Solved

Symantec IIS port conflict WSUS and Monitoring Problem

Posted on 2010-08-15
Last Modified: 2013-12-09
I recently upgraded to Symantec Protection Centre v12 on my SBS 2003 R2 platform.

Now I get the "Error: Connection Error" click Reset Server Node message in WSUS 3.0.

I also get a "Page cannot be found" HTTP Error 404 when looking at the Monitoring and Reporting in Server Management.

I had "problems" when installing Symantec Protection Centre, in particular with respect to port 2638 which was assigned to wmiprvse.exe . I followed the instructions at http://msdn.microsoft.com/en-us/library/bb219447(VS.85).aspx and now everything seems to be a bit sh1t.

I need the monitoring and WSUS services to work. IIS also doesn't appear to work as I can't get to http://companyweb which gives the same HTTP Error 404.

It's all gone horribly wrong. I don't have a test environment so this was implemented on live (no comments please, I only have 3 employees and can't afford a separate test environment). Any help (but not winding back to Symantec Endpoint v11 as that's a pain in the rear) would be great.

Thanks.
Question by:MarcusN
20 Comments
 
LVL 2

Assisted Solution

by:tekrage
tekrage earned 200 total points
You have a port conflict.

Change the SPC service port to free up port 2638.  To do that:

1.) Stop the embedded database and the SPC service from services.msc

2.) Browse to HKEY_LOCAL_MACHINE\system\currentcontrolset\services\asanys_sem5\parameters

3.) Double-click on Parameter DWORD Value and change the 2638 value at the end of the string to another port such as 2639.
 
4.) Open C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\conf\server.xml (default location) with Notepad.
 
5.) Change the line which reads
<value>jdbc:sybase:Tds:localhost:2638/?JCONNECT_VERSION=5</value> and change 2638 to reflect the new port number (2639 or whatever port number you chose)

6.) Restart the embedded database and the SPC service from services.msc

7.) Run iisreset /restart from the command prompt to reset IIS services and get the sites working again.


If that doesn't work then I need to know what processes are using what ports.  You can run a "netstat -ab > c:\ports.txt" from the command prompt then open C:\ports.txt and paste the contents here.
0
 

Author Comment

by:MarcusN
Hello Mr. Tekrage,

Thank you for your help and sorry for the delay in replying.

I have followed your excellent instructions to the letter, but the problem persists. Attached is the port log. I have copied your example exactly and replaced 2638 with 2639. In the port log you'll see that wmiprvse has not been reassigned or bound to 2638 (which it was originally) even though I also rebooted the server.

Thanks for any additional help you can give.

Regards, Marcus
ports2010-08-16.txt
0
 

Author Comment

by:MarcusN
Hello again,

I was wondering whether there were any further thoughts on resolving this as now, in addition to the original problem of no monitoring, no companyweb, no WSUS, I also get the error "Unable to communicate with the reporting component" when I open Symantec Endpoint Protection Centre.

My entire server and business monitoring and all the companyweb have been damaged as a result of the installation of SEP Small Business Edition onto the SBS 2003R2 server.

Any advice most appreciated.

Regards, Marcus
0
 
LVL 2

Expert Comment

by:tekrage
Ok let's concentrate on one problem at a time.  Can you get me an export of the IIS configuration file?  Here's how you do that:

  1. Open up your IIS manager (Administrative Tools -> Internet Information Services (IIS) Manager).
  2. Drill down on the left hand side until you see Web Sites.  Right click on "Web Sites" and go to All Tasks then Save Configuration to a File.
  3. Enter a file name and either leave the default path (C:\Windows\system32\inetsrv) or browse and store it on your desktop or My Docs.  Make sure you don't encrypt the configuration with a password.
  4. Save the file then post it here so I can take a look at how your IIS is setup.
Or if this isn't possible then you can always open up the IIS manager, click on "Web Sites" in the left hand side then take a screen shot of all of the web sites listed on the right side.  Just be sure to expand all of the columns so all of the values are visible.  You can post that screenshot here or if you can't do screenshots then type it up but that would be pretty painful.

Regards,
Tim
0
 

Author Comment

by:MarcusN
Hello Tim,

Thanks for your time on this matter. Attached is the IIS configuration file saved as you suggested in points 1 to 4. The saved file is a .xml .

Regards, Marcus


IIS-Config-2010-08-15.xml
0
 
LVL 2

Expert Comment

by:tekrage
Marcus,

Are you behind a firewall or router?  Or is your SBS directly connected to the internet?

Can you go to a command prompt and type:

ipconfig /all > C:\ip.txt

Then post the C:\ip.txt file?

Thanks,
Tim
0
 

Author Comment

by:MarcusN
Hello Tim,

I am behind a secure cable router with an internet facing static IP address of 92.237.ABC.XYZ.

That secure router then connects to the "red" NIC on the ISA 2004 firewall server which is installed on the SBS 2003 R2 server.

The other "blue" NIC on the SBS server faces my company LAN. The SBS server is the domain controller and DHCP server etc. All IP addresses are controlled by the SBS server.

I'd happily E-mail the ipconfig file to you but am a little reluctant to post it. What I have done is attach a modified file in which I have consistently changed some of the IP address digits.

Until I installed Symantec Protection Centre (SPC) v12 everything was stable and worked. I have changed none of the ISA server policies. I have made no changes to the scope of the DHCP server. All of the services running on SBS are unchanged. I have not implemented the WSUS recommendations yet and the platform and server were all stable.

I have made no changes to the GPOs recently. These have been stable for the last 6 months and really only differ from the out of the box GPOs relating to the control of a specific OU and clients and users associated with that.

I was wondering whether you or any other readers would have a view on whether I should uninstall SPC v12, uninstall and reinstall SBS monitoring and then reinstall SPC v12. I am really reluctant to do that as it means disconnecting the SBS from the Internet Service Provider whilst I have no anti-virus protection, and I know that causes me problems with maintenance of the static IP address I require.

Thanks again for your help and time on this.

Regards, Marcus (FYI, I am in GMT+1 time zone)
ipconfig2010-08-18a.txt
0
 

Author Comment

by:MarcusN
Oh, there is one other thing which I don't know whether it is important. In;

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\asanys_sem5\parameters

the "Parameter" entry isn't a REG_DWORD, it is a REG_SZ.

I changed the value at the end from port=2638 to port=2639 though.
0
 
LVL 20

Expert Comment

by:jimmymcp02
If you look at the IIS config for the WSUS site, is it pointing to the correct path?
0
 

Author Comment

by:MarcusN
Hi,

Firstly, when I follow the original instructions from Tim (Tekrage - ref 16/08/10 12:34 AM, ID: 33442377) AND after point (6) and before point (7) I run Symantec Protection Centre -> Management Server Configuration Wizard I can get the Symantec Endpoint Protection Small Business Edition portal to work again. This intermediate step corrects the problem I reported in ref 17/08/10 11:42 PM, ID: 33459993.

Secondly, I am now back to the precise problem I originally posted; no companyweb, no WSUS, but now the Symantec Embedded Database is attached to port 2639 not the default 2638.

Thirdly, in the IIS Manager under ServerName ->Web Sites -> WSUS Administration it would appear that the paths are correct. Please have a look at the attached two files for the information relating to this.

Thanks for helping as well.
IIS-WSUS-Info2010-08-18.txt
WSUS-properties2010-08-18.jpg
0
 
LVL 2

Accepted Solution

by:
tekrage earned 200 total points
Marcus,

I think I'm starting to see what's going on here.  It looks like you have a router that's doing NAT then you have a firewall running on the ISA server that's ALSO doing NAT.  If you  have a router that has a firewall built into it then the need for ISA becomes somewhat minimized.  Some people like to maintain the ISA server in addition to a standard firewall because it acts like an application proxy to protect any applications running on IIS (OWA, Outlook's RPC over HTTP, WSUS, etc).

If I understand your notes correctly it looks like you have a router with an IP address of 92.237.xxx.xxx but in IIS I can see an IP address assigned of 165.168.xxx.xxx to your default site.

This is what I'd like to do.  Go into IIS and do a complete IIS backup.  You can do that by right clicking on the server name on the left hand side, then go to All Tasks, and finally Backup / Restore Configuration.  Create a backup then close the IIS manager.

Now go to the SBS Server Management tool.  Click on Internet and E-mail beneath the Standard Management group and click on Repair Internet and E-mail Settings.  Follow that whole wizard and allow it to reconfigure your network settings for you based on what you tell it.  If after you run this repair wizard your sites still don't work then please answer the questions below.  And if things go horribly awry then you can always restore the IIS settings from backup but I don't think you'll have that happen.

  • Do you have the router doing NAT and ISA doing NAT?  Or is it one or the other?
  • Second, what public IP block are you using?  The 92.237.xxx.xxx or 165.168.xxx.xxx?
  • Finally what's your internal IP subnet?  Something along the lines of 192.168.1.x or 10.1.1.x?
-Tim
0
 

Author Comment

by:MarcusN
Hello Tim,

Thanks for this, I followed your instructions but it hasn't resolved the problem.

I don't think a firewall-NAT issue is the problem for the following reasons.

The hardware configuration has been stable and unchanged for over 18 months. Only the ISA is undertaking NAT (Networks->Network Rules->Internet Access_relation=NAT). The ISA configuration I have is the "Back Firewall" arrangement in which there are two firewalls. The outer firewall happens to be my secure router with a NIC facing the Web with static IP of 92.237.XXX.XXX. That IP address is provided to me by my ISP and is associated with the NIC MAC.

The NIC facing the corporate WAN has a DHCP allocated IP address. The SBS server assigns these. Let's say the IP address is 165.168.1.1 for argument's sake. The ipconfig shows that this is correctly assigned to be the "default gateway".

The "red" NIC (i.e. the NIC that faces the outer firewall) has a server assigned IP address. For argument's sake let's say this is 165.168.1.2.

The "blue" NIC (i.e. the NIC that faces the corporate LAN) also has a server assigned IP address. For argument's sake let's say that is 10.1.1.50.

This arrangement has been perfectly fine. Users could access their E-mail through Outlook Web Access. They could get to the companyweb from the LAN side. Nothing has changed except the installation of Symantec Endpoint Protection v12 to replace Symantec Antivirus with Groupware Protection v10.

I do get an interesting WMI error though. The error E-mail to the Administrator from the SBS server (called COMSERV) is from WMI@COMSERV with a subject "Error on COMSERV". Message is as follows.

COMSERV has reported a Error.  Reported status is:
Queues - Unknown
Drives - Unknown
Services - Error
Memory - Unknown
CPU - Unknown

Is a fault with WMI something that will also cause an error with IIS and WSUS? Interestingly, reporting from the ISA console is perfectly fine.

Also, the wmiprvse service which was the service that was originally hogging port 2638 (and caused the clash with Symantec) is now on port 2989. Could this be a part of the problem?
0
 
LVL 2

Assisted Solution

by:tekrage
tekrage earned 200 total points
When you were setting up the firewall port did you run:

netsh firewall add portopening port=2989 name=WMIFixedPort
or
netsh firewall add portopening port=2989 name=WMIFixedPort protocol=tcp

The second rule is what you need to run.  If you didn't run it then I suggest you try running it then resetting IIS (run iisreset.exe /restart from the command prompt).

Also how did you setup WMI to use port 2989?  Did you run dcomcfg?  The reason I ask is the default static port is 24158, not 2989.  It's always possible that the port opening on the firewall is incorrect.
0
 

Author Comment

by:MarcusN
Hi, I'll give this a go, but if this doesn't work and it has a negative impact on my ISA or other settings, is it easy to undo this?

Also, I didn't consciously set up WMI on port 2683 or 2989 - it just seems to be there. Here are all the entries relating to wmiprvse taken from netstat -ab where ComServ is my server name and ComNet is the corporate LAN.

 TCP    comserv:15011           comserv.ComNet.local:msft-gc  ESTABLISHED     11716
  [wmiprvse.exe]

 TCP    comserv:15119           comserv.ComNet.local:ldap  ESTABLISHED     11716
  [wmiprvse.exe]

 TCP    comserv:40338           comserv.ComNet.local:msexch-routing  ESTABLISHED     11716
  [wmiprvse.exe]

 TCP    comserv:2989            comserv.ComNet.local:ldap  CLOSE_WAIT      11716
  [wmiprvse.exe]

 UDP    comserv:9364            *:*                                    11720
  [wmiprvse.exe]

 UDP    comserv:2988            *:*                                    11716
  [wmiprvse.exe]
0
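
As an added example (not code from the thread or from any participant), the Python below parses `netstat -ab` text in the layout pasted in the post above and reports which executable holds a given local port, which is the check tekrage asked for when requesting the ports listing. The sample listing and the `db-placeholder.exe` process name are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Union

OWNER_RE = re.compile(r"^\s*\[(.+)\]\s*$")   # e.g. "  [wmiprvse.exe]"

@dataclass
class Sock:
    proto: str
    local_port: Union[int, str]   # stays a service name ("ldap") if netstat ran without -n
    remote: str
    state: str                    # empty for UDP, which has no state column
    pid: int
    owner: Optional[str] = None   # None when netstat could not name the process

def parse_netstat_ab(text: str) -> List[Sock]:
    """Pair each TCP/UDP line with the bracketed executable line that follows it."""
    socks: List[Sock] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) in (4, 5) and parts[0] in ("TCP", "UDP") and parts[-1].isdigit():
            port = parts[1].rpartition(":")[2]
            socks.append(Sock(parts[0], int(port) if port.isdigit() else port,
                              parts[2], parts[3] if len(parts) == 5 else "",
                              int(parts[-1])))
            continue
        m = OWNER_RE.match(line)
        # Only the first bracketed line after a socket line names the executable.
        if m and socks and socks[-1].owner is None:
            socks[-1].owner = m.group(1).lower()
    return socks

def port_conflicts(socks: List[Sock], port: int, expected_owner: str) -> List[Sock]:
    """Sockets on local `port` that are not owned by `expected_owner`.
    Sockets with no owner information are reported too, since they are unverified."""
    return [s for s in socks
            if s.local_port == port and s.owner != expected_owner.lower()]

# Constructed sample in the same layout as the listing in the thread.
# "db-placeholder.exe" is a made-up name standing in for the database service.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    comserv:2638           comserv.ComNet.local:ldap  CLOSE_WAIT      11716
  [wmiprvse.exe]

  TCP    comserv:2639           comserv:0              LISTENING       4321
  [db-placeholder.exe]

  TCP    comserv:http           comserv:0              LISTENING       4
  [System]

  UDP    comserv:2988           *:*                                    11716
  [wmiprvse.exe]
"""

if __name__ == "__main__":
    for s in port_conflicts(parse_netstat_ab(SAMPLE), 2638, "db-placeholder.exe"):
        print(f"port 2638/{s.proto} held by {s.owner} (PID {s.pid}, {s.state or 'no state'})")
```

Running netstat with `-abn` instead of `-ab` keeps every port numeric, so named entries such as `http` or `ldap` do not hide a port from a numeric lookup.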
 
LVL 2

Expert Comment

by:tekrage
Yeah all you're doing is adding a firewall allow rule.  It won't cause any big headaches.

Can you turn off your firewall and see if the problem goes away?  Then at least we'll know if we're heading in the right direction.  Just disconnect your router for the test although it sounds like your router is already providing a level of firewall protection on its own so unplugging the router isn't absolutely necessary.
0
 

Author Comment

by:MarcusN
Hi Tim,

I have now followed your instructions setting the firewall allow rule and switching off ISA and the front firewall then restarted the server (no-one in the office on Sunday!) and the problem persists.

Still no companyweb, WSUS and no server monitoring reports (perhaps a WMI problem).

I could cry into my beer I'm so confused.

Have a good weekend.

Regards, Marcus
0
 
LVL 29

Assisted Solution

by:Sudeep Sharma
Sudeep Sharma earned 100 total points
You could check the below link from Symantec which details the best practices when installing the Symantec antivirus in Windows SBS 2003

http://www.symantec.com/business/support/endpointsecurity/SEP_SBS_BestPractices_v3.0.pdf

Sudeep
0
 

Author Comment

by:MarcusN
This looks helpful, thank you. It does suggest that I uninstall SEP, reboot and then see whether the failed services are working. I'll try that when I return from leave in September. If that fails I'm planning to uninstall WMI, IIS, WSUS and then reinstall them, hopefully to get everything working again. I will then reinstall SEP and hope the problem has gone. I will report back when I return from leave.
0
 

Assisted Solution

by:MarcusN
MarcusN earned 0 total points
Hello everyone,

Sorry for taking so long to reply, but I have solved this problem now and if you would like to cut and paste this solution I can give you the points.

To resolve this problem I contacted Symantec and opened a case. They were NOT very helpful.

The problem is that Symantec Endpoint Protection Small Business Edition v12 messes up IIS if port 2638 is being used by anything else. That then messes up WSUS and the Management Console Monitoring view.

Here's what you need to do.

1) Download the Symantec Support tool from http://www.symantec.com/business/support/index?page=content&id=TECH105414&locale=en_US . Look at the errors and warnings. If any relate to port 2638, resolve them.

2) Once that's done, use ntbackup to make backups of your Exchange and Company Web.

3) You can then install SEP SBE 12 and it should work.

If you get this wrong and you have my problem, you are in deep sh1t. You then have to do the following.

a) You need to open a case with Symantec and ask them for the CleanWipe executable. Hopefully you have a service contract because if you don't you'll have difficulty getting the Symantec CleanWipe executable. The version I received was 11.0.6000.550 .

b) Execute CleanWipe to completely remove all traces of Symantec antivirus, endpoint protection and management consoles. If you are using Symantec Exchange spam and mail scanning products, you can leave those installed.

c) Completely uninstall Monitoring by following the instructions at http://msmvps.com/blogs/bradley/archive/2007/05/30/backup-and-monitoring-part-cannot-be-viewed-in-server-management-console.aspx . DON'T reinstall Monitoring yet. There's other stuff to do.

d) Use NTBackup to backup Exchange (...\Program Files\ExchSrve) and your Company Web (...\Inetpub) material.

e) If you are running ISA as well, export all of your configuration to an xml file. You'll need it at the very end.

f) Completely uninstall IIS! Yes, I know this is an uncomfortable thought, but you need to do this. Follow the instructions at http://forums.techarena.in/small-business-server/548091.htm and read post 5. DON'T reinstall IIS yet. There's other stuff to do.

g) Follow these instructions relating to Exchange http://support.microsoft.com/kb/320202 .

h) Now follow the IIS reinstallation instructions referenced at the link I mentioned in (f).

i) Now follow the WMI reinstallation instructions referenced at the link I mentioned in (c).

j) If you are using ISA, import the settings from the file you made in (e).

You should now find that Exchange is fine and that you don't need to make use of the NTBackups.

You can now follow steps (1) to (3) and install SEP SBE 12. It should be OK.

ISSUES.
Symantec don't make CleanWipe available. Why they don't is beyond me and is really poor customer support. You have to open a case and pay to get a tool to wipe off their software. It's like they have hijacked your computer! Really annoying.

Don't bother logging a case with Microsoft. They only deal with one issue (ticket) at a time and to resolve this problem with them requires an IIS ticket, WMI ticket, Exchange ticket and AV ticket. Costs a fortune and if you're a small business it can bankrupt you!

Finally, if you have made any changes to your GPOs that are not the out of the box ones, make sure you export your GPO settings as well as your registry settings before you begin. Hopefully you won't have to roll back to the original registry settings (as you have to go back to point (a) and start again if you do!) but you will at least be able to restore your GPO to a stable condition.

Good luck. This took me 4 weeks to research and complete successfully. Thanks Symantec.
0
 

Author Closing Comment

by:MarcusN
Comments from the Experts helped me to eliminate possible causes and then enabled me to resolve this matter myself in the last post.
0
