

Symantec IIS port conflict WSUS and Monitoring Problem

I recently upgraded to Symantec Protection Centre v12 on my SBS 2003 R2 platform.

Now I get the "Error: Connection Error" click Reset Server Node message in WSUS 3.0.

I also get a "Page cannot be found" HTTP Error 404 when looking at the Monitoring and Reporting in Server Management.

I had "problems" when installing Symantec Protection Centre, in particular with respect to port 2638 which was assigned to wmiprvse.exe . I followed the instructions at http://msdn.microsoft.com/en-us/library/bb219447(VS.85).aspx and now everything seems to be a bit sh1t.

I need the monitoring and WSUS services to work. IIS also doesn't appear to work as I can't get to http://companyweb which gives the same HTTP Error 404.

It's all gone horribly wrong. I don't have a test environment so this was implemented on live (no comments please, I only have 3 employees and can't afford a separate test environment). Any help (but not winding back to Symantec Endpoint v11 as that's a pain in the rear) would be great.

5 Solutions
You have a port conflict.

Change the SPC service port to free up port 2638.  To do that:

1.) Stop the embedded database and the SPC service from services.msc

2.) Browse to HKEY_LOCAL_MACHINE\system\currentcontrolset\services\asanys_sem5\parameters

3.) Double-click on Parameter DWORD Value and change the 2638 value at the end of the string to another port such as 2639.

4.) Open C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\conf\server.xml (default location) with Notepad.

5.) Change the line which reads
<value>jdbc:sybase:Tds:localhost:2638/?JCONNECT_VERSION=5</value> and change 2638 to reflect the new port number (2639 or whatever port number you chose)

6.) Restart the embedded database and the SPC service from services.msc

7.) Run iisreset /restart from the command prompt to reset IIS services and get the sites working again.

If that doesn't work then I need to know what processes are using what ports.  You can run a "netstat -ab > c:\ports.txt" from the command prompt then open C:\ports.txt and paste the contents here.
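The port-to-process check requested above can be scripted instead of read by eye. The following Python is an added example, not part of the original thread: it parses `netstat -ab` text and reports which executable holds a given local port, and whether it holds it as a bound listener or only as one end of a connection. The input layout is assumed to match the rows quoted later in this thread; the sample text, the PIDs and the name `db_service.exe` are constructed.

```python
import re

# Constructed sample in the layout of the `netstat -ab` rows quoted in this
# thread: PID in the last column, owning executable in brackets on the next
# line. PIDs and the name db_service.exe are made up for the example.
SAMPLE = """\
  Proto  Local Address     Foreign Address             State        PID
  TCP    comserv:2638      comserv.ComNet.local:ldap   CLOSE_WAIT   11716
  [wmiprvse.exe]
  TCP    comserv:2639      comserv.ComNet.local:0      LISTENING    4120
  [db_service.exe]
  UDP    comserv:2988      *:*                                      11716
  [wmiprvse.exe]
"""

# proto, local host:port, foreign address, optional TCP state, PID
ROW = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\S+)\s+(\S+)\s+(?:([A-Z][A-Z_0-9]*)\s+)?(\d+)\s*$")
EXE = re.compile(r"^\s*\[(.+)\]\s*$")


def parse_netstat(text):
    """Turn netstat -ab text into one dict per socket, with its owning executable."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, port, foreign, state, pid = m.groups()
            rows.append({"proto": proto, "port": port, "foreign": foreign,
                         "state": state or "", "pid": int(pid), "exe": None})
        elif rows and rows[-1]["exe"] is None:
            e = EXE.match(line)  # DLL/component lines before [exe] are skipped
            if e:
                rows[-1]["exe"] = e.group(1)
    return rows


def role(row):
    """A bound listener reserves the port; a connection only holds it until it closes."""
    unbound_udp = row["proto"] == "UDP" and row["foreign"] == "*:*"
    return "listener" if row["state"] == "LISTENING" or unbound_udp else "connection"


def port_holders(rows, port):
    """Every socket whose local port is `port` (netstat may print a service name instead)."""
    return [(r["exe"], r["pid"], role(r), r["state"]) for r in rows if r["port"] == str(port)]


def check_port(rows, port, expected_exe):
    """Report sockets on `port` that belong to anything other than expected_exe."""
    return [f"port {port}: {exe} (PID {pid}) holds it as a {kind} [{state or 'no state'}]"
            for exe, pid, kind, state in port_holders(rows, port)
            if (exe or "").lower() != expected_exe.lower()]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    for finding in check_port(rows, 2638, "db_service.exe") + check_port(rows, 2639, "db_service.exe"):
        print(finding)
```

Run `netstat -ab > c:\ports.txt` as described above and pass the file contents to `parse_netstat` in place of `SAMPLE`.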
MarcusN (Author) Commented:
Hello Mr. Tekrage,

Thank you for your help and sorry for the delay in replying.

I have followed your excellent instructions to the letter, but the problem persists. Attached is the port log. I have copied your example exactly and replaced 2638 with 2639. In the port log you'll see that wmiprvse has not been reassigned or bound to 2638 (which it was originally) even though I also rebooted the server.

Thanks for any additional help you can give.

Regards, Marcus
MarcusN (Author) Commented:
Hello again,

I was wondering whether there were any further thoughts on resolving this as now, in addition to the original problem of no monitoring, no companyweb, no WSUS, I also get the error "Unable to communicate with the reporting component" when I open Symantec Endpoint Protection Centre.

My entire server and business monitoring and all the companyweb have been damaged as a result of the installation of SEP Small Business Edition onto the SBS 2003R2 server.

Any advice most appreciated.

Regards, Marcus

Ok let's concentrate on one problem at a time.  Can you get me an export of the IIS configuration file?  Here's how you do that:

  1. Open up your IIS manager (Administrative Tools -> Internet Information Services (IIS) Manager).
  2. Drill down on the left hand side until you see Web Sites.  Right click on "Web Sites" and go to All Tasks then Save Configuration to a File.
  3. Enter a file name and either leave the default path (C:\Windows\system32\inetsrv) or browse and store it on your desktop or My Docs.  Make sure you don't encrypt the configuration with a password.
  4. Save the file then post it here so I can take a look at how your IIS is set up.
Or if this isn't possible then you can always open up the IIS manager, click on "Web Sites" in the left hand side then take a screen shot of all of the web sites listed on the right side.  Just be sure to expand all of the columns so all of the values are visible.  You can post that screenshot here or if you can't do screenshots then type it up but that would be pretty painful.

MarcusN (Author) Commented:
Hello Tim,

Thanks for your time on this matter. Attached is the IIS configuration file saved as you suggested in points 1 to 4. The saved file is a .xml .

Regards, Marcus


Are you behind a firewall or router?  Or is your SBS directly connected to the internet?

Can you go to a command prompt and type:

ipconfig /all > C:\ip.txt

Then post the C:\ip.txt file?

MarcusN (Author) Commented:
Hello Tim,

I am behind a secure cable router with an internet facing static IP address of 92.237.ABC.XYZ.

That secure router then connects to the "red" NIC on the ISA 2004 firewall server which is installed on the SBS 2003 R2 server.

The other "blue" NIC on the SBS server faces my company LAN. The SBS server is the domain controller and DHCP server etc. All IP addresses are controlled by the SBS server.

I'd happily E-mail the ipconfig file to you but am a little reluctant to post it. What I have done is attach a modified file in which I have consistently changed some of the IP address digits.

Until I installed Symantec Protection Centre (SPC) v12 everything was stable and worked. I have changed none of the ISA server policies. I have made no changes to the scope of the DHCP server. All of the services running on SBS are unchanged. I have not implemented the WSUS recommendations yet and the platform and server were all stable.

I have made no changes to the GPOs recently. These have been stable for the last 6 months and really only differ from the out of the box GPOs relating to the control of a specific OU and clients and users associated with that.

I was wondering whether you or any other readers would have a view on whether I should uninstall SPC v12, uninstall and reinstall SBS monitoring and then reinstall SPC v12. I am really reluctant to do that as it means disconnecting the SBS from the Internet Service Provider whilst I have no anti-virus protection, and I know that causes me problems with maintenance of the static IP address I require.

Thanks again for your help and time on this.

Regards, Marcus (FYI, I am in GMT+1 time zone)
MarcusN (Author) Commented:
Oh, there is one other thing which I don't know whether it is important. In;


the "Parameter" entry isn't a REG_DWORD it is a REG_SZ.

I changed the value at the end from port=2638 to port=2639 though.
If you look at the IIS config for the WSUS site, is it pointing to the correct path?
MarcusN (Author) Commented:

Firstly, when I follow the original instructions from Tim (Tekrage - ref 16/08/10 12:34 AM, ID: 33442377) AND after point (6) and before point (7) I run Symantec Protection Centre -> Management Server Configuration Wizard I can get the Symantec Endpoint Protection Small Business Edition portal to work again. This intermediate step corrects the problem I reported in ref 17/08/10 11:42 PM, ID: 33459993.

Secondly, I am now back to the precise problem I originally posted; no companyweb, no WSUS, but now the Symantec Embedded Database is attached to port 2639 not the default 2638.

Thirdly, in the IIS Manager under ServerName ->Web Sites -> WSUS Administration it would appear that the paths are correct. Please have a look at the attached two files for the information relating to this.

Thanks for helping as well.

I think I'm starting to see what's going on here.  It looks like you have a router that's doing NAT then you have a firewall running on the ISA server that's ALSO doing NAT.  If you have a router that has a firewall built into it then the need for ISA becomes somewhat minimized.  Some people like to maintain the ISA server in addition to a standard firewall because it acts like an application proxy to protect any applications running on IIS (OWA, Outlook's RPC over HTTP, WSUS, etc).

If I understand your notes correctly it looks like you have a router with an IP address of 92.237.xxx.xxx but in IIS I can see an IP address assigned of 165.168.xxx.xxx to your default site.

This is what I'd like to do.  Go into IIS and do a complete IIS backup.  You can do that by right clicking on the server name on the left hand side, then go to All Tasks, and finally Backup / Restore Configuration.  Create a backup then close the IIS manager.

Now go to the SBS Server Management tool.  Click on Internet and E-mail beneath the Standard Management group and click on Repair Internet and E-mail Settings.  Follow that whole wizard and allow it to reconfigure your network settings for you based on what you tell it.  If after you run this repair wizard your sites still don't work then please answer the questions below.  And if things go horribly awry then you can always restore the IIS settings from backup but I don't think you'll have that happen.

  • Do you have the router doing NAT and ISA doing NAT?  Or is it one or the other?
  • Second, what public IP block are you using?  The 92.237.xxx.xxx or 165.168.xxx.xxx?
  • Finally what's your internal IP subnet?  Something along the lines of 192.168.1.x or 10.1.1.x?
MarcusN (Author) Commented:
Hello Tim,

Thanks for this, I followed your instructions but it hasn't resolved the problem.

I don't think a firewall-NAT issue is the problem for the following reasons.

The hardware configuration has been stable and unchanged for over 18 months. Only the ISA is undertaking NAT (Networks->Network Rules->Internet Access_relation=NAT). The ISA configuration I have is the "Back Firewall" arrangement in which there are two firewalls. The outer firewall happens to be my secure router with a NIC facing the Web with static IP of 92.237.XXX.XXX. That IP address is provided to me by my ISP and is associated with the NIC MAC.

The NIC facing the corporate WAN has a DHCP allocated IP address. The SBS server assigns these. Let's say the IP address is for argument's sake. The ipconfig shows that this is correctly assigned to be the "default gateway".

The "red" NIC (i.e. the NIC that faces the outer firewall) has a server assigned IP address. For arguments sake let's say this is .

The "blue" NIC (i.e. the NIC that faces the corporate LAN) also has a server assigned IP address. For arguments sake let's say that is .

This arrangement has been perfectly fine. Users could access their E-mail through Outlook Web Access. They could get to the companyweb from the LAN side. Nothing has changed except the installation of Symantec Endpoint Protection v12 to replace Symantec Antivirus with Groupware Protection v10.

I do get an interesting WMI error though. The error E-mail to the Administrator from the SBS server (called COMSERV) is from WMI@COMSERV with a subject "Error on COMSERV". Message is as follows.

COMSERV has reported a Error.  Reported status is:
Queues - Unknown
Drives - Unknown
Services - Error
Memory - Unknown
CPU - Unknown

Is a fault with WMI something that will also cause an error with IIS and WSUS? Interestingly, reporting from the ISA console is perfectly fine.

Also, the wmiprvse service which was the service that was originally hogging port 2638 (and caused the clash with Symantec) is now on port 2989. Could this be a part of the problem?
When you were setting up the firewall port did you run:

netsh firewall add portopening port=2989 name=WMIFixedPort
netsh firewall add portopening port=2989 name=WMIFixedPort protocol=tcp

The second rule is what you need to run.  If you didn't run it then I suggest you try running it then resetting IIS (run iisreset.exe /restart from the command prompt).

Also how did you set up WMI to use port 2989?  Did you run dcomcnfg?  The reason I ask is the default static port is 24158, not 2989.  It's always possible that the port opening on the firewall is incorrect.
MarcusN (Author) Commented:
Hi, I'll give this a go, but if this doesn't work and it has a negative impact on my ISA or other settings, is it easy to undo this?

Also, I didn't consciously set up WMI on port 2683 or 2989 - it just seems to be there. Here are all the entries relating to wmiprvse taken from netstat -ab where ComServ is my server name and ComNet is the corporate LAN.

 TCP    comserv:15011           comserv.ComNet.local:msft-gc  ESTABLISHED     11716

 TCP    comserv:15119           comserv.ComNet.local:ldap  ESTABLISHED     11716

 TCP    comserv:40338           comserv.ComNet.local:msexch-routing  ESTABLISHED     11716

 TCP    comserv:2989            comserv.ComNet.local:ldap  CLOSE_WAIT      11716

 UDP    comserv:9364            *:*                                    11720

 UDP    comserv:2988            *:*                                    11716
Yeah all you're doing is adding a firewall allow rule.  It won't cause any big headaches.

Can you turn off your firewall and see if the problem goes away?  Then at least we'll know if we're heading in the right direction.  Just disconnect your router for the test although it sounds like your router is already providing a level of firewall protection on its own so unplugging the router isn't absolutely necessary.
MarcusN (Author) Commented:
Hi Tim,

I have now followed your instructions setting the firewall allow rule and switching off ISA and the front firewall then restarted the server (no-one in the office on Sunday!) and the problem persists.

Still no companyweb, WSUS and no server monitoring reports (perhaps a WMI problem).

I could cry into my beer I'm so confused.

Have a good weekend.

Regards, Marcus
Sudeep Sharma (Technical Designer) Commented:
You could check the below link from Symantec which details the best practices when installing the Symantec antivirus in Windows SBS 2003


MarcusN (Author) Commented:
This looks helpful, thank you. It does suggest that I uninstall SEP, reboot and then see whether the failed services are working. I'll try that when I return from leave in September. If that fails I'm planning to uninstall WMI, IIS, WSUS and then reinstall them, hopefully to get everything working again. I will then reinstall SEP and hope the problem has gone. I will report back when I return from leave.
MarcusN (Author) Commented:
Hello everyone,

Sorry for taking so long to reply, but I have solved this problem now and if you would like to cut and paste this solution I can give you the points.

To resolve this problem I contacted Symantec and opened a case. They were NOT very helpful.

The problem is that Symantec Endpoint Protection Small Business Edition v12 messes up IIS if port 2638 is being used by anything else. That then messes up WSUS and the Management Console Monitoring view.

Here's what you need to do.

1) Download the Symantec Support tool from http://www.symantec.com/business/support/index?page=content&id=TECH105414&locale=en_US . Look at the errors and warnings. If any relate to port 2638, resolve them.

2) Once that's done, use ntbackup to make backups of your Exchange and Company Web.

3) You can then install SEP SBE 12 and it should work.

If you get this wrong and you have my problem, you are in deep sh1t. You then have to do the following.

a) You need to open a case with Symantec and ask them for the CleanWipe executable. Hopefully you have a service contract because if you don't you'll have difficulty getting the Symantec CleanWipe executable. The version I received was 11.0.6000.550 .

b) Execute CleanWipe to completely remove all traces of Symantec antivirus, endpoint protection and management consoles. If you are using Symantec Exchange spam and mail scanning products, you can leave those installed.

c) Completely uninstall Monitoring by following the instructions at http://msmvps.com/blogs/bradley/archive/2007/05/30/backup-and-monitoring-part-cannot-be-viewed-in-server-management-console.aspx . DON'T reinstall Monitoring yet. There's other stuff to do.

d) Use NTBackup to back up Exchange (...\Program Files\ExchSrve) and your Company Web (...\Inetpub) material.

e) If you are running ISA as well, export all of your configuration to an xml file. You'll need it at the very end.

f) Completely uninstall IIS! Yes, I know this is an uncomfortable thought, but you need to do this. Follow the instructions at http://forums.techarena.in/small-business-server/548091.htm and read post 5. DON'T reinstall IIS yet. There's other stuff to do.

g) Follow these instructions relating to Exchange http://support.microsoft.com/kb/320202 .

h) Now follow the IIS reinstallation instructions referenced at the link I mentioned in (f).

i) Now follow the WMI reinstallation instructions referenced at the link I mentioned in (c).

j) If you are using ISA, import the settings from the file you made in (e).

You should now find that Exchange is fine and that you don't need to make use of the NTBackups.

You can now follow steps (1) to (3) and install SEP SBE 12. It should be OK.

Symantec don't make CleanWipe available. Why they don't is beyond me and is really poor customer support. You have to open a case and pay to get a tool to wipe off their software. It's like they have hijacked your computer! Really annoying.

Don't bother logging a case with Microsoft. They only deal with one issue (ticket) at a time and to resolve this problem with them requires an IIS ticket, WMI ticket, Exchange ticket and AV ticket. Costs a fortune and if you're a small business it can bankrupt you!

Finally, if you have made any changes to your GPOs that are not the out of the box ones, make sure you export your GPO settings as well as your registry settings before you begin. Hopefully you won't have to roll back to the original registry settings (as you have to go back to point (a) and start again if you do!) but you will at least be able to restore your GPO to a stable condition.

Good luck. This took me 4 weeks to research and complete successfully. Thanks Symantec.
MarcusN (Author) Commented:
Comments from the Experts helped me to eliminate possible causes and then enabled me to resolve this matter myself in the last post.
