Symantec Endpoint Protection Installation and Administration Guide

Portugues Chinese (Simplified) Czech Deutsch Español Français Italian Japanese Korean Polish Russian Chinese (Traditional) English

Configuring encrypted communication between Symantec Endpoint Protection Manager and Microsoft SQL Server

Symantec Endpoint Protection Manager uses a certificate to authenticate communications between the
Symantec Endpoint Protection
 (SEPM) and the Microsoft SQL Server Express or SQL Server databases. You must generate the certificate and import it into the
Symantec Endpoint Protection Manager
 computer for SEPM to connect to either SQL Server database. If the certificate does not exist, is expired, or is about to expire, the connection between SEPM and the database fails.
You can install or upgrade the management server and either SQL Server database if you have not imported the certificate. However, the Management Server Configuration Wizard detects whether the certificate is already expired or expires within the next 30 days. SEPM sends a notification every day until the 30 days is over to remind the administrator to import the certificate. You may see the following message:
Within the next 30 days, Symantec Endpoint Protection Manager will no longer be able to connect to the Microsoft SQL Server database because SQL Server uses a certificate that is about to expire.
Step 1: Generate a self-signed certificate
If your organization does not already have a Certificate Authority (CA) signed certificate, you must generate one. This step describes how to generate and replace the default self-signed
Symantec Endpoint Protection Manager
 (SEPM) certificate with a CA-signed certificate.
Step 2: Configure a permanent certificate for SQL Server
You must enable encrypted connections for an instance of the SQL Server Database Engine and must use SQL Server Configuration Manager to specify the certificate. See "Configure the SQL Server" at: Enable encrypted connections to the Database Engine
Step 3: Import the SQL Server certificate into Windows on the
Symantec Endpoint Protection Manager
 computer
The management server computer must have the SQL Server public certificate provisioned. To provision the certificate on the management server computer, you import it into Windows. The server computer must be set up to trust the certificate's root authority.
  1. On the Windows Server where SEPM is installed, right click the certificate.
  2. In the Certificate Import Wizard, follow the steps to import the certificate.
    Under
    Store Location
    , select
    Local Machine
    :
    Select
    Place all certificates in the following store
    , click
    Browse
    , and in the Select Certificate Store dialog box, click
    Trusted Root Certification Authorities
    :
  3. Click
    OK
    , and then click
    Next
    .
Step 4: Configure permissions for the
jre11
 folder
If your SQL Server is configured using a domain admin with Windows authentication, the domain admin needs to have
Read & execute
,
List folder contents
, and
Read
 permissions for the
jre11
 folder on the
Symantec Endpoint Protection Manager
 server.
  1. On the Symantec Endpoint Protection Manager server, go to
    \...\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager
     folder, right-click the
    jre11
     folder, and click
    Properties
    .
  2. In the file properties window, on the
    Security
     tab, click
    Advanced
    .
  3. In the
    Advanced Security Settings
     window, on the
    Permissions
     tab, click
    Add
    .
  4. In the
    Permissions Entry
     window, click
    Select a principal
    .
  5. In the
    Select User, Computer, Service Account, or Group
     window, add the
    domainadmin
     user, and click
    OK
    .
  6. In the
    Permissions Entry
     window, click
    OK
    .
  7. In the
    Advanced Security Settings
     window, on the
    Permissions
     tab, select
    domainadmin
    , and click
    Change
    .
  8. In the
    Select User, Computer, Service Account, or Group
     window, add the
    domainadmin
     user again, and click
    OK
    .
  9. In the
    Advanced Security Settings
     window, check
    Replace owner on subcontainers and objects
    , check
    Replace all child object permission entries with inheritable permission entries from this object
    , click
    Enable inheritance
    , and click
    Apply
    .
  10. Click
    Yes
     and
    OK
     to confirm.
  11. In the file properties window, make sure that the
    domainadmin
     user has now all required permissions, and click
    OK
    .
Step 5: Open the Management Server Configuration Wizard and complete the Server Configuration with
Windows Authentication
 option
To open the wizard, go to
\...\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\bin
 folder, and double-click
sca.exe
 file.
Step 6: Check if the communication is encrypted and using the SQL Server certificate
  1. On the management server, open the following file:
    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\conf\Catalina\localhost\root.xml
     and make sure that
    encrypt=true
     and
    trustServerCertificate=false
    .
  2. On the SQL Server, open
    Protocols for MSSQLSERVER Properties
    , and check if
    Force Encryption=Yes
    .
  3. On the SQL Server, run the following query, to check if the connection between
    Symantec Endpoint Protection Manager
     and SQL Server is encrypted: 
    SELECT session_id, connect_time, net_transport, encrypt_option, auth_scheme, client_net_address FROM sys.dm_exec_connections
    Check if
    encrypt_option=TRUE
    .