Good morning,
I have opened a support ticket with Symantec on this issue, but I was looking for some user feedback and perhaps some input on using SEP 12. I am familiar with the product and I have been using it since SAV 10.1. A lot has changed since then. At my new job, we are extremely security conscious, and one of the things we've chosen to move forward with is full installs of SEP 12.1 on our servers. In our DMZ we are currently employing an RODC, which has special considerations of its own. There are approximately 12 servers that use the RODC as a logon server. Prior to installing SEP 12, I verified that everything in our DMZ works as expected. Logging on worked fine from all servers, and traffic patterns between the RODC and the servers were as expected.
Fast forward to a few days ago. I deployed SEP 12.1 to all servers, including the RODC in the DMZ. Prior to deploying SEP, I made a policy for the firewall system that was an allow any/any while I observed traffic patterns. My goal at this point was to audit communications and then go through and create a tighter set of rules based on observations. Once SEP was fully installed, I assumed everything was okay and I walked away from the environment for a little while. A day later, I attempted to log into one of my DMZ servers and noticed that the normal logon process wasn't working. I attempted to log in to several other servers and saw the same results. After attempting several things, like taking my hardware-based firewalls out of the picture, I was unable to make any headway with the issue. As a last-ditch effort, I decided to remove SEP from the environment, starting with the RODC. As soon as I took SEP off the RODC, everything returned to normal. I did some limited testing, then placed SEP back on the RODC using the Basic Protection for Servers option. This option seems to work as well.
So my question is: if I had a policy for the firewall configured for any/any, what else could be interfering with DC/DNS communication between my servers and the RODC? What in the IPS module or SONAR could be causing this? How do I track it down? How would I correct the issue?
Thanks in advance.
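The poster asks how to track down which DC/DNS communication is being interfered with. The following is an added diagnostic example, not code from the original post or from Symantec; it checks, from a DMZ member server, the TCP ports a domain member needs to reach on a domain controller, asks the RODC's DNS for the DC SRV records, and then runs the Windows DC locator and ticket listing. The RODC name, domain name, and timeout are placeholder assumptions and must be replaced with real values.

```powershell
# Added example, not from the original post. Run on one of the DMZ member
# servers, once with SEP's Network Threat Protection enabled and once with
# it disabled, and compare the two results line by line.
param(
    [string]$Rodc      = "rodc01.dmz.example.com",  # assumed placeholder RODC name
    [string]$Domain    = "dmz.example.com",         # assumed placeholder AD DNS domain
    [int]   $TimeoutMs = 2000                       # per-port connect timeout
)

# TCP ports a domain member uses against a DC for logon, Group Policy and DNS.
# An RODC is not necessarily a Global Catalog, so 3268 may legitimately fail.
$ports = @{
    53   = "DNS"
    88   = "Kerberos"
    135  = "RPC endpoint mapper"
    389  = "LDAP"
    445  = "SMB (SYSVOL/NETLOGON)"
    464  = "Kerberos password change"
    636  = "LDAPS"
    3268 = "Global Catalog (may be absent on an RODC)"
}

# Connect to one TCP port with a timeout. Uses System.Net.Sockets.TcpClient so
# it works on older PowerShell versions that lack Test-NetConnection.
function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$Timeout)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($Timeout, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Ask the RODC's DNS for the DC SRV records of the domain and return the
# advertised DC hostnames. Parses the "svr hostname = ..." lines nslookup prints.
function Get-DcSrvRecords {
    param([string]$DnsDomain, [string]$Server)
    $out = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$DnsDomain" $Server 2>&1
    return ($out | Select-String "svr hostname" |
            ForEach-Object { ($_.Line -split "=")[-1].Trim() })
}

Write-Host "TCP port checks against $Rodc"
foreach ($p in ($ports.Keys | Sort-Object)) {
    $ok = Test-TcpPort -Target $Rodc -Port $p -Timeout $TimeoutMs
    "{0,5}  {1,-42} {2}" -f $p, $ports[$p], $(if ($ok) { "open" } else { "BLOCKED or timeout" })
}

Write-Host "`nDC SRV records served by $Rodc for $Domain"
$dcs = Get-DcSrvRecords -DnsDomain $Domain -Server $Rodc
if ($dcs) { $dcs } else { "no SRV records returned (DNS to the RODC failing?)" }

Write-Host "`nDC locator result and current Kerberos tickets"
& nltest /dsgetdc:$Domain /force
& klist
```

Running this from a member server with SEP's network components on and then off shows which port or lookup changes between the two states, which is more useful than the symptom "logon fails"; a blocked port with an any/any firewall rule points at a component other than the firewall rule set, which is exactly the question being asked.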