SEPM:Remote SEP deployment within a domain

Security 6 Minutes

Introduction
This post demonstrates how Symantec Endpoint Protection (SEP) agent is deployed within a domain.

Symantec endpoint protection manager supports intra domain SEP agent deployment, next time I would want to try if it is possible to do inter domain SEP agent deployment.

I have downloaded SEP trialware and tried it on my VM workstation. VMware Workstation is a great tool for learning and testing.

Organization Unit structure and deployment strategy

Within the red box are organization units (OU) which I have created.
Within the red box are organization units (OU) which I have created.

FOR_SEP_DEPLOYMENT OU is created as a convenience for me to group all domain computers because I want to distribute Windows firewall group policy to these newly joined computers.

SEP requires the SMB ports (UDP137 and UDP138, TCP139 and TCP 445) to be enabled for initial deployment, the SMB ports are the ports which file and printer sharing is using.

After the SEP agents are deployed the computers will be moved to their intended OU.

Configure Windows firewall with GPO
Group Policy Object (GPO) contains policy which you have configured, the GPO will be linked to the OU, objects contained within the OU will receive the configured policy.

If you cannot find Group Policy Management, you can either use MMC to create a snap-in or install the Group Policy Management feature with Server Manager.

Group Policy Management feature.
Group Policy Management feature.
MMC, select File > Add/Remove Snap-in or use short cut key CTRL-M, then select Group Policy Management, and save the snap-in.
MMC, select File > Add/Remove Snap-in or use short cut key CTRL-M, then select Group Policy Management, and save the snap-in.

The path to find the legacy Windows Firewall configuration in Group Policy Editor is Computer Configuration –> Administrative Templates –> Network –> Network Connections

You will see a sub folder which says Windows Firewall; this Windows Firewall group policy is legacy, however you only need to enable ICMP echo request and File and Printer sharing rules which will work on Windows 7 32/64-bit.

Windows Firewall policy location
Windows Firewall policy location

Select Windows Firewall then click on Domain Profile.

SEPM-WSUS-2013-06-06-00-16-52

Enable the policy as shown, you can choose whether you need logging or not for dropped packets.
Enable the policy as shown, you can choose whether you need logging or not for dropped packets.
I specify my SEPM, DC1 and DC2 IP address in the Allow inbound file and printer sharing exception policy.
I specify my SEPM, DC1 and DC2 IP address in the Allow inbound file and printer sharing exception policy.
Choosing Echo request is suffice on Allow ICMP exceptions policy.
Choosing Echo request is suffice on Allow ICMP exceptions policy.
Link the GPO to my FOR_SEP_DEPLOYMENT OU
Link the GPO to my FOR_SEP_DEPLOYMENT OU

Join domain
This section briefly introduces how a computer joins a domain.

Configure the IP parameters and include the DC1 and DC2 in the DNS. Domain controllers rely on DNS to do domain name resolution this is the basis of AD.
Configure the IP parameters and include the DC1 and DC2 in the DNS. Domain controllers rely on DNS to do domain name resolution this is the basis of AD.
Go to Computer properties, change your computer name and join the domain.
Go to Computer properties, change your computer name and join the domain.
Enter the domain administrator credential.
Enter the domain administrator credential.
You will receive a welcome dialog box once successful.
You will receive a welcome dialog box once successful.
Computer that joined domain successfully will appear in Computers OU.
Computer that joined domain successfully will appear in Computers OU.
Move the computer to the OU that you intend for SEP deployment.
Move the computer to the OU that you intend for SEP deployment.
Computer will receive the Windows firewall policy, normally for group policy to be pushed to the domain computer it takes hours by default. You can speed up the process by using gpupdate /force on the client computer.
Computer will receive the Windows firewall policy, normally for group policy to be pushed to the domain computer it takes hours by default. You can speed up the process by using gpupdate /force on the client computer.
The rules in the red box are the rules from the group policy.
The rules in the red box are the rules from the group policy.
The SMB rules from group policy.
The SMB rules from group policy.

To sidetrack, if you wish to configure customized rules on Windows 7 firewall with group policy you cannot use legacy Windows Firewall policy, instead use the Windows Firewall with Advanced Security policy.

Use the Windows Firewall with advanced security to configure customized rules for your domain computers that are installed with modern Windows OS (Win7, Win8, Windows 2008 and above)
Use the Windows Firewall with advanced security to configure customized rules for your domain computers that are installed with modern Windows OS (Win7, Win8, Windows 2008 and above)

Add LDAP server on SEPM
You need to add LDAP server on your Symantec Endpoint Protection Manager (SEPM). SEPM has a structure that looks similar to AD users and groups.

The groups within the red box are not created by me but imported from AD.
The groups within the red box are not created by me but imported from AD.

Select My Company which is the root of the tree, you will see Import Organization Unit or container.
Select My Company which is the root of the tree, you will see Import Organization Unit or container.

Import OU from AD also imports the objects that reside in the OU. Since my SEP policy is based on machine, importing OU is suffice.

Before you can import anything from AD you need to add LDAP server.

Click on Admin, then select Servers. Select the SEPM server which has your server's hostname, the localhost contains database. Select the SEPM server then click edit the server properties.
Click on Admin, then select Servers. Select the SEPM server which has your server’s hostname, the localhost contains database. Select the SEPM server then click edit the server properties.
Select Directory Servers tab and add your AD.
Select Directory Servers tab and add your AD.
Enter the domain name or IP address of your DC. I put secondary DC address in Replication Server tab.
Enter the domain name or IP address of your DC. I put secondary DC address in Replication Server tab.
Insert secondary DC into the Replication Server tab.
Insert secondary DC into the Replication Server tab.
Use the administrator credential, or whichever credential that has domain rights to enumerate OUs
Use the administrator credential, or whichever credential that has domain rights to enumerate OUs
Enumerate the OU by choosing the directory server profile.
Enumerate the OU by choosing the directory server profile.

Choose the OU that you need to include in SEPM. Whenever you move objects from one OU to another OU, SEPM can sync with AD and place the object in the correct group on SEPM.

Although SEP4 was moved to FOR_SEP_DEPLOYMENT OU, SEP4 does not appear in the respective SEPM group. You need to right click the group and choose Sync Now; SEPM will sync its group database with AD.
Although SEP4 was moved to FOR_SEP_DEPLOYMENT OU, SEP4 does not appear in the respective SEPM group. You need to right click the group and choose Sync Now; SEPM will sync its group database with AD.
SEP4 appears in the group after sync now was clicked. SEP4 is offline because no SEP agent was deployed.
SEP4 appears in the group after sync now was clicked. SEP4 is offline because no SEP agent was deployed.

Deploy SEP agent
SEPM needs to turn on Computer Browser service in order to enumerate the computers in the domain or workgroup.

If you want SEPM to search the network automatically, you need to turn on network discovery on the domain on SEPM. But this is not necessary, you can search manually by giving an IP address range.

Select the group you want to add client and click on Add Client.

This is new deployment so choose the default.
This is new deployment so choose the default.
You can customized your install feature set profile, however I want domain computer to get the full version so the default is fine.
You can customized your install feature set profile, however I want domain computer to get the full version so the default is fine.
Choose the default - Remote Push.
Choose the default – Remote Push.
If you want to use network discovery to allow SEPM to automatically enumerate the computers turn on Network discovery on Domain profile.
If you want to use network discovery to allow SEPM to automatically enumerate the computers turn on Network discovery on Domain profile.
Turning on network discovery will allow SEPM to enumerate the computers in the domain.
Turning on network discovery will allow SEPM to enumerate the computers in the domain.
Alternatively search the network manually by entering the IP address range.
Alternatively search the network manually by entering the IP address range.
Enter the domain administrator credential. SEPM needs administrator account to deploy and install the agent on the computers. If you use workgroup you need to unhide administrator account on Windows 7 then create password for the administrator account.
Enter the domain administrator credential. SEPM needs administrator account to deploy and install the agent on the computers. If you use workgroup you need to unhide administrator account on Windows 7 then create password for the administrator account.
SEPM attempts to login with your administrator credential.
SEPM attempts to login to SEP4 with domain administrator credential.
Successful login will display the domain computer on the right box.
Successful login will display the domain computer on the right box.

Click next and send and until finish.

Click Send button to send the agent to the domain computer.
Click Send button to send the agent to the domain computer.
SEP agent has been successfully pushed to the domain computer.
SEP agent has been successfully pushed to the domain computer.
On your DC move the domain computer to the intended OU.
On your DC move the domain computer to the intended OU.

After you have moved the domain computer to the intended OU, you need to right click the group on SEPM and click sync now.

Reboot the domain computer.
Reboot the domain computer.
SEP agent is offline because after domain computer has moved, the previous agent report status was gone. Eventually the SEP agent will come online because the agent will report status back to SEPM. But if you are impatient you can initiate Update policy from domain computer.
SEP agent is offline because after domain computer has moved, the previous agent report status was gone. Eventually the SEP agent will come online because the agent will report status back to SEPM. But if you are impatient you can initiate Update policy from domain computer.
Initial manual update policy action on domain computer.
Initial manual update policy action on domain computer.
SEP4 back online.
SEP4 back online.
Advertisement

Published by cyruslab

Published

One thought on “SEPM:Remote SEP deployment within a domain

  1. Hello,
    thanks for this article, can you help on how to deploy SEPM within multiple vlans or interdomain environment.

    Thanks

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s