About configuring the connection to SEPM

For Symantec Endpoint Detection and Response to communicate with your endpoints, you must configure a connection to the SEPM management server. The following is important information that you should know about setting up this connection.
Topics in this section include the following:
Communication protocols, ports, and certificates
Symantec recommends that all SEP endpoint configuration settings use HTTPS and port 443 for communicating with Symantec EDR version 3.0 and later. For SEP endpoints to communicate with Symantec EDR through this secure protocol, the endpoints must have a valid SSL certificate installed, allowing secure communication with Symantec EDR. The SEP communication configuration dialog on Symantec EDR provides a mechanism to configure the SEP port and protocol communication settings on SEPM using SEP’s private APIs. In addition, when the SEP communication settings are saved on Symantec EDR, Symantec EDR’s SSL certificate is also pushed to the endpoints so that they can securely communicate with Symantec EDR over HTTPS. The certificate that is pushed down to endpoints through this mechanism is the certificate that is configured on Symantec EDR at the time the settings are saved. This certificate is either the default built-in, self-signed Symantec EDR certificate or another trusted certificate that has been uploaded through the EDR appliance console.
Only SEP endpoints that run 14.0 RU 1 or later can take advantage of Symantec EDR’s private APIs to automatically receive Symantec EDR’s SSL certificate through this mechanism. If you have an environment with endpoints that run a previous version of SEP, you must install Symantec EDR’s SSL certificate separately so that the endpoints securely communicate with Symantec EDR.
Important considerations about connections to multiple SEPM instances
  • Up to ten connections to SEPM have been tested and are supported, but you can have any number of connections in your configuration.
  • If you have multiple connected SEPM instances at a site (that is, the SEPM instances share a database), create a connection to only one SEPM per site in the EDR appliance console. If multiple SEPMs from the same site attempt to connect to the same Symantec EDR management platform, they compete for authentication credentials and might not operate properly.
  • With multiple connected SEPM instances per site, commands from Symantec EDR are sent to the shared database by the SEPM instance that is connected to Symantec EDR. Therefore, all shared SEPM instances perform the command properly. But only the SEPM instance that executed the command may have the record of the command in the SEPM console.
  • Click the following link to learn more about how to use replication between SEPM instances. For more information on how to set up sites and configure replication in SEPM, see the following sections in the Symantec Endpoint Protection 14.0.1.x/14.1 Installation and Administration Guide: Configuring the management server and Managing sites and replication. You can find the guide at article.DOC10654.html.
  • Consider carefully your deployment strategy of Symantec EDR when working with a complex SEP environment. You can reduce the amount of time to propagate commands by not using replication in SEP and having Symantec EDR individually connect to each SEPM instance. However, that may not be compatible with your current SEP strategy.
Important considerations about multiple domains in your SEP management server
  • You must create a separate SEPM connection for each configured domain. See the Symantec Endpoint Protection documentation for a complete description of the domains that SEP defines.
  • If you don't create a SEPM connection for a defined domain in your environment, the commands that are sent to SEPM are not forwarded to resources in the domain.
  • You may see an error when sending a command to resources in domains without configured connections. Check the Logging > Actions page to determine which resources have not executed the command. Define a SEPM connection for the domain that is associated with those resources to resolve the issue.
Location of SEPM and SEP endpoints
SEPM and SEP endpoints must be on separate computers for the ECC commands to function properly. Otherwise, when an endpoint is isolated (quarantined), there is no way to rejoin (unquarantine) it. The reason is that isolating the endpoint also isolates the SEPM, so the connection between Symantec EDR and SEPM is blocked.
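
The considerations above can be applied as a pre-flight check over a planned deployment inventory. The following is an added example, not Symantec code: the inventory layout, the hostnames, site and domain names, and the (major, minor, release update) version tuple are all assumptions made for illustration.

```python
# Constructed sample inventory: every hostname, site and domain name is hypothetical.
CONNECTIONS = [  # SEPM connections planned in the EDR appliance console
    {"sepm": "sepm-a1", "site": "site-a", "domain": "Default"},
    {"sepm": "sepm-a2", "site": "site-a", "domain": "Default"},  # second SEPM, same site
    {"sepm": "sepm-b1", "site": "site-b", "domain": "Default"},
]
DOMAINS = {"site-a": ["Default"], "site-b": ["Default", "Finance"]}  # domains per site
ENDPOINTS = [  # SEP clients; version is (major, minor, release update), an assumed encoding
    {"host": "ws-01", "version": (14, 0, 1)},
    {"host": "ws-02", "version": (12, 1, 6)},
    {"host": "sepm-b1", "version": (14, 2, 0)},  # SEP client installed on a SEPM host
]
MIN_AUTO_CERT = (14, 0, 1)  # 14.0 RU 1: earliest SEP that receives the EDR certificate automatically


def preflight(connections, domains, endpoints):
    """Return (rule, subject, detail) findings for the rules described on this page."""
    findings = []

    # Rule: connect to only one SEPM per site (instances at a site share a database).
    hosts_by_site = {}
    for conn in connections:
        hosts_by_site.setdefault(conn["site"], set()).add(conn["sepm"])
    for site, hosts in sorted(hosts_by_site.items()):
        if len(hosts) > 1:
            findings.append(("multiple-sepm-per-site", site, sorted(hosts)))

    # Rule: every configured domain needs its own SEPM connection,
    # otherwise commands are not forwarded to resources in that domain.
    covered = {(conn["site"], conn["domain"]) for conn in connections}
    for site, names in sorted(domains.items()):
        for name in names:
            if (site, name) not in covered:
                findings.append(("domain-without-connection", site, name))

    sepm_hosts = {conn["sepm"] for conn in connections}
    for ep in endpoints:
        # Rule: SEP older than 14.0 RU 1 needs the EDR SSL certificate installed separately.
        if ep["version"] < MIN_AUTO_CERT:
            findings.append(("manual-cert-install", ep["host"], ep["version"]))
        # Rule: SEPM and SEP endpoints must be on separate computers, or isolating
        # the endpoint also cuts the Symantec EDR to SEPM connection.
        if ep["host"] in sepm_hosts:
            findings.append(("sep-client-on-sepm-host", ep["host"], None))
    return findings


if __name__ == "__main__":
    for finding in preflight(CONNECTIONS, DOMAINS, ENDPOINTS):
        print(finding)
```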
Click the following link to begin the Symantec EDR/SEPM integration workflow.