Tuesday, August 26, 2008

Week 35 Article 03 - Cannot login to Symantec Endpoint Protection Manager Console Aaargh!! But I solved it at last

The latest Symantec Corporate Antivirus product in the market is Symantec Endpoint Protection v11. Since almost all my customers are using Symantec for Antivirus protection, this year, as part of their upgrades, Symantec Endpoint Protection (SEP) was installed.

SEP is Symantec's attempt at controlling the client pcs using policys as found in Windows domains. If you were to look at the policy structure, it looks so familiar to the group policy found in Windows 2000.

Now, lately I have noticed that I am unable to login to the Symantec Endpoint Protection Manager (SEPM). This is the administration console for SEP, where you can monitor and roll out new clients, just to name a few functions. The message shown when I try logging on is as follows



Investigating further, I found that the Symantec Endpoint Protection Manager service was stopped. I restarted this but within a few seconds, it stopped again. Looking through the Windows event logs I found the following entries
EventID: 4096 Source: SemSrv
The Java Virtual Machine has exited with a code of -1, the service is being stopped.

EventID: 5 Source: SemSrv
The semsrv service has stopped.


After countless hours of trolling google for answers, I finally managed to get this solved myself. And as for Symantec support, well it would be good if they knew they product abit better!!

Listed below are the steps to rectify this problem.
1. Ensure that you have a copy of the SEPM installer
2. Be aware that you will have to re-add all clients to the server. Dont worry you dont have to reinstall the antivirus client. There is an easier way and I will tell you that towards the end of this document.
3. Check your IIS on the server hosting SEPM to see what website is currently using tcp port 80 for incoming traffic. The fix forces SEPM to use tcp port 80, thereby disrupting any other websites that might be expecting traffic on the same tcp port.
4. Go to Add/Remove Programs and click on Change beside Symantec Endpoint Protection Manager. When the uninstaller starts, click on Remove.
5. During the next few screens you will be asked if you want to remove the database files and the backup files. Leave these unticked.
6. Once the uninstall has finised, start the installer for SEPM.
7. When you come to the selection for selecting a Web Site, Use the default Web site is selected by default. Choose the one below that choice, which is Create a custom website.
8. Follow through with the default settings for the rest of the choices.
9. Once installed, you will be able to login to SEPM.
10. Now you have to go into IIS and change the listening port for the website that was originally listening on port 80. Once you have changed it, start this website and check to ensure that it comes up alright. If you still get an error saying that some other program is using the new tcp port but you are sure that none is (you did a netstat -a -o), then in the website properties, click on advanced beside the IP address to ensure that that website is not listening on multiple ports.
11.Now, you have to re-add all the clients back into your SEPM domain. This can be done using the steps listed in document found at http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007082009543848?Open&seg=ent

Have fun and yeah you can always email me your thanks at nivleshc@yahoo.com or just leave a nice comment.

Cya

2 comments:

Unknown said...

OK we were having the same issue. We tracked it down to a conflict of port allocation by TomCat.



Found that the service - Symantec Endpoint Protection Manager - would stop about 20 seconds after starting and an error in the event log as listed in this thread.

Searched through the logs at:

Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\logs

looked at catalina.out and found the message below:

StandardServer.await: create[8005]: java.net.BindException: Address already in use: JVM_Bind

Following advise from a Symantec KB:

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/e77298b64281e447ca25736800837709?OpenDocument



This stated to:

Cause:
This error, along with any similar error referencing a different port, indicates that another application or process has already been bound to this port. For errors relating to port 8005 or 9090, the conflict is probably the result of another application running it's own Tomcat server on the same machine. Some products that use Symantec Endpoint Protection 11.0 Ports: IM Manager - Port 9090; Sonicwall ViewPoint - Port 8005; Symantec BrightMail AntiSpam 6.0.x Control Center - Port 8005; Symantec Mail Security for SMTP 5.0 Control Center - Port 8005.




Solution:
In order to resolve this issue, you must either change the port that the conflicting application runs on, or alter the Tomcat port.

To alter the Tomcat port, following these steps:

Ensure that the Symantec Endpoint Protection Manager service is stopped.
Right-click the server.xml file and click Edit to modify the file:
C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\conf\server.xml)

For conflicts with port 8005, change the port to another unused port:
port="8005"

For conflicts with port 9090, change the port to another unused port:
port="9090"

Save the changes to the "server.xml" file.
Start the Symantec Endpoint Protection Manager service.
Attempt to login to the Symantec Endpoint Protection Manager.
Restarted the service and was able to logon.

Eduardo PT. said...

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\semsrv\Parameters]

"JVM Option Number 0"="-Xms512m"
"JVM Option Number 1"="-Xmx512m"

Thanks Microsoft updates.. :(