is to be installed last
Things to note before starting. The following roles need to be installed on the server, otherwise you will be unable to add a certificate or collect from the Domain Controller.
Roles that are needed on the Windows 2008 Server Domain Controller
Note: Adding roles can be done in Server Manager > Role Summary > Add Roles
Making the necessary changes to the Windows 2008 Server Domain Controller
In order for the Symantec Security Information Manager (SSIM) 4.7 Event Agent to communicate with a Windows 2008 Server Domain Controller remotely, the following will need to be performed below.
Receiving a certificate
Adding a security descriptor
For the collector to access the Event Log through WinRM, a security descriptor must be added to the monitored Vista or Windows 2008 system. The security descriptor allows a particular named user to access WinRM services on that system. WinRM services must be enabled for the user that will be entered into in the Sensor configuration.
To add the security descriptor you must update the Windows Registry.
A default registry key entry can be found in utils/customsd.reg in the Microsoft Vista Event Collector Installation package. This registry key works for many environments but may not for all.
If you wish to use the default customsd.reg file, do the following.
If you merged the default customsd.reg key above, you have configured a security descriptor. You can proceed on to the firewall configurations.
If you are going to configure your sensor with a user other than "Administrator" you must follow these steps:
Configuring Windows Firewall to work with the collector
In the Windows Firewall, you must allow TCP ports inbound 80,443,636,5998.
Note: For further security you can specify the SSIM appliance as the destination IP for ports 443 and 636.
For port 5998, you can set the Source IP as the SSIM appliance. For ports 80 and 25 are for LiveUpdate and a rule can be setup to limit by the Symantec LiveUpdate servers hostnames.
Configuring WinRM to work with the collector
(See "Receiving a Certificate" above).
To configure WinRM to work with the collector
1. Type the following command at the command prompt to run WinRM with HTTP:
2. You may receive a message: "WinRM is not set up to allow remote access to this machien for management. The following changes must be made:..."
When the tool displays Make these changes, type:
3. At the prompt, type:
4. If you use a local account for monitored host name at the prompt, type:
Making the necessary changes to the 4.7 SSIM Agent
The Symantec Event Agent should already be installed on the machine that you intend to install the collector to.
If the agent is not yet installed
NOTE: The <cert-alias-name>
Installing the Collector: Running the install.bat
The Microsoft Vista and Microsoft Windows 2008 Server operating systems require
the user to run the install.bat from the Administrator command prompt. If the
user does not run the install.bat from the Administrator command prompt, the
installer does not have sufficient permissions to properly install the collector.
To run the install.bat