In order to install Symantec Endpoint Encryption for the first time, you will need the Sysadmin and public permissions to create a new database. Once the database is installed and created, you will not longer need to be Sysadmin.
For the database user that will be used for the Symantec Endpoint Encryption day-to-day operations, you need only the following permissions:
• db_datareader
• db_datawriter
• public
For future upgrades of Symantec Endpoint Encryption, you can be db_owner and perform the installation without the need to be Sysadmin.
SEE 11.4 MP1HF1 Note for Database Access and Active Directory Hardening: While installing or upgrading the Symantec Endpoint Encryption Management Server, domain user credentials provided on the Database Access screen are successfully validated against the hardened Active Directory (with LDAP signing policy enabled). [EPG-27643]
Note on SQL Permissions and SQL Groups:
*SQL permissions must be provided to individual users and those individuals can then be used for the database accounts configured for the SEE Management Server.
*In other words, SQL users will not be granted DB access if they are part of only a security group that was provided DB access--the user itself must be provided DB access.
*The database user doing the installation must also be granted permissions to the specific SEEMS Database. Even if someone is Sysadmin, but not granted the permission on the SEEMS database, the SEE install will fail (EPG-26441).
The SQL Server requires the two following downloads:
• The Microsoft SQL Server Feature Pack
• The MSOLEDBSQL driver
For the Feature Pack, download the following software from the specified URL:
• Microsoft System CLR Types for SQL Server 2012 (32-bit)
• Microsoft SQL Server 2012 (32-bit) Management Objects
NOTE: You require these pre-requisites only when you upgrade the Management Console on a Windows Server computer.
https://www.microsoft.com/en-us/download/details.aspx?id=56041
For the MSOLEDBSQL driver (OLE DB\OLEDB Driver), download the driver from this URL:
https://docs.microsoft.com/en-us/sql/connect/oledb/download-oledb-driver-for-sql-server?view=sql-server-ver15
Note: If you have installed the Version 19.0 OLE DB driver and the installer still provides a message stating it is not installed, you can install version 18.6 as a workaround.
IMPORTANT TIP! If the above seems like a lot of stuff to install, we have an excellent tool that will both check if the features are enabled and tell you what is missing, and then **install them for you** (When run as administrator).If you would like this tool, please contact our Symantec Encryption Support team and we will be happy to provide the tool for you. This tool makes it extremely easy to get all these features installed and enabled. The name of this tool is called "CheckRolesFor_11_3_1_Plus.exe".
Prerequisite Roles Server 2019:
On Microsoft Windows Server 2019
To enable the Web service (IIS) role on a Microsoft Windows 2019 Server
1. Go to Start > Programs > Administrative Tools > Server Manager.
2. In the Dashboard, click Add roles and features.
3. In the Add Roles and Features Wizard, click Next.
4. In the Installation Type page, click Role-based or feature-based installation and then click Next.
5. In the Server Selection page, make the selection that matches your environment and then choose your server and
click Next.
6. In the Server Roles page, select Web Server (IIS).
7. In the Add Roles and Features Wizard window, click Include management tools and then click Add Features.
8. Click Next.
9. In the Features page, expand .NET Framework 4.7 Features and check .NET Framework 4.7 and ASP.NET 4.7.
10. In the Features page, check Group Policy Management.
11. In the Features page, expand Remote Server Administration Tools > Role Administration Tools and check AD
DS and AD LDS Tools.
12. Click Next.
13. In the Web Server Role (IIS) page, click Next.
14. In the Role Services page, expand Web Server > Security and select Basic Authentication and Windows
Authentication.
15. In the Role Services page, expand Web Server > Application Development and check the following:
• .NET Extensibility 4.7
• ASP .NET 4.7
• ISAPI Extensions
• ISAPI Filters
16. In the Role Services page, expand Management Tools and check the following:
• IIS Management Console
• IIS 6 Management Compatibility (check all four entries)
• IIS Management Scripts and Tools
17. Click Next.
18. In the Confirmation page, click Install.
19. In the Results page, click Close.
You will also need to install the IIS role on the server in order to be able to use the Web Service for communications as well as some additional roles.
For a comprehensive list of all these items needed for the installation, see our help page and Installation/Admin Guide.
If you need any assistance installing the Symantec Endpoint Encryption Server, please feel free to reach out to our Encryption Support team and we are happy to assist.
Symantec Encryption Manager on standard Windows Operating Systems, such as Windows 10.
Some situations may necessitate installing the Symantec Endpoint Encryption Management Server (SEEMS) Consoleon a computer other than the server it was originally installed on.
This is useful if you want administrators to run reports, create SEE Clients, or manage Helpdeskrecovery without allowing access to the actualSymantec Endpoint Encryption Management Server.
Prerequisites: Additional database configuration is required to allow access for each user and must be done on the SQL Server by a database administrator. See article TECH254548for more information. The steps in the preceding article should be completed before following this tutorial.
In order to install the SEEMS console on a non-server operating system (OS), perform the following steps:
- Log into Windows as one of the users granted database permissions, following the article above.
- Download the Symantec Endpoint Encryption package. Be sure to use the same version currently being used in production for SEEMS.
- In this example, the SEEMS has 11.2.1 HF1 installed, thus we will install 11.2.1 HF1 on our Windows 10 computer.
- This package is the exact same package used to install the software on a Windows Server. It can be copied over from the server's downloads folder, or downloaded from the MySymantec product portal.
- Once downloaded, unzip the folder.
- Double click onSEE Server suite x64 if you are using a 64-bit OS, orSEE Server Suiteif you are using a 32-bit OS.
- Once the program opens, clickNext.
- Read the information on this screen and clickNextagain.
- Read the End User License Agreement, click the button next toI accept the terms in the license agreement, and clickNext.
- ClickCompleteorCustomdepending on what type of installation you would like.
- Most situations will want to clickComplete.
- Select the type of authentication you would like to use.
- None (password authentication only)means a password will be used for authentication upon SEE client package creation.
- Personal Identity Verification(PIV) means a card/token can be used for authentication upon SEE client package creation.
Note: This feature is not for PIV authentication for SEEMS.
- Ensure theUse SEE Serverbox is checked if you would like the SEEMS console to communicate with an existing SEE database.
Note: If you enter the information above and click next, and nothing happens, this is normal behavior. Click Next again and it'll take you to the next page. There is a prereq check happening at this start and the first click starts that, and the next click does the next portion. This will be addressed in a future release (EPG-26453).
- Type in the database name in theDatabase Instancefield, or clickBrowseto search for the database instance.
- Once theDatabase Instancehas been selected, ensure the properDatabase Nameis inserted in the next field.
- SEEMSDbis the default SEE database name.
- EnableTLS/SSLcommunication as directed by your SEEMS administrator.
Note: This may require additional configuration, which will not be covered in this tutorial. - Enter the correct port as directed by your SEEMS Administrator which the SEEMS console and the database will use for communication. The default port is 1433.
Note: This may require additional configuration, which will not be covered in this tutorial. - As the user account currently being used to login to windows was provisioned for SEEMS database access, keep the authentication method asWindows Authenticationand clickNext.
- If this step did not work, see KB article TECH254548 to ensure all prerequisites have been completed successfully.
- Enter the SEEManagement Passwordas directed by your SEEMS administrator and click Next.
- ClickInstall.
- After the installation is complete, clickFinish.
Validating Access with Your Account
Now that the installation process has now completed, confirm the SEEMS console is working properly with the following steps:
- Open theStart Menuand openSymantec Endpoint Encryption Managerin the programs list:
- Expand the various snap-ins and ensure they work as expected.
- To ensure the database communication is working as expected, expand theSymantec Endpoint Encryption Reportssnap-in and run a report
- The following screen shot shows theComputer Status Reportbeing successfully run (the % is a wildcard, showing all computers):
Troubleshooting
Scenario 1: Can't get passed the SEE Database Account page on the installer.
There have been some instances where the SEE Management Server install will not proceed beyond the database page even thought the proper database permissions have been configured.
As mentioned, you will need at least db_owner permissions, but if that requirement is met, and the installer fails, you can install the SEE Management Server in msiexec verbose mode to output a log file.
To do this, use the following sytax:
msiexec /i SEEServerSuite.msi /l*vx c:\SEEMS-install.log
Start the installer and then check this log when you encounter the error and see if this will provide additional insight.
As test, instead of using the "Create New Database" option, if that is failing, try using the option "Create a new login"
In some database environments, this may actually work out better and during this portion, you will then be able to install.
If you have an existing database and you are not sure if you are making any connections, check the MS SQL logging to see if a logging event has been made.
Even if the database screen page fails, if you see logging, then you know the ports should be open.
If there is no logging, ensure the ports are not blocked.
Sometimes it's useful to enter in port 1433 under the custom port, even if this is the standard port being used.
Scenario 2: Not sure if the connection is getting to the MS SQL server from the SEE Management Server during install.
If you are running into issues, you can create a test file to help with the validation of connectivity. For more information on this, see the following article:
If you are unable to open the SEE Configuration Manager properly, or Symantec Encryption Management Server, see the following article:
220948 - Symantec Endpoint Encryption Management Server OR Symantec Endpoint Encryption Configuration Manager does not open properly
Scenario 3: Unable to upgrade Symantec Encryption Management Server with error "Execution Timeout Expired" The Timeout period elapsed prior to completion of the operation or the server is not responding"
If you are doing the installation of SEE Management Server, there is a timeout value configured of 10 minutes for all operations to complete.
If you are running into this condition, please reach out to Symantec Encryption Support for further guidance.
