VMware vShield, Symantec SAV & SEPM communication issue -- VM clients not showing in SEPM

For our VMware infrastructure, we are trying to make vShield work with Symantec End Point 12.1.2. The setup is complete, as far as I can see, but no VMs are showing up under Clients in SEP Manager. Here is the summary of the setup:

- vShield Manager is up and running. No errors during its installation.
- All 4 VMware hosts have Symantec-SVA appliances. No errors during installation and the Shared Insight Cache service is running.
- All VMs have vShield drivers installed from VMware tools.
- In vCenter, the Endpoint portion of vShield tab of each host shows entries for Symantec-SVA and various VMs 'Thin Agent enabled'. All events are normal; none critical.
- Within SymantecEP manager, the groups for the VMs have the Enable Shared Insight Cache box checked in the main policy.

Why am I not seeing VMs under Clients in SEPM? Please help. Thanks.

These are the primary requirements.

VMware vSphere
One of these versions:
ESXi 5.1
ESXi 5.0 Update 1
ESX 4.1, with Patch ESX410-201107001

VMware vShield
One of these versions:
VMware vShield Manager 5.1 with VMware vShield Endpoint 5.1
VMware vShield Manager 5.0 Update 1 with VMware vShield Endpoint 5.0 Update 1

Note: You must use vShield Manager to deploy vShield Endpoint to each host you want to manage.

Have you met the prerequisites?
btan (Exec Consultant) Commented:
From the Symantec aspect, I was thinking of the sylink.xml (for client to server comms).
See if importing manually into client helps.

Some useful guides as much to stay close
What do I need to do to install a Security Virtual Appliance?

Installing a Symantec Endpoint Protection Security Virtual Appliance

Configuring the Symantec Endpoint Protection Security Virtual Appliance installation settings file
Akulsh (Author) Commented:

We have met all requisites, except the last one you mentioned: "..use vShield Manager to deploy vShield Endpoint to each host you want to manage." I am working on it now and will let you know about the progress. Thanks so much.


I followed Symantec installation guide 12.1.2 (Ch 29 to 32) to install their SVA. I also used their latest Best Practices article TECH197344, so I think SVA is working OK. May look at your links if the need arises. Thanks.

Akulsh (Author) Commented:

Sorry, I did not read your suggestions very carefully. I had already installed vShield Endpoint on all 4 hosts, right after installing vShield manager.

(In fact, in my original question, this statement was proof that vShield Endpoint were installed "- In vCenter, the Endpoint portion of vShield tab of each host shows entries for Symantec-SVA and various VMs 'Thin Agent enabled'. All events are normal; none critical.")

I have also installed vShield or VMCI Drivers from VMware tools on each VM. Unfortunately, the vShield tab of these VMs still shows status as "Unprotected" under Services column.

Any other suggestion for troubleshooting? Do you need to look at any screen-shots? Thanks.
Akulsh (Author) Commented:

The last 3 links you cited are included -- almost verbatim -- in the latest Symantec SEP_12.1.2 installation guide that I used (Ch 29-31).

About the first suggestion, I had exported the sylink.xml file and pointed to it during installation of SAV. The policy has changed a bit since, so newly exported sylink.xml will be different but I don't know how to update SAV with new sylink.xml. In VM machines, I don't see SEP client installed so the file cannot be imported directly there. Thanks.
Akulsh (Author) Commented:
I meant Symantec Security Virtual Appliance or SVA, not SAV in previous posting.
btan (Exec Consultant) Commented:
I saw it from the ova installation instead...


You can change the datastore prompt to zero if you want to install automatically on the first datastore for the ESXi host.

          <location_of_package>path to OVA file</location_of_package>

You can ignore the UNPROTECTED status at the VM level vShield tab as it shows the status of the App Firewall.
You should be seeing protected for the VM's on the ESXi's vShield Tab.
Akulsh (Author) Commented:

I am very familiar with these settings.

BTW, to get the updated sylink.xml file incorporated, I uninstalled and reinstalled one Symantec SVA with new sylink.xml file. This has not made any difference yet.

By the way, I am installing these Symantec SVA appliance VMs on local hard disks of the 4 VMware hosts, since there is a lot of space there. Is there anything wrong with that? If so, how since these VMs are not to be migrated between hosts? Thanks.
Akulsh (Author) Commented:

You say - "You should be seeing protected for the VM's on the ESXi's vShield Tab."

In VMware hosts' vShield tab, there are 2 sections.
In General, vShield Endpoint shows as Installed. Also Symantec SVA shows as Active SVM.
In Endpoint, there are 0 critical events and 9 normal events. All VMs show as "thin agent enabled."

Where should I see 'protected'? Also, why are these VMs not showing as clients in SEPM? Thanks.
btan (Exec Consultant) Commented:
>>By the way, I am installing these Symantec SVA appliance VMs on local hard disks of the 4 VMware hosts, since there is a lot of space there. Is there anything wrong with that? If so, how since these VMs are not to be migrated between hosts?

<<virtual appliance is just another "guest" running and controlled centrally by the hypervisor overseeing the various guests. I do not see any difference or restriction though.
@ http://www.symantec.com/business/support/index?page=content&id=HOWTO81080

There is a good explanation from Symantec on the installation


Let’s do an example. Let’s say you have 3 datastores on your VMware host and you want the SVA to be on the third datastore. During setup it will simply ask you for the datastore number you want to install to. In this case you would type 3 and hit enter. My thoughts are is that you have to figure out your datastore problem. Here is the specific wording from the xml file


        # Datastore Selection prompt to install the SVA
        # 0 - Automatically install the SVA on the first datastore detected
        # 1 - Prompt to select datastore from available ones detected


One other thing is to check to make sure the user you are defining inside the SVA_InstallSettings.xml file has the admin level access inside VMware to make all the changes required as part of the install.

I am not sure if this can be useful but good to validate if you have access to symantec support in the same link forum extracted
I am being told by Symantec Support the versions of vshield and ESXi I am using are not supported by Symantec Endpoint Protection Manager 12.1.2.  I am using vShield Endpoint 5.1, vShield Manager 5.1 and ESXi 5.1.  What version did you use for your setup?

I do see the install and uninstall need to do a forceclean option. I am not saying this will work but trying best to see any path not covered


A VMware Administrator can use the SVA installation tool with the "forceclean" option to remove the orphaned SVA entries from VMware vShield Manager. The forceclean option parses through the entire vCenter inventory of managed object ID's (moid), and removes the orphaned Symantec Endpoint Protection SVA entries from VMware vShield Manager.

java -jar Symantec_SVA_install.jar -s SVA_InstallSettings.xml -forceclean
<<Also by default client and SEPM server is communicating via port no 8014. We should see traffic from those guest if they are configured correctly as expected.

It should look something like this
Akulsh (Author) Commented:

I am using vShield Manager 5.1 and ESXi 5.1. They should work with Symantec Endpoint Protection Manager 12.1.2.

The Symantec-SVA installations give no error, as indicated by install log and displayed messages.


I am enclosing screen-shot of my vShield manager. It simply says VM and not Protected VM. What AV program are you using?
I have gone over the vShield installation and upgrade guide and have not found anything missing, unless "Lookup service" and "security token service" are required for EndPoint. Not even sure what these services are. DNS is working fine, by the way.
btan (Exec Consultant) Commented:
Also for uninstallation the forceclean option is just to make sure the reinstallation does not have any remnant from past installation. Just in case you are doing uninstall and install when trying.

Status Unknown issue - http://www.symantec.com/connect/forums/shared-insight-cache-1212-vshield-security-virtual-appliance-status-unknown

I was having the same issue as above and found a VM article that states the EPSEC driver needs the guest image to be restarted. I restarted my guest, and they started working.
After weeks of working with Symantec Support and escalating the ticket, Symantec finally found an issue with the SVA_INSTALLSETTINGS.XML file.  Apparently the file has some of the relevant config settings commented out.  You need to make sure there aren't any <!-- or --> symbols around any of the config settings related to the ESX hosts or VCENTER communications.  I believe it was my SVA NETWORK CONFIGURATION that was commented out for some reason.  After reinstalling ALL the SVAs, the clients started displaying their SVA.

Comms with cache insight enabled - http://www.symantec.com/connect/forums/agentless-virtual-machine-antivirus-scanning

By default, Shared Insight cache is setup with no authentication and no SSL. As such, the default setting for the password is null. In other words, the password is blank. If you set Shared Insight Cache to Basic authentication with SSL or Basic Authentication with no SSL, you must specify a username's password that can access Shared Insight Cache.
Looks good to me.
Have you tried restarting one of the VM's and see if it shows up on SEPM?
Just to give it a shot.
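
The Symantec forum post quoted above traces the missing SVA association to settings left inside `<!--` and `-->` in SVA_InstallSettings.xml. As an added example (not part of this thread and not Symantec's tooling), the Python check below reports whether each setting you expect is active, commented out, or missing; apart from `sylink_xml` and `location_of_package`, the element names in the constructed sample are hypothetical placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample file. Only <sylink_xml> and <location_of_package> are
# names seen in the thread; every other element name is a hypothetical
# placeholder, not the real SVA_InstallSettings.xml schema.
SAMPLE = """<?xml version="1.0"?>
<install_settings>
  <!-- Path to the exported communications file -->
  <sylink_xml>./sylink.xml</sylink_xml>
  <location_of_package>./SVA.ova</location_of_package>
  <!--
  <sva_network>
    <ip_address>192.0.2.10</ip_address>
  </sva_network>
  -->
</install_settings>
"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Opening (or self-closing) tags only; closing tags start with "/" and are skipped.
TAG_RE = re.compile(r"<([A-Za-z_][\w.-]*)[^<>]*?>")


def commented_out_elements(xml_text):
    """Return (line_number, element_name) for every element opened inside a comment."""
    hits = []
    for comment in COMMENT_RE.finditer(xml_text):
        for tag in TAG_RE.finditer(comment.group(1)):
            offset = comment.start(1) + tag.start()
            hits.append((xml_text.count("\n", 0, offset) + 1, tag.group(1)))
    return hits


def audit(xml_text, required):
    """Classify each required setting as 'active', 'commented out' or 'missing'."""
    # ElementTree's default parser drops comments, so iter() sees only live settings.
    active = {el.tag for el in ET.fromstring(xml_text).iter()}
    commented = {name for _, name in commented_out_elements(xml_text)}
    report = {}
    for name in required:
        if name in active:
            report[name] = "active"
        elif name in commented:
            report[name] = "commented out"
        else:
            report[name] = "missing"
    return report


if __name__ == "__main__":
    for line, name in commented_out_elements(SAMPLE):
        print(f"line {line}: <{name}> is inside a comment")
    print(audit(SAMPLE, ["sylink_xml", "sva_network", "esx_host"]))
```

Run it against your own settings file by reading the file into a string and passing the list of settings your installation guide says must be present.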
Akulsh (Author) Commented:

What AV are you using? Is it Symantec?

I have restarted a few VMs but since it made no difference, did not start all of them.

I am not sure if the VMs will show up in SEPM even when they are protected since VMware's installation guide says - SVA scans guest virtual machines from the outside, removing the need for agents in every virtual machine.
btan (Exec Consultant) Commented:
There is also a sylinkdrop.exe to restore the client and server comms, compared to manual reinstall.


Likewise, Checking the connection to the management server on the client computer
On the Status page, click Help > Troubleshooting.

In the Troubleshooting dialog box, click Connection Status.
In the Connection Status pane, you can see the last attempted connection and the last successful connection.
To reestablish a connection with the management server, click Connect Now
Akulsh (Author) Commented:

As I stated in my last posting, in the vShield and Symantec SVA setup, there are no agents or clients on any VM. The SVA on each VMware host scans them from outside. In other words, there is no direct communication between the management (SEPM) server and the client computers.

Better thing is to post a question on Symantec community asking if anyone has done this above setup and confirm if the VM's show up on SEPM.
That would solve the doubt.
btan (Exec Consultant) Commented:
Understand that the file actually is just part of the SVA installation which is stated in the <sylink_xml> pathname in the SVA_InstallSettings.xml. This is for SVA to SEPM so it is fine then. SVA just scans files which are in a common repository (their so-called SIC) and if deemed good the other GVMs do not need to check further... EPSEC (vShield thin agent) in each GVM transfers those files to the SVA rather than do other ‘work’ in the guest. So far from the image, it does look alright.

SVA has by default Installation (or depending on "Log File" inside "Installationfolder\SharedInsightCacheInstallation.exe.config") folder/CacheServer.log to see any events that SIC creates, this will log errors if there is any, depending also on the "Log Level". For info type it is something like
[|] 4 | 12/15/2010 10:51:37 | INFO | CacheServerService.Service | Started service [-]

You may already know on these...
The vShield Endpoint host component adds two firewall rules to the ESX host: The vShield-Endpoint-Mux rule opens ports 48651 to port 48666 for communication between the host component and partner security VMs. The vShield-Endpoint-Mux-Partners rule may be used by partners to install a host component. It is disabled by default. Also VMware advises that vCenter is not running on a vShield App protected host that it is managing

I was searching the past version (I know it kinda redundant) but just thought sharing if it helps

After deploying an SVM to an ESX host, the Endpoint Status panel does not report the status of that SVM. This is because the vShield Manager does not propagate some configuration parameters to the SVM until an inventory change occurs in the vCenter Server. Workaround: Perform an inventory change in the vCenter Server, such as suspending and then resuming that virtual machine.

On the EPSec status page, events may be reported for the wrong VM if two or more VMs share the same BIOS UUID. Workaround: Change the UUID of one or more of the virtual machines. http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1002403
Akulsh (Author) Commented:

We opened a ticket with VMware and were told that "Protected VM" were shown in vShield Manager 5.0, but only "VM" are shown in that column starting with vShield Manager 5.1.2. Here is what he told and wrote:

"The screenshots we looked at where the Endpoint tab stated "Protected VM" as the type have been changed to a type of "VM" this was done as per discussions with our 3rd party vendors.   As this status message only indicates that the VM is available for protection having it list as "Protected VM" in previous versions was misleading. This change occurred between vShield Manager 5.0 and vShield Manager 5.1.2"

Also it looks like the image you sent me was not an image from your company but from an article of VMware.

Now I am working on Symantec side since my setup is good on VMware side.

breadtan, I am going thru your links. Thanks.
Akulsh (Author) Commented:
Just an update.

I was able to open a case with Symantec Tech Support today. The engineer did not find anything amiss. SymantecSVA can be seen in Monitors section of SEPM. (I was looking in Clients.) However he could not explain why SVA are not showing any clients listed. He will contact some advanced engineer on Monday and further troubleshoot with me. Thanks.

Good to know you are heading towards a resolution.
Good luck with that. Keep us updated.
Akulsh (Author) Commented:
Sorry, Symantec has not yet come up with any solution. Still working with them. (So few engineers there seem to understand integration with VMware.)
Akulsh (Author) Commented:
Just an update:

Nothing resolved yet. Symantec insists that each VM must have AV client installed and VMware says, No, that should not be necessary.

One VMware guy is supposedly talking with Symantec to sort things.
btan (Exec Consultant) Commented:
Thanks for sharing. Will be good if they can enable some sort of debug logs at each to surface root cause. Faced such issue (in other vendor) before and eventually both end up having issue independently to be resolved
Akulsh (Author) Commented:
VMware is still trying to convince Symantec to look into their implementation of vShield manager.
Akulsh (Author) Commented:
Finally the mystery is solved.

It turns out Symantec is not currently using the vShield Endpoint API for agent-less AV on virtual machines in Symantec Endpoint Protection (SEP) 12.1. vShield support is planned to be integrated into future releases of the product.

Therefore we do need to install SEP client on each virtual machine for now.

SVA (Symantec Virtual Appliance) is only a plugin that helps Shared Insight Cache.

Akulsh (Author) Commented:
Finally VMware engineer was able to find a posting by 2 Symantec engineers which clarified that Symantec's implementation of vShield manager is only partial, and does not provide agentless scanning of VMs. (The Symantec Engineer who was helping me did not know this fact.)
