locked
Branch Cache - Windows 7/SCCM Distributed Mode - Symantec Antivirus/Firewall problem RRS feed

  • Question

  • Hello

    I have been looking for some information on SCCM technet forums about making Branchcache feature to work for content distribution. The thread is https://social.technet.microsoft.com/Forums/en-US/fc95c28f-7aa3-4a4f-85d9-bdf98929dc70/allow-clients-to-share-content-with-other-clients-on-the-same-subnet?forum=configmanagergeneral 

    The thread has all my efforts so far to make it work.

    In essence, we have the Windows firewall disabled in our Windows 7 estate and Symantec EP 12 is both the antivirus as well as firewall. By the looks of it the GPO firewall settings which open the BranchCache related ports are ineffective as Windows firewall is not active.

    So my question is how do I go about configuring everything branchcache-port related on Windows 7 machine. Has anyone done this before? Is there any RSOP type tool for Symantec EP to see what is being blocked or allowed?

    The SCCM DP is configured with the branch cache setting. The package being tested has the "allow-clients-to-share-content-with-other-clients-on-the-same-subnet" enabled but the (really slow) subnet I am testing it on, all the clients are individually downloading the content over the WAN.

    Thanks in advance and best wishes

    Steve


    Thursday, March 12, 2015 5:48 PM

Answers

  • Hi Phil,

    There has been some progress. With the help of Symantec engineers we created a firewall rule for all Windows 7 machines for port 3702 UDP bidirectional and also another for  what the Symantec calls the "HTTP server rule" (which includes both 80 and 443) and now I can see the content is being shared by the peers. There are no more firewall port-blocking events logged under BranchCache event log. I also used psexec to run netsh branchcache show localcache command when the content was being sourced and it was incrementally building up its cache before it was visible on the C:\Windows\ccmcache package folder... all good news. I also checked the BITS event logs and it was showing the peer content sharing (though it does not tell from which peer the content comes from but not worried much).

    Owing to the complexity in testing (especially on a slow remote network) it took some time. What I am still unsure about is if it's the 2nd machine onwards within the subnet that starts using the local content cache or the 3rd? One of the Microsoft step-by-step guide seems to suggest it's the 3rd - if it's true then it would be slightly inefficient for us.

    http://www.microsoft.com/en-us/download/details.aspx?id=5772 refer to page 23 onwards/ where it goes through the various stages of content retrieval and sharing using 3 clients on a subnet.

    Thanks for all your help on this. It's much appreciated.

    • Proposed as answer by Vivian_Wang Tuesday, March 31, 2015 1:55 AM
    • Marked as answer by Vivian_Wang Wednesday, April 1, 2015 9:28 AM
    Thursday, March 19, 2015 11:31 AM

All replies

  • hi,

    as a matter of elimination - check the event logs on the client. BranchCache should log events 7 and/or 8 if there's a firewall issue.

    Log Name: Microsoft-Windows-BranchCache/Operational

    Also - any proxy between the clients and content servers? Proxy can sometimes strip the Branchcache headers..

    thanks

    Phil



    Phil Wilcock http://2pintsoftware.com @2pintsoftware


    Thursday, March 12, 2015 6:54 PM
  • Thanks Phil. I am fairly certain it is the SEP Antivirus/firewall blocking branchcache as I checked on the log you suggested on one of the Windows 7 machines being monitored. It has the following errors logged:

    ==========================================================

    A firewall is blocking inbound traffic on TCP port 80, which is used to serve content to requesting computers. As a result, other computers on the network, including the Hosted Cache server, cannot retrieve content from this client. 
    To create a Windows Firewall rule that allows inbound traffic on TCP port 80, run the command "netsh branchcache set service" from an elevated command prompt. If a different firewall is used, modify the firewall settings to allow this traffic.

    ==========================================================

    A firewall is blocking inbound traffic on UDP port 3702, which is used to discover the availability of cached content on this computer. Other computers on the network cannot discover this client. 
    To create a Windows Firewall rule that allows traffic on UDP port 3702, run the command "netsh branchcache set service distributed" from an elevated command prompt. If a different firewall is used, modify the firewall settings to allow this traffic.

    ==========================================================

    I have verified that the GPO configuring the branch cache is applied correctly on these Windows 7 machines -it's just that Windows firewall settings are ineffective. I think I will need to log a call with Symantec.





    Friday, March 13, 2015 12:04 PM
  • Hi,

    I am Chetan Savade from Symantec Technical Support Team.

    Symantec uses port 80/8014 for ommunication between the SEPM and SEP clients and Enforcers. If possible you can use custom ports as well.

    You should specify both the inbound and the outbound traffic in the rule whenever possible. You do not need to create inbound rules for traffic such as HTTP. The Symantec Endpoint Protection client uses stateful inspection for TCP traffic. Therefore, it does not need a rule to filter the return traffic that the clients initiate.

    Check these articles: Adding a new firewall rule

    http://www.symantec.com/docs/HOWTO55404

    Customizing firewall rules

    http://www.symantec.com/docs/HOWTO55097

    Which Communications Ports does Symantec Endpoint Protection use?

    http://www.symantec.com/docs/TECH163787

    Best Regards,

    Chetan

    Friday, March 13, 2015 1:45 PM
  • hi Steve,

    yep that's pretty classic Firewall messing with BranchCache - over to you Symantec!

    If you get an answer - please post it here and I'll write up a quick blog on the matter

    have a great weekend!

    Phil


    Phil Wilcock http://2pintsoftware.com @2pintsoftware

    Friday, March 13, 2015 6:15 PM
  • Thanks Phil. Will do. You too have a nice weekend.
    Friday, March 13, 2015 6:32 PM
  • Hi Chetan, thanks for your response. If I have understood you correctly, port 80 needs no further re-configuring but a new rule will need to be setup to open 3702? Let me do it on Monday.

    Another question - If port 80 is fine as it is, why is the branchcache error event logged?

    Have a nice weekend.

    Friday, March 13, 2015 6:34 PM
  • Hi Phil,

    There has been some progress. With the help of Symantec engineers we created a firewall rule for all Windows 7 machines for port 3702 UDP bidirectional and also another for  what the Symantec calls the "HTTP server rule" (which includes both 80 and 443) and now I can see the content is being shared by the peers. There are no more firewall port-blocking events logged under BranchCache event log. I also used psexec to run netsh branchcache show localcache command when the content was being sourced and it was incrementally building up its cache before it was visible on the C:\Windows\ccmcache package folder... all good news. I also checked the BITS event logs and it was showing the peer content sharing (though it does not tell from which peer the content comes from but not worried much).

    Owing to the complexity in testing (especially on a slow remote network) it took some time. What I am still unsure about is if it's the 2nd machine onwards within the subnet that starts using the local content cache or the 3rd? One of the Microsoft step-by-step guide seems to suggest it's the 3rd - if it's true then it would be slightly inefficient for us.

    http://www.microsoft.com/en-us/download/details.aspx?id=5772 refer to page 23 onwards/ where it goes through the various stages of content retrieval and sharing using 3 clients on a subnet.

    Thanks for all your help on this. It's much appreciated.

    • Proposed as answer by Vivian_Wang Tuesday, March 31, 2015 1:55 AM
    • Marked as answer by Vivian_Wang Wednesday, April 1, 2015 9:28 AM
    Thursday, March 19, 2015 11:31 AM