Solved

VMware vShield, Symantec SAV & SEPM communication issue -- VM clients not showing in SEPM

Posted on 2013-12-30
2,565 Views
Last Modified: 2014-02-09
For our VMware infrastructure, we are trying to make vShield work with Symantec Endpoint 12.1.2. The setup is complete, as far as I can see, but no VMs are showing up under Clients in SEP Manager. Here is the summary of the setup:

- vShield Manager is up and running. No errors during its installation.
- All 4 VMware hosts have Symantec-SVA appliances. No errors during installation and the Shared Insight Cache service is running.
- All VM have vShield drivers installed from VMware tools.
- In vCenter, the Endpoint portion of vShield tab of each host shows entries for Symantec-SVA and various VMs 'Thin Agent enabled'. All events are normal; none critical.
- Within the Symantec EP manager, the groups for the VMs have the Enable Shared Insight Cache box checked in the main policy.

Why am I not seeing VMs under Clients in SEPM? Please help. Thanks.
Question by:Akulsh
29 Comments
 
LVL 13

Expert Comment

by:Abhilash
ID: 39747531
These are the primary requirements.

VMware vSphere
One of these versions:
ESXi 5.1
ESXi 5.0 Update 1
ESX 4.1, with Patch ESX410-201107001

VMware vShield
One of these versions:
VMware vShield Manager 5.1 with VMware vShield Endpoint 5.1
VMware vShield Manager 5.0 Update 1 with VMware vShield Endpoint 5.0 Update 1

Note: You must use vShield Manager to deploy vShield Endpoint to each host you want to manage.

Have you met the prerequisites?
0
 
LVL 61

Expert Comment

by:btan
ID: 39747534
From the Symantec aspect, I was thinking of the sylink.xml (for client to server comms).
see if importing manually into client helps.
http://www.symantec.com/business/support/index?page=content&id=HOWTO81111#v73083950

Some useful guides, as much to stay close to the documented steps:
What do I need to do to install a Security Virtual Appliance?
http://www.symantec.com/docs/HOWTO81110

Installing a Symantec Endpoint Protection Security Virtual Appliance
http://www.symantec.com/docs/HOWTO81083

Configuring the Symantec Endpoint Protection Security Virtual Appliance installation settings file
http://www.symantec.com/docs/HOWTO81082
0
 
LVL 3

Author Comment

by:Akulsh
ID: 39747781
Abhilash,

We have met all requisites, except the last one you mentioned: "..use vShield Manager to deploy vShield Endpoint to each host you want to manage." I am working on it now and will let you know about the progress. Thanks so much.

breadtan,

I followed Symantec installation guide 12.1.2 (Ch 29 to 32) to install their SVA. I also used their latest Best Practices article TECH197344, so I think SVA is working OK. May look at your links if the need arises. Thanks.
0
 
LVL 3

Author Comment

by:Akulsh
ID: 39747798
Abhilash,

Sorry, I did not read your suggestions very carefully. I had already installed vShield Endpoint on all 4 hosts, right after installing vShield manager.

(In fact, in my original question, this statement was proof that vShield Endpoint were installed "- In vCenter, the Endpoint portion of vShield tab of each host shows entries for Symantec-SVA and various VMs 'Thin Agent enabled'. All events are normal; none critical.")

I have also installed vShield or VMCI Drivers from VMware tools on each VM. Unfortunately, the vShield tab of these VMs still show status as "Unprotected" under Services column.

Any other suggestion for troubleshooting? Do you need to look at any screen-shots? Thanks.
0
 
LVL 3

Author Comment

by:Akulsh
ID: 39747813
breadtan,

The last 3 links you cited are included -- almost verbatim -- in the latest Symantec SEP_12.1.2 installation guide that I used (Ch 29-31).

About the first suggestion, I had exported the sylink.xml file and pointed to it during installation of SAV. The policy has changed a bit since, so newly exported sylink.xml will be  different but I don't know how to update SAV with new sylink.xml. In VM machines, I don't see SEP client installed so the file cannot be imported directly there. Thanks.
0
 
LVL 3

Author Comment

by:Akulsh
ID: 39747818
I meant Symantec Security Virtual Appliance or SVA, not SAV in previous posting.
0
 
LVL 61

Expert Comment

by:btan
ID: 39747842
I saw it from the OVA installation instead...

http://www.symantec.com/business/support/index?page=content&id=HOWTO81082#v66232253

You can change the datastore prompt to zero if you want to install automatically on the first datastore for the ESXi host.

<Installation>
    <location_of_package>path to OVA file</location_of_package>
    <esx_ip_address>192.168.x.z</esx_ip_address>
    <sylink_xml>./sylink.xml</sylink_xml>
    <datastore_prompt>1</datastore_prompt>
</Installation>
0
 
LVL 13

Expert Comment

by:Abhilash
ID: 39747968
Akulsh,

You can ignore the UNPROTECTED status at the VM level vShield tab, as it shows the status of the App Firewall.
You should be seeing Protected for the VMs on the ESXi host's vShield tab.
0
 
LVL 3

Author Comment

by:Akulsh
ID: 39747973
breadtan,

I am very familiar with these settings.

BTW, to get the updated sylink.xml file incorporated, I uninstalled and reinstalled one Symantec SVA with new sylink.xml file. This has not made any difference yet.

By the way, I am installing these Symantec SVA appliance VMs on local hard disks of the 4 VMware hosts, since there is a lot of space there. Is there anything wrong with that? If so, how since these VMs are not to be migrated between hosts? Thanks.
0
 
LVL 3

Author Comment

by:Akulsh
ID: 39747985
Abhilash,

You say - "You should be seeing protected for the VM's on the ESxi's vShield Tab."

In VMware hosts' vShield tab, there are 2 sections.
in General, vShield Endpoint shows as Installed. Also Symantec SVA shows as Active SVM.
In Endpoint, there are 0 critical events and 9 normal events. All VMs show as "thin agent enabled."

Where should I see 'protected'? Also why these VMs are not showing as clients in SEPM? Thanks.
0
 
LVL 61

Expert Comment

by:btan
ID: 39748149
>>By the way, I am installing these Symantec SVA appliance VMs on local hard disks of the 4 VMware hosts, since there is a lot of space there. Is there anything wrong with that? If so, how since these VMs are not to be migrated between hosts?

<<virtual appliance is just another "guest" running and controlled centrally by the hypervisor overseeing the various guests. I do not see any difference or restriction though.
@ http://www.symantec.com/business/support/index?page=content&id=HOWTO81080

There is a good explanation from Symantec on the installation

http://www.symantec.com/connect/forums/symantec-virtual-appliance-clarification

Let’s do an example. Let’s say you have 3 datastores on your VMware host and you want the SVA to be on the third datastore. During setup it will simply ask you for the datastore number you want to install to. In this case you would type 3 and hit enter. My thoughts are is that you have to figure out your datastore problem. Here is the specific wording from the xml file

 ==============================================================

        # Datastore Selection prompt to install the SVA

        # 0 - Automatically install the SVA on the first datastore detected

        # 1 - Prompt to select datastore from available ones detected

 ===============================================================

One other thing is to check to make sure the user you are defining inside the SVA_InstallSettings.xml file has admin level access inside VMware to make all the changes required as part of the install.

I am not sure if this can be useful but good to validate if you have access to symantec support in the same link forum extracted
I am being told by Symantec Support the versions of vshield and ESXi I am using are not supported by Symantec Endpoint Protection Manager 12.1.2.  I am using vShield Endpoint 5.1, vShield Manager 5.1 and ESXi 5.1.  What version did you use for your setup?

I do see the install and uninstall need to do a forceclean option. I am not saying this will work but trying best to see any path not covered

http://www.symantec.com/business/support/index?page=content&id=TECH196821

A VMware Administrator can use the SVA installation tool with the "forceclean" option to remove the orphaned SVA entries from VMware vShield Manager. The forceclean option parses through the entire vCenter inventory of managed object ID's (moid), and removes the orphaned Symantec Endpoint Protection SVA entries from VMware vShield Manager.

Usage:
java -jar Symantec_SVA_install.jar -s SVA_InstallSettings.xml -forceclean
<<Also, by default the client and SEPM server communicate via port 8014. We should see traffic from those guests if they are configured correctly, as expected.
0
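The port 8014 remark above is the check a practitioner would actually run from a guest that has a SEP client: read the management server list out of the exported SyLink.xml and confirm a TCP connection to the HTTP port succeeds. The following is an added example written for this page, not Symantec's tooling; the SyLink.xml sample is constructed, and the element and attribute names it uses (ServerList/Server, Address, HttpPort) are an assumption about the export format, so adjust them to match a real export.

```python
import socket
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an exported SyLink.xml. The element and
# attribute names (ServerList/Server, Address, HttpPort) are an assumption for
# this example, not copied from a real export. Hostnames are placeholders.
SAMPLE_SYLINK = """<?xml version="1.0" encoding="UTF-8"?>
<ServiceProvider>
  <ServerList Name="Default">
    <Server Address="sepm01.example.local" HttpPort="8014" HttpsPort="443"/>
    <Server Address="10.0.0.25" HttpPort="8014" HttpsPort="443"/>
  </ServerList>
</ServiceProvider>
"""


def parse_servers(sylink_xml):
    """Return [(host, port), ...] for every Server entry.

    Falls back to 8014, the default SEPM client-communication port, when the
    entry carries no HttpPort attribute.
    """
    root = ET.fromstring(sylink_xml)
    servers = []
    for srv in root.iter("Server"):
        host = srv.get("Address")
        if not host:
            continue
        port = int(srv.get("HttpPort", "8014"))
        servers.append((host, port))
    return servers


def tcp_probe(host, port, timeout=3.0):
    """Attempt a real TCP connect to host:port; True if the handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_reachability(servers, probe=tcp_probe):
    """Map each (host, port) to True/False.

    `probe` is injectable so the selection logic can be exercised offline;
    the default is a real connect.
    """
    return {(host, port): probe(host, port) for host, port in servers}


def first_reachable(results):
    """The first management server the client could fall back to, or None."""
    for server, ok in results.items():
        if ok:
            return server
    return None


if __name__ == "__main__":
    # Run from a guest: a client that cannot reach any server on 8014 will
    # never register and therefore never appear under Clients in SEPM.
    results = check_reachability(parse_servers(SAMPLE_SYLINK))
    for (host, port), ok in results.items():
        print(f"{host}:{port} -> {'reachable' if ok else 'unreachable'}")
    print("usable server:", first_reachable(results))
```

If every entry is unreachable, the fault is network or firewall rather than SEPM configuration; if one is reachable but the client still does not register, move on to the sylinkdrop / Connect Now steps btan mentions later in the thread.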
 
LVL 13

Expert Comment

by:Abhilash
ID: 39749517
Akulsh,

It should look something like this
http://www.vdicloud.nl/wp-content/uploads/2012/03/slide11.png
0
 
LVL 3

Author Comment

by:Akulsh
ID: 39753490
breadtan,

I am using vShield Manager 5.1 and ESXi 5.1. They should work with Symantec Endpoint Protection Manager 12.1.2.

The Symantec-SVA installations give no error, as indicated by install log and displayed messages.

Abhilash,

I am enclosing a screen-shot of my vShield manager. It simply says VM and not Protected VM. What AV program are you using?
I have gone over the vShield installation and upgrade guide and have not found anything missing, unless "Lookup service" and "security token service" are required for EndPoint. Not even sure what these services are. DNS is working fine, by the way.
Thanks.
Not-yet-protectedVMs.gif
0
 
LVL 61

Expert Comment

by:btan
ID: 39753633
Also for uninstallation the forceclean option is just to make sure the reinstallation does not have any remnant from past installation. Just in case you are doing uninstall and install when trying.

Status Unknown issue - http://www.symantec.com/connect/forums/shared-insight-cache-1212-vshield-security-virtual-appliance-status-unknown

I was having the same issue as above and found a VM article that states the EPSEC driver needs the guest image to be restarted. I restarted my guest, and they started working.
After weeks of working with Symantec Support and escalating the ticket, Symantec finally found an issue with the SVA_INSTALLSETTINGS.XML file.  Apparently the file has some of the relevant config settings commented out.  You need to make sure there aren't any <!-- or --> symbols around any of the config settings related to the ESX hosts or VCENTER communications.  I believe it was my SVA NETWORK CONFIGURATION that was commented out for some reason.  After reinstalling ALL the SVAs, the clients started displaying their SVA.


Comms with cache insight enabled - http://www.symantec.com/connect/forums/agentless-virtual-machine-antivirus-scanning

By default, Shared Insight cache is setup with no authentication and no SSL. As such, the default setting for the password is null. In other words, the password is blank. If you set Shared Insight Cache to Basic authentication with SSL or Basic Authentication with no SSL, you must specify a username's password that can access Shared Insight Cache.
0
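Two of the SVA_InstallSettings.xml pitfalls raised in this thread can be caught before running the installer: a datastore_prompt value outside 0/1 (the fragment quoted earlier) and configuration elements that have been commented out with <!-- --> (the forum report above). The check below is an added example written for this page, not Symantec's own tool. The sample settings file is constructed: only the four element names inside <Installation> come from the page, while the <SVA_InstallSettings> root and the commented-out <network_config> block are assumptions used to show the detection.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <Installation> fragment quoted in this
# thread. The root element name and the <network_config> block are assumptions;
# the deliberately bad datastore_prompt and commented-out block are what the
# checker should flag.
SAMPLE_SETTINGS = """<?xml version="1.0"?>
<SVA_InstallSettings>
  <Installation>
    <location_of_package>/tmp/Symantec_SVA.ova</location_of_package>
    <esx_ip_address>192.168.10.21</esx_ip_address>
    <sylink_xml>./sylink.xml</sylink_xml>
    <!-- 0 - first datastore, 1 - prompt -->
    <datastore_prompt>2</datastore_prompt>
  </Installation>
  <!--
  <network_config>
    <sva_ip_address>192.168.10.50</sva_ip_address>
  </network_config>
  -->
</SVA_InstallSettings>
"""

# Elements the quoted <Installation> fragment shows; anything else required by
# a given SVA release should be appended here.
REQUIRED = ("location_of_package", "esx_ip_address", "sylink_xml", "datastore_prompt")

# An opening tag inside a comment is the signature of a commented-out setting.
ELEMENT_IN_COMMENT = re.compile(r"<\s*([A-Za-z_][\w.-]*)\s*>")


def parse_with_comments(text):
    """Parse XML but keep <!-- --> nodes in the tree (Python 3.8+)."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(text, parser=parser)


def find_problems(text):
    """Return a list of human-readable problems; empty list means the file passes."""
    root = parse_with_comments(text)
    problems = []

    # 1. Required elements must exist and be non-empty.
    for name in REQUIRED:
        el = root.find(f".//{name}")
        if el is None or not (el.text or "").strip():
            problems.append(f"missing or empty <{name}>")

    # 2. datastore_prompt only accepts 0 (first datastore) or 1 (prompt).
    ds = root.find(".//datastore_prompt")
    if ds is not None:
        value = (ds.text or "").strip()
        if value not in ("0", "1"):
            problems.append(f"<datastore_prompt> must be 0 or 1, got {value!r}")

    # 3. Any element-looking text inside a comment is a commented-out setting.
    for node in root.iter():
        if node.tag is ET.Comment:
            for tag in ELEMENT_IN_COMMENT.findall(node.text or ""):
                problems.append(f"<{tag}> is commented out")

    return problems


if __name__ == "__main__":
    for problem in find_problems(SAMPLE_SETTINGS) or ["no problems found"]:
        print(problem)
```

Run it against the real file before each java -jar Symantec_SVA_install.jar invocation; an empty result does not prove the values are right, only that nothing is missing, out of range or silently disabled by a comment.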
 
LVL 13

Expert Comment

by:Abhilash
ID: 39754636
Looks good to me.
Have you tried restarting one of the VMs to see if it shows up on SEPM?
Just to give it a shot.
0
 
LVL 3

Author Comment

by:Akulsh
ID: 39754936
Abhilash,

What AV are you using? Is it Symantec?

I have restarted a few VMs but since it made no difference, did not start all of them.

I am not sure if the VMs will show up in SEPM even when they are protected since VMware's installation guide says - SVA scans guest virtual machines from the outside, removing the need for agents in every virtual machine.
0
 
LVL 61

Expert Comment

by:btan
ID: 39755425
There is also a sylinkdrop.exe to restore the client and server comms, compared to manual reinstall.

http://www.symantec.com/business/support/index?page=content&id=HOWTO81179#v8527901

Likewise, Checking the connection to the management server on the client computer
On the Status page, click Help > Troubleshooting.

In the Troubleshooting dialog box, click Connection Status.
In the Connection Status pane, you can see the last attempted connection and the last successful connection.
To reestablish a connection with the management server, click Connect Now
0
 
LVL 3

Author Comment

by:Akulsh
ID: 39755497
breadtan,

As I stated in my last posting, in the vShield and Symantec SVA setup, there are no agents or clients on any VM. The SVA on each VMware host scans them from outside. In other words, there is no direct communication between the management (SEPM) server and the client computers.
0
 
LVL 13

Expert Comment

by:Abhilash
ID: 39755616
Akulsh,

The better thing is to post a question on the Symantec community asking if anyone has done the above setup and can confirm whether the VMs show up on SEPM.
That would solve the doubt.
0
 
LVL 61

Expert Comment

by:btan
ID: 39755628
Understand that the file is actually just part of the SVA installation, which is stated in the <sylink_xml> pathname in SVA_InstallSettings.xml. This is for SVA to SEPM, so it is fine then. The SVA just scans files which are in a common repository (their so-called SIC), and if deemed good the other GVMs do not need to check further... EPSEC (vShield thin agent) in each GVM transfers those files to the SVA rather than doing other 'work' in the guest. So far, from the image, it does look alright.

The SVA has by default Installationfolder/CacheServer.log (or as set by "Log File" inside "Installationfolder\SharedInsightCacheInstallation.exe.config") to see any events that SIC creates; this will log errors if there are any, depending also on the "Log Level". For the info type it is something like
[|] 4 | 12/15/2010 10:51:37 | INFO | CacheServerService.Service | Started service [-]

You may already know on these...
The vShield Endpoint host component adds two firewall rules to the ESX host: The vShield-Endpoint-Mux rule opens ports 48651 to port 48666 for communication between the host component and partner security VMs. The vShield-Endpoint-Mux-Partners rule may be used by partners to install a host component. It is disabled by default. Also VMware advises that vCenter is not running on a vShield App protected host that it is managing.

I was searching the past version (I know it kinda redundant) but just thought sharing if it helps

After deploying an SVM to an ESX host, the Endpoint Status panel does not report the status of that SVM. This is because the vShield Manager does not propagate some configuration parameters to the SVM until an inventory change occurs in the vCenter Server. Workaround: Perform an inventory change in the vCenter Server, such as suspending and then resuming that virtual machine.

On the EPSec status page, events may be reported for the wrong VM if two or more VMs share the same BIOS UUID. Workaround: Change the UUID of one or more of the virtual machines. http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1002403
0
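To act on the CacheServer.log pointer above, it helps to parse the log rather than eyeball it: pull out the WARN/ERROR entries and spot sequence gaps that would indicate truncated logging. The parser below is an added example for this page, not part of the Symantec product. Its field layout (sequence | timestamp | level | component | message, wrapped in [|] ... [-]) is inferred from the single INFO line quoted above and is therefore an assumption; the sample lines are constructed, not taken from a real log.

```python
import re
from collections import Counter

# Field order inferred from the one line quoted in this thread; treat it as an
# assumption and adjust if a real CacheServer.log differs.
LOG_RE = re.compile(
    r"^\[\|\]\s*(?P<seq>\d+)\s*\|\s*(?P<ts>[^|]+?)\s*\|\s*(?P<level>[A-Z]+)\s*\|"
    r"\s*(?P<component>[^|]+?)\s*\|\s*(?P<msg>.*?)\s*\[-\]\s*$"
)

# Constructed sample lines (the first one is the thread's quoted line; the rest
# are invented to exercise the filters, including one non-matching line).
SAMPLE_LOG = """\
[|] 4 | 12/15/2010 10:51:37 | INFO | CacheServerService.Service | Started service [-]
[|] 5 | 12/15/2010 10:51:38 | INFO | CacheServerService.Listener | Listening for clients [-]
[|] 6 | 12/15/2010 10:52:02 | WARN | CacheServerService.Auth | Client presented no credentials [-]
[|] 7 | 12/15/2010 10:52:03 | ERROR | CacheServerService.Listener | Accept failed: connection reset [-]
garbage line that does not match
"""

# Severity ordering used by the filter; unknown levels are kept, never dropped.
LEVEL_ORDER = {"DEBUG": 0, "INFO": 1, "WARN": 2, "ERROR": 3, "FATAL": 4}


def parse_log(text):
    """Return (entries, unparsed): entries are dicts with an int seq field."""
    entries, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if m is None:
            unparsed.append(line)
            continue
        entry = m.groupdict()
        entry["seq"] = int(entry["seq"])
        entries.append(entry)
    return entries, unparsed


def level_counts(entries):
    """Counter of entries per level, e.g. {'INFO': 2, 'WARN': 1, 'ERROR': 1}."""
    return Counter(e["level"] for e in entries)


def problems(entries, min_level="WARN"):
    """Entries at or above min_level; levels not in LEVEL_ORDER are retained."""
    threshold = LEVEL_ORDER[min_level]
    return [e for e in entries if LEVEL_ORDER.get(e["level"], threshold) >= threshold]


def sequence_gaps(entries):
    """Sequence numbers missing between the lowest and highest seen."""
    seqs = sorted(e["seq"] for e in entries)
    return [n for a, b in zip(seqs, seqs[1:]) for n in range(a + 1, b)]


if __name__ == "__main__":
    entries, unparsed = parse_log(SAMPLE_LOG)
    print("levels:", dict(level_counts(entries)))
    for e in problems(entries):
        print(f"{e['ts']} {e['level']:5} {e['component']}: {e['msg']}")
    print("gaps:", sequence_gaps(entries), "unparsed:", len(unparsed))
```

Feed the real file in with `parse_log(open(path).read())`; a non-empty `unparsed` list usually means the format assumption above needs adjusting before trusting the rest.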
 
LVL 3

Assisted Solution

by:Akulsh
Akulsh earned 0 total points
ID: 39760457
Abhilash,

We opened a ticket with VMware and were told that "Protected VM" was shown in vShield Manager 5.0, but only "VM" is shown in that column starting with vShield Manager 5.1.2. Here is what he told us and wrote:

"The screenshots we looked at where the Endpoint tab stated "Protected VM" as the type have been changed to a type of "VM". This was done as per discussions with our 3rd party vendors. As this status message only indicates that the VM is available for protection, having it listed as "Protected VM" in previous versions was misleading. This change occurred between vShield Manager 5.0 and vShield Manager 5.1.2"

Also it looks like the image you sent me was not an image from your company but from an article of VMware.

Now I am working on Symantec side since my setup is good on VMware side.

breadtan, I am going thru your links. Thanks.
0
 
LVL 3

Assisted Solution

by:Akulsh
Akulsh earned 0 total points
ID: 39772827
Just an update.

I was able to open a case with Symantec Tech Support today. The engineer did not find anything amiss. SymantecSVA can be seen in Monitors section of SEPM. (I was looking in Clients.) However he could not explain why SVA are not showing any clients listed. He will contact some advanced engineer on Monday and further troubleshoot with me. Thanks.
0
 
LVL 13

Assisted Solution

by:Abhilash
Abhilash earned 250 total points
ID: 39772980
Akulsh,

Good to know you are heading towards a resolution.
Good luck with that. Keep us updated.
0
 
LVL 3

Author Comment

by:Akulsh
ID: 39787736
Sorry, Symantec has not yet come up with any solution. Still working with them. (So few engineers there seem to understand integration with VMware.)
0
 
LVL 3

Author Comment

by:Akulsh
ID: 39815024
Just an update:

Nothing resolved yet. Symantec insists that each VM must have an AV client installed and VMware says, No, that should not be necessary.

One VMware guy is supposedly talking with Symantec to sort things.
0
 
LVL 61

Assisted Solution

by:btan
btan earned 250 total points
ID: 39815117
Thanks for sharing. It will be good if they can enable some sort of debug logs at each end to surface the root cause. I faced such an issue (with another vendor) before, and eventually both ended up having issues to be resolved independently.
0
 
LVL 3

Author Comment

by:Akulsh
ID: 39827370
VMware is still trying to convince Symantec to look into their implementation of vShield manager.
0
 
LVL 3

Accepted Solution

by:Akulsh
Akulsh earned 0 total points
ID: 39833586
Finally the mystery is solved.

It turns out Symantec is not currently using the vShield Endpoint API for agent-less AV on virtual machines in Symantec Endpoint Protection (SEP) 12.1. vShield support is planned to be integrated into future releases of the product.

Therefore we do need to install SEP client on each virtual machine for now.

SVA (Symantec Virtual Appliance) is only a plugin that helps Shared Insight Cache.
0
 
LVL 3

Author Closing Comment

by:Akulsh
ID: 39845128
Finally VMware engineer was able to find a posting by 2 Symantec engineers which clarified that Symantec's implementation of vShield manager is only partial, and does not provide agentless scanning of VMs. (The Symantec Engineer who was helping me did not know this fact.)

http://www.symantec.com/connect/forums/agentless-virtual-machine-antivirus-scanning
0
