protocol
Symantec AntiVirus management communications no
longer support the IPX protocol.
Required protocols
If your servers and clients run firewall software, and you want to manage these
servers and clients, you must open these ports. Alternatively, permit
Rtvscan.exe on all computers and Pds.exe on servers and consoles to send and
receive traffic through your firewalls. Also, remote server and client installation
tools require that TCP ports 139 and 1024 - 5000 be opened.
System requirements
Note: The installation scripts do not check to verify that Internet Explorer 5.5
with Service Pack 2 or later is installed on computers when it is required. If the
target computers do not have the correct version of Internet Explorer, the
installation fails without informing you.
Windows XP with Service Pack 2 and Windows Server 2003 include a firewall
called Windows Firewall that can interfere with remote Symantec AntiVirus
installation and with communications between servers and clients. If any of your
servers or clients run Windows XP with Service Pack 2 or Windows Server 2003,
you can disable the firewall on them before you install Symantec AntiVirus
clients.
To disable Windows Firewall
1 On the Windows XP taskbar, click Start > Control Panel.
2 In the Control Panel window, double-click Network Connections.
3 In the Network Connections window, right-click the active connection, and
then click Properties.
discovery by using TCP port 39263. If you want to install Symantec AntiVirus
clients remotely, you must also open TCP ports 1024 - 4999 on your servers
before installation. Legacy communications also require that UDP port 2967 be
open on all computers.
Depending on your XP operating system and service pack, you might be able to
open individual ports or specify programs that you want to trust to
communicate through your firewall. Consult your Windows documentation for
information on how to configure your firewalls.
Note: This default does not apply to Windows XP computers that are installed in
a domain.
To permit remote software installation on Windows XP computers
1 Click Start > Settings > Control Panel > Administrative Tools > Local
Security Policy > Local Policies > Security Options.
2 Locate the policy for Network access: Sharing and Security model for local
accounts.
3 Change the setting from Guest only - local users authenticate as Guest to
Classic - local users authenticate as themselves.
Install Instructions
Installation sequence
The following list shows the order in which you install and configure
management, server, and client software:
Install the Symantec System Center.
Install Symantec AntiVirus management server and configure it as a
primary management server.
Install Symantec AntiVirus client software.
For example, when you unlock a server group that contains a migrated primary
management server for the first time with this version of the Symantec System
Center console, you are prompted to copy the server group root certificate to the
computer on which you installed this version of the Symantec System Center
console. For details about SSL, certificates, and how Symantec AntiVirus
implements certificates, refer to the Symantec AntiVirus Reference Guide.
First-time and existing customers should understand the following information:
You should securely remove the server group private key from the
\pki\private-keys directory on the primary management server after you
create a primary management server and all secondary management
servers. Copy the key to removable media, and then delete the key from the
\pki\private-keys directory on the primary management server and from
the Recycle Bin. Optimally, use a secure delete utility.
If you remove the server group private key after you configure a primary
management server, you must restore the private key to the primary
management server before you can add secondary management servers to
the server group.
If you promote a secondary management server to a primary management
server, and if the server group private key is on the primary management
server, the key is not copied to the newly promoted primary management
server as a security precaution. You must restore the server group private
key to the newly promoted primary management server before you can add
secondary management servers to the server group.
You must never lose your server group private key.
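One way to check the key-removal step above, as an added example that is not Symantec code: confirm that the copy on removable media is byte-identical to each file under \pki\private-keys before deleting anything, then confirm that the directory is empty afterwards. The function names, the install-root and backup paths, and the sample file name are assumptions; the script does not perform secure deletion and does not inspect the Recycle Bin.

```python
import hashlib
import tempfile
from pathlib import Path

# Relative path named in the guide; the install root is site-specific (assumption).
KEY_SUBDIR = Path("pki") / "private-keys"


def sha256_of(path: Path) -> str:
    # Key files are small, so reading them whole is acceptable here.
    return hashlib.sha256(path.read_bytes()).hexdigest()


def unverified_keys(install_root: Path, backup_dir: Path) -> list[str]:
    """Key files that have no byte-identical copy in backup_dir."""
    key_dir = install_root / KEY_SUBDIR
    problems = []
    for key in sorted(p for p in key_dir.rglob("*") if p.is_file()):
        copy = backup_dir / key.relative_to(key_dir)
        if not copy.is_file() or sha256_of(copy) != sha256_of(key):
            problems.append(key.relative_to(key_dir).as_posix())
    return problems


def remaining_keys(install_root: Path) -> list[str]:
    """Files still present under pki/private-keys (expected: none after removal)."""
    key_dir = install_root / KEY_SUBDIR
    if not key_dir.is_dir():
        return []
    return sorted(p.relative_to(key_dir).as_posix()
                  for p in key_dir.rglob("*") if p.is_file())


def demo() -> dict:
    """Constructed sample: a fake install root and a truncated backup copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root, media = Path(tmp) / "server", Path(tmp) / "media"
        (root / KEY_SUBDIR).mkdir(parents=True)
        media.mkdir()
        key = root / KEY_SUBDIR / "sample-group.key"  # constructed file name
        key.write_bytes(b"constructed key material, not a real key")
        (media / key.name).write_bytes(b"constructed key mat")  # truncated copy
        bad = unverified_keys(root, media)   # backup must be rejected
        (media / key.name).write_bytes(key.read_bytes())  # complete copy
        good = unverified_keys(root, media)  # now safe to delete
        before = remaining_keys(root)
        key.unlink()  # stand-in for the secure-delete utility
        return {"bad": bad, "good": good, "before": before,
                "after": remaining_keys(root)}
```

Delete the key from the server only when `unverified_keys` returns an empty list, and treat any entry from `remaining_keys` after the removal as a finding.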
By default, the system clocks of all management console computers, servers,
and clients must be within 24 hours, plus or minus, of the system time on the
primary management server. If this time requirement is not met, servers and
clients will not authenticate the user who is logged on to the Symantec System
Center, and communications will fail. The plus time value is the value that is
specified for the time validity of the login certificate. You can change both of
these values by using the Configure Login Certificate Settings dialog box in the
Symantec System Center.
All communications (except one) between clients and servers now occur over
TCP, while legacy communications continue to occur over UDP. The
communications exception is that Discovery still occurs over UDP port
38293.
When you migrate a legacy primary management server to this version of
Symantec AntiVirus, and if its server group contains legacy servers and
clients, the migrated primary management server will continue to support
legacy servers and clients over UDP.
New server groups now authenticate with a user name and password, while
legacy server groups authenticate with a password only. During the first
server migration in a server group, you are prompted to type a user name.
The name that you enter is the user name that you use to unlock the legacy
server groups. The password that you use to unlock the legacy server group
remains the same. The default user name is admin.
If you create a new server group and a new primary management server by
using this version of Symantec AntiVirus, legacy support over UDP is
disabled by default in that server group. You can enable legacy support in
that server group by using the Server Tuning Options dialog box in the
Symantec System Center.
You cannot manage newly installed servers and clients with legacy server
groups or legacy Symantec System Center consoles.
All newly installed or upgraded Symantec System Center consoles must run
on the new version of Symantec AntiVirus, on either a management server
or a managed client.
As you migrate clients to this version, consider creating a new server group
or groups by using the new version of the Symantec System Center,
migrating existing clients, and then dragging and dropping them to a new
server group or groups.
The NT Remote Install client installation option in the Symantec System
Installing Symantec AntiVirus management components
Symantec System Center installation and Terminal Services
The Symantec System Center installation is not permitted on supported
Windows server operating systems when the following services run:
Terminal Server and Services
Fast Switching
Remote Assistance
Remote Desktop
Most server-side assistant services prevent the Symantec System Center
installation. To install the Symantec System Center on supported Windows
server operating systems, you must first stop these services, after which you can
install the Symantec System Center. After installation, you can then restart and
use these services.
You can prevent users from running manual scans in Terminal sessions by
doing the following:
Restrict the Windows Start menu and directories for Symantec AntiVirus to
prevent users from running manual virus scans.
Use the Application Security (AppSec) registration utility to restrict
nonadministrator users to running only the programs that are included in
an administrator-defined list of applications.
You can prevent users from running virus scans during Terminal sessions on a
Windows 2000/2003 Terminal Services server using Application Security
(AppSec). For Windows 2000/2003 Terminal Services, AppSec is included in the
Windows 2000/2003 Server Resource Kit.