2. MANAGING SEPM SERVERS
You can centrally manage all types of servers from the Admin page in
the Symantec Endpoint Protection Manager Console.
The Admin page, under View Servers, lists the following groupings:
■ Local Site
The console on the local site, databases, replication partners, such as
other consoles whose databases replicate, and optional Enforcers
■ Remote Sites
The console on any remote site, databases, replication partners, such
as other management servers whose databases replicate, and
optional Enforcers
3. MANAGING SEPM SERVERS
Starting and stopping the management server service
When you install Symantec Endpoint Protection Manager, the last step
of the Server Configuration Assistant includes a console check box
(selected by default).
If you leave the check box selected, the console automatically starts.
The management server runs as an automatic service.
If it did not start automatically, you can start it (and later stop it) by
using Services under Administrative Tools on the Start menu.
4. MANAGING SEPM SERVERS
Deleting selected servers
You may have uninstalled multiple installations of Symantec Endpoint
Protection Manager.
However, they might still display in the management server Console.
In this situation, you must delete the connections.
The most common occurrence of this situation is when you use a
Microsoft SQL database with multiple management servers connected
to it.
If one management server is uninstalled, it still appears on the other
consoles. You need to manually delete the servers that are no longer
connected.
5. MANAGING SEPM SERVERS
Exporting and importing server settings
You may want to export or import settings for a Symantec Endpoint
Protection Manager. Settings are exported to a file in XML format.
6. MAINTAINING SERVER SECURITY
All of the servers for which you can establish a connection require you to
configure third-party passwords in the Symantec Endpoint Protection
Manager.
The third-party passwords are automatically saved in the database that
you created when you initially installed the management server.
You are typically prompted to provide the third-party password during
the configuration of the following types of servers:
■ Email servers
■ Directory servers
■ RSA servers
■ Proxy servers
7. MAINTAINING SERVER SECURITY
Granting or denying access to remote Symantec Endpoint
Protection Manager consoles
You can secure the main console by granting or denying access to
those computers on which a remote console is installed. By default, all
consoles are allowed access.
Administrators can log on to the main console locally or remotely from
any computer on the network.
8. MAINTAINING SERVER SECURITY
Digital certificates are the industry standard for authenticating and
encrypting sensitive data.
If you want to prevent the reading of information as it passes through
routers in the network, you need to encrypt the data.
Therefore you need a digital certificate that uses the HTTPS protocol.
As part of this secure procedure, the server identifies and
authenticates itself with a server certificate.
9. MAINTAINING SERVER SECURITY
Symantec uses the HTTPS protocol for the communication between all
the servers, clients, and optional Enforcers in a network.
You must also enable encryption on Symantec Endpoint Protection
Manager so that the server identifies and authenticates itself with a
server certificate.
If you do not enable this option, installing a digital certificate has
no effect.
10. MAINTAINING SERVER SECURITY
The management server supports the following types of certificate:
■ JKS keystore file (.jks)
A Java tool that is called keytool.exe generates the keystore file. Symantec
supports only the Java Key Standard (JKS) format. The Java Cryptography
Extension (JCEKS) format requires a specific version of the Java Runtime
Environment (JRE). The management server supports only a JCEKS keystore file
that is generated with the same version as the Java Development Kit (JDK) on the
management server.
The keystore must contain both a certificate and a private key. The keystore
password must be the same as the key password. It is usually exported from
Internet Information Services (IIS).
■ PKCS12 keystore file (.pfx and .p12)
■ Certificate and private key file (DER and PEM format)
Symantec supports unencrypted certificates and private keys in the DER or the
PEM format. PKCS8-encrypted private key files are not supported.
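A pre-import check for the PEM case described above, as an added example that is not Symantec's code: it confirms that a PEM bundle holds a certificate and an unencrypted private key, and flags PKCS8-encrypted keys. The function names and sample blocks are constructed for illustration; DER files and keystores are not covered, and treating traditionally encrypted keys as rejected is an assumption drawn from the "unencrypted" wording.

```python
import re

# One PEM block: label, then everything up to the matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def classify_pem(text):
    """Return (kind, accepted) for every PEM block found in text."""
    results = []
    for label, body in PEM_BLOCK.findall(text):
        if label == "CERTIFICATE":
            results.append(("certificate", True))
        elif label == "ENCRYPTED PRIVATE KEY":
            # PKCS#8 EncryptedPrivateKeyInfo: listed above as not supported.
            results.append(("pkcs8-encrypted key", False))
        elif label.endswith("PRIVATE KEY"):
            # Traditional (non-PKCS#8) keys mark encryption with a Proc-Type header.
            encrypted = "Proc-Type: 4,ENCRYPTED" in body
            kind = "encrypted key" if encrypted else "unencrypted key"
            results.append((kind, not encrypted))
        else:
            results.append((label.lower(), False))
    return results

def preflight(text):
    """List the problems that would block import; an empty list means OK."""
    blocks = classify_pem(text)
    problems = [f"{kind} is not accepted" for kind, ok in blocks if not ok]
    kinds = {kind for kind, _ in blocks}
    if "certificate" not in kinds:
        problems.append("no certificate found")
    if "unencrypted key" not in kinds:
        problems.append("no unencrypted private key found")
    return problems

def _pem(label, body="AAAA"):
    # Constructed sample block: the body is a placeholder, not key material.
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

GOOD = _pem("CERTIFICATE") + _pem("PRIVATE KEY")
PKCS8_ENC = _pem("CERTIFICATE") + _pem("ENCRYPTED PRIVATE KEY")
LEGACY_ENC = _pem("CERTIFICATE") + _pem(
    "RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\nAAAA")

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("pkcs8", PKCS8_ENC), ("legacy", LEGACY_ENC)]:
        print(name, preflight(sample) or "ready to import")
```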
11. COMMUNICATING WITH OTHER SERVERS
Establishing communication between Symantec Endpoint
Protection Manager and email servers
If you want to use email notification, you need to configure the email
server on Symantec Endpoint Protection Manager.
12. COMMUNICATING WITH OTHER SERVERS
Setting up a connection between an HTTP proxy server and
Symantec Endpoint Protection Manager
If you support an HTTP proxy server in the corporate network, you
need to connect the HTTP proxy server to Symantec Endpoint
Protection Manager.
You can use the HTTP proxy server to automatically download
LiveUpdate contents.
13. COMMUNICATING WITH OTHER SERVERS
Configuring Symantec Endpoint Protection Manager to use RSA
SecurID Authentication
If your corporate network includes an RSA server, you need to install
the software for an RSA ACE Agent on the computer on which you
installed Symantec Endpoint Protection Manager and configure it as a
SecurID Authentication client.
14. MANAGING ADMINISTRATORS
You can use administrator accounts to manage Symantec Endpoint
Protection Manager.
Administrators log on to the Symantec Endpoint Protection Manager
console to change policy settings, manage groups, run reports, and
install client software, as well as other management tasks.
The default account is a system administrator account, which provides
access to all features.
You can also add a more limited administrator account, for
administrators who need to perform a subset of tasks.
15. MANAGING ADMINISTRATORS
When you install the Symantec Endpoint Protection Manager, a
default system administrator account is created, called admin.
The system administrator account gives an administrator access to all
the features in Symantec Endpoint Protection Manager.
To help you manage security, you can add additional system
administrator accounts, domain administrator accounts, and limited
administrator accounts.
Domain administrators and limited administrators have access to a
subset of Symantec Endpoint Protection Manager features.
16. MANAGING ADMINISTRATORS
You choose which accounts you need based on the types of roles and
access rights you need in your company.
For example, a large company may use the following types of roles:
17. MANAGING ADMINISTRATORS
1. An administrator who installs the management server and the
client installation packages. After the product is installed, an
administrator in charge of operations takes over. These administrators
are most likely system administrators.
2. An operations administrator maintains the servers, databases,
and installs patches. If you have a single domain, the operations
administrator could be a domain administrator who is fully authorized
to manage sites.
18. MANAGING ADMINISTRATORS
3. An antivirus administrator, who creates and maintains the Virus
and Spyware policies and LiveUpdate policies on the clients. This
administrator is most likely to be a limited administrator.
4. A desktop administrator, who is in charge of security and
creates and maintains the Firewall policies and Intrusion Prevention
policies for the clients. This administrator is most likely to be a domain
administrator.
19. MANAGING ADMINISTRATORS
5. A help desk administrator, who creates reports and has read-only
access to the policies. The antivirus administrator and desktop
administrator read the reports that the help desk administrator sends.
The help desk administrator is most likely to be a limited administrator
who is granted reporting rights and policy rights.
20. MANAGING ADMINISTRATORS
Adding an administrator account
As a system administrator, you can add another system administrator,
administrator, or limited administrator.
As an administrator within a domain, you can add other administrators
with access rights equal to or less restrictive
21. MANAGING ADMINISTRATORS
Configuring the access rights for a limited administrator
If you add an account for a limited administrator, you must also
specify the administrator's access rights.
Limited administrator accounts that are not granted any access rights
are created in a disabled state and the limited administrator will not
be able to log on to the management server.
22. MANAGING ADMINISTRATORS
Changing the authentication method for administrator accounts
After you add an administrator account, the user name and password
are stored in the Symantec Endpoint Protection Manager database.
When the administrator logs on to the management server, the
management server verifies with the database that the user name and
password are correct.
However, if your company uses a third-party server to authenticate
existing user names and passwords, you can configure Symantec
Endpoint Protection Manager to authenticate with the server.
23. MANAGING ADMINISTRATORS
Changing the password for an administrator account
For security purposes, you may need to change the password for
another administrator's account.
The following rules apply to changing passwords:
■ System administrators can change the password for all
administrators.
■ Domain administrators can change the password for other domain
administrators and limited administrators within the same domain.
■ Limited administrators can change their own passwords only.
24. MANAGING THE DATABASE
Symantec Endpoint Protection supports both an embedded database
and the Microsoft SQL Server database.
If you have more than 5,000 clients, you should use a Microsoft SQL
Server database.
Symantec Endpoint Protection Manager automatically installs an
embedded database. The database contains information about
security policies, configuration settings, attack data, logs, and reports.
25. MANAGING THE DATABASE
After you install Symantec Endpoint Protection Manager, the
management server may start to slow down after a few weeks or a
few months.
To improve the management server performance, you may need to
reduce the database storage space and schedule various database
maintenance tasks.
26. MANAGING THE DATABASE
Scheduling automatic database backups
You can schedule database backups to occur at a time when fewer
users are logged on to the network.
You can also back up the database at any time.
27. MANAGING THE DATABASE
Scheduling automatic database maintenance tasks
After you install the management server, the space in the database grows
continually. The management server slows down after a few weeks or
months.
To reduce the database size and to improve the response time with the
database, the management server performs the following database
maintenance tasks:
■ Truncates the transaction log.
The transaction log records almost every change that takes place within
the database. The management server removes unused data from the
transaction log.
■ Rebuilds the index.
The management server defragments the database table indexes to
improve the time it takes to sort and search the database.
28. MANAGING THE DATABASE
Increasing the Microsoft SQL Server database file size
If you use the Microsoft SQL Server database, periodically check the
database size to make sure that the database does not reach its
maximum size. If you can, increase the maximum size that the
Microsoft SQL Server database holds.
29. MANAGING THE DATABASE
Exporting data to a Syslog server
To increase the space in the database, you can configure the
management server to send the log data to a Syslog server.
When you export log data to a Syslog server, you must configure the
Syslog server to receive the logs.
30. MANAGING THE DATABASE
Specifying how long to keep log entries in the database
To help control hard disk space, you can decrease the number of log
entries that the database keeps. You can also configure the number of
days the entries are kept.
31. MANAGING THE DATABASE
Clearing log data from the database manually
You can perform a manual log sweep after backing up the database,
if you prefer to use this method as part of routine database
maintenance.
If you allow an automatic sweep to occur, you may lose some log data
if your database backups do not occur frequently enough.
If you regularly perform a manual log sweep after you have
performed a database backup, it ensures that you retain all your log
data.
This procedure is very useful if you must retain your logs for a
relatively long period of time, such as a year. You can manually clear
the logs, but this procedure is optional and you do not have to do it.
32. DISASTER RECOVERY TECHNIQUES
Reinstalling or reconfiguring Symantec Endpoint Protection
Manager
If you need to reinstall or reconfigure the management server, you can
import all your settings by using a disaster recovery file.
You can reinstall the software on the same computer, in the same
installation directory.
You can also use this procedure to install an additional site for
replication.
The Symantec Endpoint Protection Manager creates a recovery file
during installation. The recovery file is selected by default during the
reinstallation process.
33. DISASTER RECOVERY TECHNIQUES
Generating a new server certificate
If you reinstall Symantec Endpoint Protection Manager on a different
computer, you must generate a new server certificate.
If the original computer is corrupted or you upgrade the management
server from a previous version, you must reinstall Symantec Endpoint
Protection Manager on a different computer.
To reinstall Symantec Endpoint Protection Manager on a different
computer, you install the management server as if for the first time,
rather than with the recovery file.
34. DISASTER RECOVERY TECHNIQUES
Restoring the database
If the database gets corrupted or you need to perform disaster
recovery, you can restore the database.
To restore the database, you must first have backed it up.
You must restore the database using the same version of Symantec
Endpoint Protection Manager that you used to back up the database.
You can restore the database on the same computer on which it was
installed originally or on a different computer.
The database restore might take several minutes to complete.
Editor's notes
By default, the management server performs these tasks on a schedule. You can perform the maintenance tasks immediately, or adjust the schedule so that it occurs when users are not on their computers.
You reinstall the database settings on a different computer by using the database backup and restore utility. However, the server certificate that the new management server uses does not match the existing server certificate in the restored database. Because client-server communication uses the server certificate, you must generate a new server certificate.