This article describes best practices for configuring Symantec Endpoint Protection (SEP) with Terminal Server and Citrix solutions.
The following recommendations apply to Symantec Endpoint Protection version 14.0 and later. It provides information on the best configuration of Symantec Endpoint Protection in Terminal Server and Citrix environments.
This article focuses strictly on providing guidance on how to successfully deploy the Symantec Endpoint Protection 14 protection components to a Microsoft Terminal Server or Citrix Presentation Server. It also provides guidance on recovering from potential issues that may arise during the deployment and a list of useful online resources.
This article does not cover deploying Symantec Endpoint Protection 14 to workstation, other more general administration concerns or Citrix server best practice in general; for guidance on these topics, please refer to the relevant product documentation.
The aim of this whitepaper is to show that Symantec Endpoint Protection can function correctly on terminal servers and where necessary document any changes required to the Symantec Endpoint Protection architecture in order to improve performance or reliability on those terminal servers. The findings of this white paper are already helping to shape the future direction for SEP functionality on Citrix and Terminal servers.
The terminal server component of Windows Server allows remote clients and devices to access and use Windows Server desktops and applications. These devices can be Windows, Macintosh or Linux workstations as well as wireless devices, laptops, set top boxes or potentially any device with a network connection. When Terminal Services is activated on a windows server, users can connect to a virtual desktop on the server and all applications are executed on the server, instead of the client device.
Conceptually, the design is similar to using PCAnywhere, VNC or any other remote control product. However, by running a special kernel, a windows terminal server is able to support multiple users connecting to the server simultaneously – each running their own virtual desktop. A single server can potentially support dozens, if not hundreds or even thousands of simultaneous users.
Citrix Presentation Server, a member of the Citrix Delivery Center product family, is an end-to-end Windows application delivery system that offers both client-side and server-side application virtualization, for optimal application performance and flexible delivery options. With the secure application architecture, organizations can centralize applications and data in secure data centers, reducing costs of management and support, increasing data security, and ensuring fast, reliable performance.
Presentation Server allows IT departments to deliver secure applications as a service, providing on-demand access to users while affording the flexibility to leverage future application architectures.
Symantec Endpoint Protection client will run acceptably on Windows Terminal Servers; however that can be made in order to optimize the overall user experience.
The following recommendations should be taken into account:
Configure Auto-Protect to:
Symantec recommends to:
Some server administrators may wish to exclude their users roaming profiles and/or “My Documents” folders from being scanned for security risks. While this will improve performance, Symantec would not recommend this approach – in practice this is generally the location in which security risks are discovered.
If a scheduled scan is required then it should be run out of hours in order to minimise user impact. In addition, ActiveScans when new definitions arrive and startup scans should not be run as they could place unnecessary load on the terminal server during business hours.
There are no tamper protection recommendations for a server just running Terminal Services.
Although it is not recommended to run Network Threat Protection on terminal servers, it is entirely possible to do so. The default Symantec Endpoint Protection rule set will allow all terminal services functions to work correctly. However, it should be noted that if a custom rule set is created, the following services and ports should be allowed:
At all times, terminal server administrators should bear in mind that running SEP client on their terminal servers will not protect the client computer from threats. Depending on the terminal solution being used, Symantec has a separate solution for these (most could run SEP, others may require SEP for XP Embedded) and you should discuss the requirement with your Symantec partner, SE or account manager.
When running SEP client on terminal servers, you will notice that multiple instances of both SmcGui.exe and ccApp.exe are running. In addition, on 64 bit terminal servers you will also see ProtectionUtilSurrogate.exe running per user. This is normal behaviour and should not cause problems in small deployments or remote administration scenarios. However, under certain circumstances and depending on the number of sessions in use, this can cause the CPU utilization to spike to 100% and large amount of extra memory to be used. Although these processes are required for a fully working SEP client installation, they can be prevented from loading on terminal servers with minimal effect to the end user. For details on how to do this, please see Appendix D.
Although SEP client can be configured to support multiple users with individual policies, in a terminal server environment, this will manifest itself in a different way than would be imagined. If a user is logged onto the console of the server, then all remote users will be given the same policy. If there is no console user, then all users will receive the policy of the first logged in user.
Symantec are working to change this so that the feature works correctly on terminal servers, but this behaviour is expected at this moment in time.
As with Windows Terminal services, Symantec Endpoint Protection runs without major issue on Citrix environments as long as all previous recommendations are taken into account. In addition, certain components of the application may however cause issues. These can vary from an incorrectly configured firewall component blocking traffic to the Tamper Protection module causing issues with certain health checking components of Citrix.
In addition to the AntiVirus and AntiSpyware exclusions for standard terminal servers, the following exclusions are recommended for Citrix servers:
Symantec recommends that the following process is excluded from Tamper Protection on Citrix servers, as it is known to cause problems:
As per terminal servers, if you wish to run the SEP firewall on a Citrix server then it is possible to do so without any issue using the default rule set in SEP 14 and beyond. If, however you wish to create a custom rule set for Citrix then the following processes and communications ports should be taken into account:
Svchost.exe
ntoskrnl.exe
Default port for unsecured Web
Interface web servers and or TCP+HTTP browsing (XML port) and or Citrix Secure Gateway Secure Ticket Authority (STA) unsecured port.
Default port for Citrix Secure Gateway, SSL Relay Service, Citrix ICA connections using SSL+HTTPS browsing and secure connections to a Citrix Web Interface web server) This is the only port that is needed to be open on an external firewall for secure connections to a Citrix Presentation Server environment utilizing the Citrix Secure Gateway technology.
Svchost.exe
Default ICA port, this can be changed if necessary. This port is not necessary to be open on the external firewall if you will be utilizing Citrix Secure Gateway for Windows.
ImaSrv.exe
TCP/2512 (on Farm Master)
1024-5000 (on Remote
Farm Master) TCP/2512
Citrix server to server communications
ImaSrv.exe
Citrix Management Console for Presentation Server 4.0 communication to the Citrix IMA Data Store
lmgrd.exe
Citrix Access Suite License Server and the License Manager daemon communicate over this port
CITRIX.exe
Dynamic by default, but configurable, see
Citrix Licensing Server wrapper
Svchost.exe
depends on CITRIX.exe configuration
Allows Citrix servers to communicate with a Citrix license server
mmc.exe
Allows Citrix management console to communicate with Citrix
ConfigMgrSvr.exe
Allows Citrix management console to communicate with Citrix
Dllhost.exe
Allows Citrix management console to communicate with Citrix
Mfcom.exe
Allows Citrix management console to communicate with Citrix
SmaService.exe
Allows Citrix management console to communicate with Citrix
XTE.exe
ICA session w/ Session Reliability client-to-server communications. This port is only used when Session Reliability is enabled.
In the case of services that use dynamic ports on servers, it is recommended that a host group be used that contains the IP addresses of the Citrix servers in your organization. This group has been pre-created in the provided firewall policy, you simply need to add your Citrix server addresses to it.
It should be noted that administrators will only see multiple instances of SmcGui.exe, ccApp.exe, and ProtectionUtilSurrogate.exe if they are publishing a full server desktop via Citrix. If published applications are used solely then there will be no multiple instances of these processes and there is no requirement to follow the steps in Appendix D.
While it is possible to run the Symantec Endpoint Protection Manager on a terminal server, it is not recommended if the terminal server is to be hosting a large number of terminal sessions due to the performance overhead of the Manager services, particularly when updating definitions and running the Java console.
In conclusion, it can be seen that Symantec Endpoint Protection client will work on terminal and Citrix servers when installed “out of the box.” However, there are a number of product and configuration optimizations that can be made in order to drastically improve reliability and performance in this particular environment.
Future versions of Symantec Endpoint Protection are already in development and there are many changes being made to the code to provide better optimization in terminal services environments. Until these enhancements are realized, the steps in this whitepaper will provide the same performance benefits.
All the steps in this whitepaper have already been performed on several large Citrix deployments on Symantec customer sites and all participants have been extremely impressed at the performance benefits that these modifications bring about.
During the authoring of this whitepaper, the following environment was built:
As can be seen from the diagram above, a domain “SYMCTEST” was established – all servers and clients were members of this domain during testing. Both Citrix servers were joined to the same Citrix Farm – “CitrixFarm.” CITRIX64 served as the Farm master. For the purpose of testing, anonymous access to Citrix applications was configured. Common business applications, such as Microsoft Word and Excel were installed onto the Citrix servers and were published through the Citrix Web Interface. In addition, a full desktop was also published.
Symantec Endpoint Protection Manager was installed onto the server “SEPM.” Packages were then created for servers and deployed from the console. The Windows firewall was turned off on all servers, as the SEP firewall was used, initially with the default firewall policy from 14 and later with a custom-developed policy.
Using the client XPCLIENT, multiple remote desktop sessions were established to each Windows Terminal Server, and performance and task manager processes were observed. In the same way, 10 anonymous sessions were established to each Citrix server – separate tests were performed for published applications and the published desktop. In both cases, the task manager was observed from a console connection.
Changes were then made to the clients on the servers and re-testing was performed to see the difference in performance and processes that were loaded. Each change was made separately, then tested.
Once the process and AntiVirus and AntiSpyware optimization were complete, work was started on the firewall ruleset, with an initial ruleset being put in place that allowed all communication to and from the domain controller and blocked and logged all further traffic. Rules were then created per each block rule that allowed the Citrix and Terminal Server processes until there were no more blocked requests related to Citrix or Terminal Services processes. All tests were then re-run with this new ruleset in use to confirm overall functionality. In addition, Citrix farm administration tasks were also performed from each Citrix server to ensure that server to server communications were still working correctly.
Once all performance changes and testing had been completed, functionality tests were run against the SEP clients running on the servers to prove that core functionality had not been affected by the changes put in place. Virus detections still occurred and users were notified, clients were able to be managed from the management console, and would accept commands and update content and policies successfully.
The following additional processes can be seen running on a Windows terminal server running SEP Client: