How client computers receive content updates
|Article:HOWTO55172|||||Created: 2011-06-29|||||Updated: 2011-12-16|||||Article URL http://www.symantec.com/docs/HOWTO55172|
When you add and apply a LiveUpdate Settings policy, you should have a plan for how often you want client computers to check for updates. The default setting is every four hours. You should also know the place from which you want your client computers to check for and get updates. If possible, you want client computers to check for and get updates from the Symantec Endpoint Protection Manager. After you create your policy, you can assign the policy to one or more groups and locations.
The content distribution methods that you use depend on the following factors:
For example, if you have a very large number of clients, you can use Group Update Providers to ease the load on your management servers. You can even set up internal LiveUpdate servers using LiveUpdate Administrator, if necessary.
For example, Mac client computers get updates only from an internal or an external LiveUpdate server. Only Windows client computers can get updates from the management server or Group Update Provider.
For example, some users may travel with portable computers that connect intermittently or not at all to your network. In this case, you can allow the client computers to get updates directly from a Symantec LiveUpdate server using the Internet. See Table: Content distribution methods and when to use them.
Table: Content distribution methods and when to use them
When to use it
Symantec Endpoint Protection Manager to client computers
The default management server can update the client computers that it manages. You might have multiple management servers in your Symantec Endpoint Protection Manager network. The site that includes the management servers receives LiveUpdate content.
This method is configured by default after management server installation. You can also combine this method with a Group Update Provider.
Group Update Provider to client computers
A Group Update Provider is a client computer that receives updates from a management server. It then forwards the updates to the other client computers in the group. A Group Update Provider can update multiple groups.
Note that Group Update Providers distribute all types of LiveUpdate content except client software updates. Group Update Providers also cannot be used to update policies.
Setting up a Group Update Provider is easier than setting up an internal LiveUpdate server. Group Update Providers are less resource-intensive and so reduce the load on the management servers.
This method is particularly useful for groups at remote locations with minimal bandwidth.
Internal LiveUpdate server to client computers
Client computers can download updates directly from an internal LiveUpdate server that receives its updates from a Symantec LiveUpdate server.
You use the LiveUpdate Administrator utility to download the definitions updates down from a Symantec LiveUpdate server. The utility places the packages on a Web server, an FTP site, or a location that is designated with a UNC path. You configure your management servers and client computers to download their definitions updates from this location.
If necessary, you can set up several internal LiveUpdate servers and distribute the list to client computers.
For more information about setting up an internal LiveUpdate server, see the LiveUpdate Administrator User's Guide.
You can use an internal LiveUpdate server in very large networks to reduce the load on the Symantec Endpoint Protection Manager. You should first consider whether Group Update Providers would meet your organization's needs. Group Update Providers are easier to set up and also reduce the load on the management servers.
Use an internal LiveUpdate server if you have Mac clients and you don't want them to connect to a Symantec LiveUpdate server over the Internet.
An internal LiveUpdate server is also useful if your organization runs multiple Symantec products that also use LiveUpdate to update client computers.
You typically use an internal LiveUpdate server in large networks of more than 10,000 clients.
For more information see the Symantec Technical Support knowledge base article LiveUpdate Administrator 2.x and Symantec Endpoint Protection Manager on the Same Physical Server.
Symantec LiveUpdate server to client computers over the Internet
Client computers can receive updates directly from a Symantec LiveUpdate server.
Use an external Symantec LiveUpdate server for the client computers that are not always connected to the corporate network.
Symantec Endpoint Protection Manager and scheduled LiveUpdate are enabled by default, as are the options to only run scheduled LiveUpdate when connection to Symantec Endpoint Protection Manager is lost and the virus and spyware definitions are older than a certain age. With the default settings, clients always get updates from Symantec Endpoint Protection Manager except when Symantec Endpoint Protection Manager is nonresponsive for a long period of time.
Third-party tool distribution
Third-party tools like Microsoft SMS let you distribute specific update files to clients.
Use this method when you want to test update files before distributing them. Also, use this method if you have a third-party tool distribution infrastructure, and want to leverage the infrastructure.
Intelligent Updater files contain the virus and security risk content that you can use to manually update clients. You can download Intelligent Updater self-extracting files from the Symantec Web site.
You can use Intelligent Updater files if you do not want to use Symantec LiveUpdate or if LiveUpdate is not available.
To update other kinds of content, you must set up and configure a management server to download and to stage the update files.
Figure: Example distribution architecture for smaller networks shows an example distribution architecture for smaller networks.
Figure: Example distribution architecture for larger networks shows an example distribution architecture for larger networks.
Article URL http://www.symantec.com/docs/HOWTO55172