Monthly Archives: January 2012

Fixing Citrix XTE Server After Installing Citrix Secure Gateway

In configuring a new XenApp 6.5 server on Windows 2008 R2, I found that users could no longer authenticate to the server. I also discovered that I was unable to start the Citrix XTE Server service.

When I tried to manually start the service, I received the following error:

Windows could not start the Citrix XTE Server on Local Computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code 1.

These sorts of nondescript errors pop up all the time when trying to troubleshoot Citrix services, which makes it tough to do any real troubleshooting.

I dug around in the registry and found a strange entry in the HKEY_LOCAL_MACHINESOFTWAREWow6432NodeCitrixXTEConfig key.  The ServerRootPath was set to C:Program Files (x86)CitrixSecure Gateway.  It struck me as odd that this problem popped up only after I had installed the Secure Gateway service, and that the path to the XTEServer was suddenly pointing to the directory where the Secure Gateway binaries were stored.

I did some reading online and found that when installing older versions of the Secure Gateway service, this registry misconfiguration took place, preventing the XTE service from starting. One would think that Citrix would have fixed this problem already, but I guess not.

So, I simply changed the ServerRootPath registry entry to reflect the proper root directory of the XTEServer, which fixed the issue.  The proper entry for that registry value is C:Program Files (x86)CitrixXTE.

All you should need to do to fix the problem is change that value and reboot the server.  After that, you are good to go.

EDIT: I later found this.


Symantec Endpoint Protection Manager – GC overhead limit exceeded

I was unable to launch SEPM. I was recieving the following error. “Unexpected server error” I found this in the scm-server.log.

java.lang.OutOfMemoryError: GC overhead limit exceeded

The solution was


The default configuration of the Symantec Endpoint Protection Manager (SEPM) is designed to minimize the memory and disk-space footprint. However, in larger organizations which may be leveraging multiple groups and/or replicated sites, the default settings may cause the system to under-perform.



The following error(s) will be logged repeatedly in the “scm-server-0.log” and “scm-server-1.log”  logfiles:

ATTENTION: Server side cache reached high water mark. INFO: Server side cache reached high water mark. java.lang.OutOfMemoryError: Java heap space

When trying to launch the SEPM, you get the error “Could not create the Java virtual machine” and the Symantec Endpoint Protection Manager service (semsrv) may or may not start.

Importing an extremely large MAC address list for the LAN Enforcer MAB Authentication results in zero-byte sized Profile.xml


The Symantec Endpoint Protection Manager is a Java-based application, and consequently much of its performance will be related to the size of the “Java Heap”. Modifying the settings that control the size of the Java Heap will improve the performance of a wide variety of the functions performed by the Symantec Endpoint Protection Manager.


Adjust the Java heap space assigned to the SEPM service and consoles.

  1. Stop the Symantec Endpoint Protection Manager service.
    Set the following two registry values:
    HKLMSystemCurrentControlSetServicessemsrvParameters     JVM Option Number 0=-Xms1024m     JVM Option Number 1=-Xmx1024m     JVM Option Number 2=-XX:MinHeapFreeRatio=40     JVM Option Number 3=-XX:MaxHeapFreeRatio=70
    Start the Symantec Endpoint Protection Manager service.
    JVM Options 0 and 1 are the Java minimum and maximum heap sizes for the SEPM. You cannot increase either of these beyond 1024m; if you do, the SEPM service will not start and you cannot login until the value is set back down. This is an inherent limitation of the Java Virtual Machine. For more details on these values, see “Technical Information” below.
  2. Adjust same settings for the local SEPM console; edit the following batch file to reflect the registry values above:
    %ProgramFiles%SymantecSymantec Endpoint Protection Managerbinsesm.bat
  3. To effect the same changes for the SEPM remote Java console, follow the instructions below:
    Go go http://sepm-server-name:9090
    Right-click on the link “Symantec Endpoint Protection Manager… Download & Login” and choose to “Save Target As…” (you may have to download and install Java before you see this link).
    Save the .jnlp file to your desktop, and open with a text editor
    Change the initial-heap-size, max-heap-size, MinHeapFreeRatio, and MaxHeapFreeRatio to match the registry changes above.
    Save your changes, and use the .jnlp file when launching the SEPM remote Java Console.

Note: The additional RAM will be allocated immediately following the service restart. You may see an immediate (but temporary) rise in disk and cpu activity as the page file size is increased. The max size varies from about 1200MB to 1400MB depending on OS and the state of the machine.
Technical Information

The Heap Size for Symantec Endpoint Protection Manager is specified with two values, stored in the registry.
JVM Option 0 specifies the minimum size of the Java Heap JVM Option 1 specifies the maximum size of the Java Heap.
The default value for JVM Option 1 is 256 MB, while the default value for JVM Option 0 was reduced from 256 MB to 64 MB in SEP 11 MR2 to reduce the memory footprint of the application in smaller environments – the application will automatically increase the size of the Java Heap as required until it encounters the configured maximum size.
These values can be increased to better suit the available resources on the computer; performance can be optimized by following the guidelines below:
The Java Heap starting value () must not be larger that the Java Heap maximum value (). If the working size of the Java Heap exceeds the available physical RAM, the computer will begin paging the Java Heap. This will dramatically increase Disk I/O and reduce the overall performance.
Note: Always allow for at least 256 MB to be allocated to the Operating System. For Example: On a computer with 1 GB of RAM, the maximum value for the Java Heap should not exceed 768 MB.

The value of MinHeapFreeRatio and MaxHeapFreeRatio modify garbage collection characteristics (the ratio of free space to live objects within the heap).  The values specified in this document are the defaults for JVM and they provide a good mixture of performance and reliability.

SEPM Performance tuning document.



How to Migrate Symantec Endpoint Protection Manager to a New Server

How to Migrate Symantec Endpoint Protection Manager to a New Server

this is a mix of information taken from the Symantec Forum and Support Case area

“How do I move Symantec Endpoint Protection Manager from one server to another with a different IP address and Host name”



Follow the steps below to move Symantec Endpoint Protection Manager from one server to another with a different IP address and Host name:

1. Install Symantec Endpoint Protection Manager on the new server

2. In the Management Server Configuration Wizard panel, check Install an additional site, and then click Next

3. In the Server Information panel, accept or change the default values for the following boxes, and then click Next

4. Installing and configuring Symantec Endpoint Protection Manager for replication

Server Name

Server Port

Server Data Folder

5. In the Site Information panel, accept or change the name in the Site Name box, and then click Next

6. In the Replication Information panel, type values in the following boxes:

Replication Server Name


(The Name or IP address of the old Symantec Endpoint Protection Manager)

Replication Server Port


(The default is 8443)

Administrator Name


(The Username used to log on to the old console)



(The password used to log on to the old console.)

7. Click Next

8. In the Certificate Warning dialog box, click Yes

9. In the Database Server Choice panel, do one of the following, and then click Next

Check Embedded database, and complete the installation.

Check Microsoft SQL Server, and complete the installation.


now choose your db engine


10. Log in to the new Symantec Endpoint Protection Manager (SEPM) and ensure that all the policies are Migrated sucessfully

11. Click Policies

12. Click Policy Components

13. Click Management Server Lists

14. Click Add Management Server List

15. Click Add > Priority and a new Prioriry would get added named as Priority2

16. Add the Old server under Prority2 and add the new one under Prority1


Assigning a management server list to a group and location

After you add a policy, you need to assign it to a group or a location or both. Otherwise the management server list is not effective. You must have finished adding or editing a management server list before you can assign the list.

To assign a management server list to a group and location:

  1. In the Symantec Endpoint Protection Manager console, click Policies .
  2. In the Policies page, under View Policies, click Policy Components > Management Server Lists.
  3. In the Policies page, under Tasks, click Assign the list.
  4. In the Apply Management server list, check the groups and locations to which you want to apply the management server list.
  5. Click Assign.
  6. When you are prompted, click Yes.

17. After the sucessful Migration uninstall the old Symantec Endpoint Protection Manager (SEPM)