Best practices when deploying Symantec Endpoint Protection client package over saturated 64k WAN links.
|Article:TECH132352|||||Created: 2010-01-10|||||Updated: 2011-12-22|||||Article URL http://www.symantec.com/docs/TECH132352|
How to perform remote Symantec Endpoint Protection (SEP) client package deployment over very slow WAN links
Installation package deployment times out or is corrupt
Slow or saturated WAN links
- The first step is to minimize the size of the client package being deployed. In SEP 11, the deployment package will always contain a bundled set of AV definitions. However, in SEP 12.1, it is possible to create a deployment package that does not contain these definitions. This will reduce the size of the package from c. 120MB to 40MB. In some cases it can be beneficial to ensure that the deployed package is as small as possible. Note however that if if the client package is deployed with no definitions, the first update cycle on the client will retrieve the full definition set. This update traffic must be accounted for - using a tool such as a local GUP or and internal LiveUpdate Administrator 2.x server hosting the definitions may be appropriate.
- Note the difference between a GUP and the LUA 2.x. The GUP will only retrieve content as it is requested, and will retrieve it from the SEPM. This means that it will always retrieve the smallest and most efficient package possible. It will not download any unnecessary content. An LUA is designed to apply updates generally to a mixed environment. It will update itself on a schedule, and will download all content available at that time. An LUA downloading 32-bit and 64-bit windows definitions only may download 4-6 GB of data per month. The equivalent GUP is likely to download less than 500 MB.
- Next - determine how the deployment will be performed. There are several options:
- Out-of-Band deployment.
- Here it is the Administrator's responsibility to arrange for the deployment of the package, often via technologies such as Windows Login Scripts, or using software deployment tools such as Microsoft SMS, Symantec Altiris, or similar tools.
- Managed deployment.
- When assigning a client package to a group, it is possible to configure a schedule for the download to occur. However, it is also possible to configure an alternate location from which to retrieve the client package. This means that the administrator can use Microsoft DFS or any other appropriate deployment/distribution task to copy the package to a local resource. The clients will then download the package from this local resource, without placing a load on the WAN interconnector.
- Out-of-Band deployment.
- Prepare the environment for deployment:
- In an environment with limited bandwicth, managing the content updates between the SEPM and the Clients is critical, as this will constitute the majority of the SEP-related traffic between the sites.
- It is possible to configure the clients to retrieve content from one of three locations: the SEPM (which can be proxied via a GUP), the Internet (Symantec LiveUpdate) or an internal LiveUpdate source. The Administrator should determine which of these update paths they wish to implement. Using GUP-mediated SEPM downloads is generally the most efficient.
- Configure all appropriate policies - including the Client Update policy, and export the client package.
- If you are going to use a GUP to manage the client update process, the system acting as the GUP must be the first system installed. It will begin to download the new content while the other clients are installed.
- Finally - remember that the clients should be rebooted before they are considered to be properly migrated. The deployment package can be configured to force a reboot. If this option is not selected, the Administrator should ensure that these systems will be rebooted as soon as possible after the upgrade is initiated.
Article URL http://www.symantec.com/docs/TECH132352