VMware vShield, Symantec SAV & SEPM communication issue -- VM clients not showing in SEPM

These are the primary requirements.

VMware vSphere
One of these versions:
ESXi 5.1
ESXi 5.0 Update 1
ESX 4.1, with Patch ESX410-201107001

VMware vShield
One of these versions:
VMware vShield Manager 5.1 with VMware vShield Endpoint 5.1
VMware vShield Manager 5.0 Update 1 with VMware vShield Endpoint 5.0 Update 1

Note: You must use vShield Manager to deploy vShield Endpoint to each host you want to manage.

Have you met the pre-requites?

From the Symantec aspect, I was thinking of the sylink.xml (for client to server comms).
see if importing manually into client helps.
http://www.symantec.com/business/support/index?page=content&id=HOWTO81111#v73083950

Some useful guides  as much to stay close
What do I need to do to install a Security Virtual Appliance?
http://www.symantec.com/docs/HOWTO81110

Installing a Symantec Endpoint Protection Security Virtual Appliance
http://www.symantec.com/docs/HOWTO81083

Configuring the Symantec Endpoint Protection Security Virtual Appliance installation settings file
http://www.symantec.com/docs/HOWTO81082

Abhilash,

We have met all requisites, except the last one you mentioned: "..use vShield Manager to deploy vShield Endpoint to each host you want to manage." I am working on it now and will let you now about the progress. Thanks so much.

breadtan,

I followed Symantec installation guide 12.1.2 (Ch 29 to 32) to install their SVA. I also used their latest Best Practices article TECH197344, so I think SVA is working OK. May look at your links if the need arises. Thanks.

Abhilash,

Sorry, I did not read your suggestions very carefully. I had already installed vShield Endpoint on all 4 hosts, right after installing vShield manager.

(In fact, in my original question, this statement was proof that vShield Endpoint were installed "- In vCenter, the Endpoint portion of vShield tab of each host shows entries for Symantec-SVA and various VMs 'Thin Agent enabled'. All events are normal; none critical.")

I have also installed vShield or VMCI Drivers from VMware tools on each VM. Unfortunately, the vShield tab of these VMs still show status as "Unprotected" under Services column.

Any other suggestion for troubleshooting? Do you need to look at any screen-shots? Thanks.

breadtan,

The last 3 links you cited are included -- almost verbatim -- in the latest Symantec SEP_12.1.2 installation guide that I used (Ch 29-31).

About the first suggestion, I had exported the sylink.xml file and pointed to it during installation of SAV. The policy has changed a bit since, so newly exported sylink.xml will be  different but I don't know how to update SAV with new sylink.xml. In VM machines, I don't see SEP client installed so the file cannot be imported directly there. Thanks.

I meant Symantec Security Virtual Appliance or SVA, not SAV in previous posting.

I saw it from the ova installatiin instead...

http://www.symantec.com/business/support/index?page=content&id=HOWTO81082#v66232253

You can change the datastore prompt to zero if you want to install automatically on the first datastore for the ESXi host.

<Installation>         
          <location_of_package>path to OVA file</location_of_package>
          <esx_ip_address>192.168.x.z</esx_ip_address>
          <sylink_xml>./sylink.xml</sylink_xml>
          <datastore_prompt>1</datastore_prompt>
 </Installation>

Akulsh,

You can ignore the UNPROTECTED status at the VM level vShield tab as it shows the status of the App Firewall.
You should be seeing protected for the VM's on the ESxi's vShield Tab.

breadtan,

I am very familiar with these settings.

BTW, to get the updated sylink.xml file incorporated, I uninstalled and reinstalled one Symantec SVA with new sylink.xml file. This has not made any difference yet.

By the way, I am installing these Symantec SVA appliance VMs on local hard disks of the 4 VMware hosts, since there is a lot of space there. Is there anything wrong with that? If so, how since these VMs are not to be migrated between hosts? Thanks.

Abhilash,

You say - "You should be seeing protected for the VM's on the ESxi's vShield Tab."

In VMware hosts' vShield tab, there are 2 sections.
in General, vShield Endpoint shows as Installed. Also Symantec SVA shows as Active SVM.
In Endpoint, there are 0 critical events and 9 normal events. All VMs show as "thin agent enabled."

Where should I see 'protected'? Also why these VMs are not showing as clients in SEPM? Thanks.

>>By the way, I am installing these Symantec SVA appliance VMs on local hard disks of the 4 VMware hosts, since there is a lot of space there. Is there anything wrong with that? If so, how since these VMs are not to be migrated between hosts?

<<virtual appliance is just another "guest" running and controlled centrally by the hypervisor overseeing the various guests. I do not see any difference or restriction though.
@ http://www.symantec.com/business/support/index?page=content&id=HOWTO81080

There is a good explanation from Symantec on the installation

http://www.symantec.com/connect/forums/symantec-virtual-appliance-clarification

Let’s do an example. Let’s say you have 3 datastores on your VMware host and you want the SVA to be on the third datastore. During setup it will simply ask you for the datastore number you want to install to. In this case you would type 3 and hit enter. My thoughts are is that you have to figure out your datastore problem. Here is the specific wording from the xml file

 ==============================================================

        # Datastore Selection prompt to install the SVA

        # 0 - Automatically install the SVA on the first datastore detected

        # 1 - Prompt to select datastore from available ones detected

 ===============================================================

One other thing is to check to make sure the user you are defining inside the SVA_InstallSettngs.XML file has the admin level access inside VMware to make all the changes required as part of the install.

I am not sure if this can be useful but good to validate if you have access to symantec support in the same link forum extracted

I am being told by Symantec Support the versions of vshield and ESXi I am using are not supported by Symantec Endpoint Protection Manager 12.1.2.  I am using vShield Endpoint 5.1, vShield Manager 5.1 and ESXi 5.1.  What version did you use for your setup?

I do see the install and uninstall need to do a forceclean option. I am not saying this will work but trying best to see any path not covered

http://www.symantec.com/business/support/index?page=content&id=TECH196821

A VMware Administrator can use the SVA installation tool with the "forceclean" option to remove the orphaned SVA entries from VMware vShield Manager. The forceclean option parses through the entire vCenter inventory of managed object ID's (moid), and removes the orphaned Symantec Endpoint Protection SVA entries from VMware vShield Manager.

Usage:
Java –jar Symantec_SVA_install.jar –s SVA_InstallSettings.xml –forceclean

<<Also by default client and SEPM server is communicating via port no 8014. We should see traffic from those guest if they are configured correctly as expected.

Akulsh,

It should look something like this
http://www.vdicloud.nl/wp-content/uploads/2012/03/slide11.png

breadtan,

I am using vShield Manager 5.1 and ESXi 5.1. They should work with Symantec Endpoint Protection Manager 12.1.2.

The Symantec-SVA installations give no error, as indicated by install log and displayed messages.

Abhilash,

I am enclosing screen-shot of my vShield manager. Its simply says VM and not Protected VM. What AV program are you using?
I have gone over the vShield installation and upgrade guide and have not found anything missing, unless "Lookup service" and "security token service" are required for EndPoint. Not even sure what these services are. DNS is working fine, by the way.
Thanks.
Not-yet-protectedVMs.gif

Also for uninstallation the forceclean option is just to make sure the reinstallation does not have any remnant from past installation. Just in case you are doing uninstall and install when trying.

Status Unknown issue - http://www.symantec.com/connect/forums/shared-insight-cache-1212-vshield-security-virtual-appliance-status-unknown

I was having the same issue as above and found a VM article that states the EPSEC driver needs the guest image to be restarted. I restarted my guest, and they started working.

After weeks of working with Symantec Support and escalating the ticket, Symantec finally found an issue with the SVA_INSTALLSETTINGS.XML file.  Apparently the file has some of the relevant config settings commented out.  You need to make sure there aren't any <!-- or --> symbols around any of the config settings related to the ESX hosts or VCENTER communications.  I believe it was my SVA NETWORK CONFIGURATION that was commented out for some reason.  After reinstalling ALL the SVAs, the clients started displaying their SVA.

Comms with cache insight enabled - http://www.symantec.com/connect/forums/agentless-virtual-machine-antivirus-scanning

By default, Shared Insight cache is setup with no authentication and no SSL. As such, the default setting for the password is null. In other words, the password is blank. If you set Shared Insight Cache to Basic authentication with SSL or Basic Authentication with no SSL, you must specify a username's password that can access Shared Insight Cache.

Looks good to me.
Have you tried restarting one of the VM's and see if it shows up on SEPM?
Just to give it a shot.

Abhilash,

What AV are you using? Is it Symantec?

I have restarted a few VMs but since it made no difference, did not start all of them.

I am not sure if the VMs will show up in SEPM even when they are protected since VMware's installation guide says - SVA scans guest virtual machines from the outside, removing the need for agents in every virtual machine.

There is also a sylinkdrop.exe to restore the client and server comms, compared to manual reinstall.

http://www.symantec.com/business/support/index?page=content&id=HOWTO81179#v8527901

Likewise, Checking the connection to the management server on the client computer
On the Status page, click Help > Troubleshooting.

In the Troubleshooting dialog box, click Connection Status.
In the Connection Status pane, you can see the last attempted connection and the last successful connection.
To reestablish a connection with the management server, click Connect Now

breadtan,

As I stated in my last posting, in the vShield and Symantec SVA setup, there are no agents or clients on any VM. The SVA on each VMware host scans them from outside. In other words, there is no  direct communication between the management (SEPM) server and the client computers.

Akulsh,

Better thing is to post a question on Symantec community asking if anyone has done this above setup and confirm if the VM's show up on SEPM.
That would sole the doubt.

understand that file actually is just part of the SVA installation which is stated in the <sylink_xml> pathname in the SVA_InstallSettings.xml. This for SVA to SEPM so it is fine then. SVA just scan files which in a common repository (their so called SIC) and if deem good the other GVM do not need to check further...EPSEC (vShield thin agent) in each GVM transfer those files to the SVA rather than do other ‘work’ in the guest. So far from the image, it dose looks alright.

SVA has by default Installation (or depending on "Log File" inside "Installationfolder\SharedInsightCacheInstallation.exe.config") folder/CacheServer.log to see any events that SIC creates, this will log errors if there is any, depending also on the "Log Level". For info type it is something like
[|] 4 | 12/15/2010 10:51:37 | INFO | CacheServerService.Service | Started service [-]

You may already know on these...
The vShield Endpoint host component adds two firewall rules to the ESX host: The vShield-Endpoint-Mux rule opens ports 48651 to port 48666 for communication between the host component and partner security VMs. The vShield-Endpoint-Mux-Partners rule may be used by partners to install a host component. It is disabled by default. Also VMWare advices that vCenter is not running on a vShield App protected host that it is managing

I was searching the past version (I know it kinda redundant) but just thought sharing if it helps

After deploying an SVM to an ESX host, the Endpoint Status panel does not report the status of that SVM. This is because the vShield Manager does not propagate some configuration parameters to the SVM until an inventory change occurs in the vCenter Server. Workaround: Perform an inventory change in the vCenter Server, such as suspending and then resuming that virtual machine.

On the EPSec status page, events may be reported for the wrong VM if two or more VMs share the same BIOS UUID. Workaround: Change the UUID of one or more of the virtual machines. http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1002403

Sorry, Symantec has not yet come up with any solution. Still working with them. (So few engineers there seem to understand integration with VMware.)

Just an update:

Nothing resolved yet. Symantec insists that each VM must have AV client installed and VMware says, No,  that should not be necessary.

One VMware guy is supposedly talking with Symantec to sort things.

VMware is still trying to convince Symantec to look into their implementation of vShield manager.

Finally VMware engineer was able to find a posting by 2 Symantec engineers which clarified that Symantec's implementation of vShield manager is only partial, and does not provide agentless scanning of VMs. (The Symantec Engineer who was helping me did not know this fact.)

http://www.symantec.com/connect/forums/agentless-virtual-machine-antivirus-scanning