Video Screencast Help

How to Auto-Upgrade Remote Site Clients using IIS

Created: 16 Apr 2010 • Updated: 20 Apr 2010 | 30 comments
Language Translations
Vikas Rajole's picture
+12 12 Votes
Login to vote

Reduce WAN traffic and upgrade failures by using an IIS server in a remote site.

Please refer the below exhibit.

Site1 has SEPM.

Site2 and Site3 are remote sites having a Windows server with IIS.

Configuring a remote site, in this case Site2 or Site3.

The name of the Server is Site2.

Step1.1: Create a folder on local drive and copy the setup.exe created using SEPM.

Step1.2: Create a virtual directory in IIS on Site2 server.

Step 1.3: Make sure the Virtual Dircetory has the correct 'Local Path' where the setup.exe is saved.

 

Step2: Verify that the package can be downloaded without any permission issue.

To test this, type the client package url for e.g. "http://site2/SEP_client/setup.exe" in a web browser.

You should get a file download doalogue box. Click cancel.

 

 

Step3.1: Goto Install Packages under Clients tab in SEPM. Click on Add client install package.

Step 3.2: Select 'Downloadthe client package from the following URL (http or https)' and type the URL of the client package hosted in IIS of site2 and click 'Ok'.

e.g "http://site2/SEP_client/setup.exe"

The Site2 clients will get the package from the Site2 IIS server.

Comments 30 CommentsJump to latest comment

Andy Scott's picture

Thanks for the tip, I haven't thought about  deploying an upgrade this way.

Question: Could that setup.exe be a patch file instead? i.e RU5 to RU6a ?

Also file:// in order to use a local network share would be ideal. I have remote sites with GUP's only.

+1
Login to vote
Vikas Rajole's picture

Yes it can be a upgrade package like RU5 to RU6a.

-

Vikas -- Don't forget to mark your thread as 'solved' with the answer that best helped you!

+2
Login to vote
Vikas Rajole's picture

Yes it can be a upgrade package like RU5 to RU6a.

-

Vikas -- Don't forget to mark your thread as 'solved' with the answer that best helped you!

+2
Login to vote
steffen910's picture

thanks for u r article

+1
Login to vote
Symanticus's picture

how to make that one single exe package ?

/* Infrastructure Support Engineer */

+1
Login to vote
Andy Scott's picture

Export it from the SEPM console under packages

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/c741ec26fa674b1e8825738a0076abf3?OpenDocument

+1
Login to vote
Symanticus's picture

Thanks man,

this is just what I've been looking for.

Special thanks to the Original poster for creating such a great tute for all of us.

/* Infrastructure Support Engineer */

+1
Login to vote
phil8690's picture

What an excellent document thanks very much, just a quick question what is the best way to handle different client versions.  For example do i need to create a website for 32bit and one for 64bit clients or can the SEPM server supply a package that contains both.

+1
Login to vote
Vikas Rajole's picture

You could create another virtual directory for 64bit package.
For Example if you refer Step 2. The path would look like http://site2/SEP_win64bit/setup.exe
Configure the same path in Step 3.2 when you add a 64bit package.

-

Vikas -- Don't forget to mark your thread as 'solved' with the answer that best helped you!

+2
Login to vote
Nate S's picture

This seems like exactly what I have been looking for.  Thanks!

One question, however.  Is there any way I could set up 2+ install packages to a group, and then depending on where the clients are located, they would just pick the best path?

I dont separate my offices into separate groups because we all use the same settings, but I don't want all of them to pull from the remote server, but from each of their respective local IIS servers.

+1
Login to vote
J.Bonner's picture

@Nate,

I would still recommend using groups for each remote site.

All groups will still use the same settings if they are configured to use shared policy files (which is the default). So you would only have to make policy updates in one place.

And by using groups, you can take care of assigning the respective local IIS servers to each group.

It's a WIN-WIN scenario.

Jon

+1
Login to vote
geva's picture

I've just stumbled across the post and it gives me a good idea as to how to best setup the deployment.  Like you, I'm only using one site, as well as having users who roam between sites.

DNS has a cool feature where if a host has multiple A records, it will return the one in your subnet first.  Meaning you could create a DNS name called "SEPUpdates" which would resolve to the IP of the IIS server as described above.  You then just need to set all of your IIS server roots to replicate; perhaps using a RoboCopy script or NTFRS/FRS-R.

Let me know if you want more clarification.

Greg

0
Login to vote
krayzie's picture

when you do the find unmanaged clients for site2? do you use SEPM from site1??

is there anything special you have to do to use the site2 installation file??

 

thanks

0
Login to vote
Vikas Rajole's picture

Hi,

 

This setup is for managed clients. This to upgrade a managed SEP client to new version.

The SEP client should be communicating with SEPM.

Thank you.

-

Vikas -- Don't forget to mark your thread as 'solved' with the answer that best helped you!

0
Login to vote
ss_alvi's picture

can we make this kind of setup for SEP SMB 12. how much bandwirth required. and when remote site update from central server how much data will copy for one client

0
Login to vote
Chetan Savade's picture

Hi,

Such configuration is not possible with Small Business Edition 12.x

This option is available in SEP 11.x 

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

+1
Login to vote
ajhay.siingh's picture

HI Veekee,

excellent document and steps suggested by you. I was unware about this step. through this step no issue for WAN traffice except logs and policy communication by SEPM. same method also for SEP 12.1?

 

Regards,

Ajay Kumar Singh (Consultant- Information Security)

 

 

0
Login to vote
Chetan Savade's picture

Hi Ajit Singh,

It's applicable in SEP 12.1 EE also.

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

0
Login to vote
ajhay.siingh's picture

HI Chetan,/Veekee

yesterday I did same practice for remote site client. those updated succesfully with upgrade version clients setup through IIS and keep reporting to SEPM. Thanks all for best practices

 

Regards,

Ajay Kumar Singh (Consultant- Information Security)

 

 

0
Login to vote
Bongani Macheke's picture

Hi guys

 

I followed all the steps above and I can even get to step 2 succesfully, I'm not getting any errors but the upgrade does not work at all. Is there something that I missed? Please please help.

 

_original.jpg
0
Login to vote
Chetan Savade's picture

Hi,

Screenshot shared by you is the same screenshot shared in this article.

Could you please share your environment specific screenshot? Could you please check upgrade schedule as well?

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

0
Login to vote
Bongani Macheke's picture

Hi Chetan,

 

Please find the attached screen shot from my browser. My upgrade schedule is from 15:30 to 00:00 over 1 day the current time is 15:36.

Thanks,

Bongani Macheke

Capture.GIF
0
Login to vote
Bongani Macheke's picture

Hi Chetan,

 

Please find the attached screen shot from my browser. My upgrade schedule is from 15:30 to 00:00 over 1 day the current time is 15:36.

Thanks,

Bongani Macheke

Capture2.GIF
0
Login to vote
Chetan Savade's picture

Hi,

As per screenshot it seems that you are trying to upgrade to SEP 12.1 RTM (12.1.671.4971).

Could you please confirm upgrade path?

Also, have you checked by increasing distribution upgrade period.

If possible uncheck upgrade schedule as well to test it.

Let me know you are testing in test environment or it's production environment?

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

0
Login to vote
Bongani Macheke's picture

Hi

 

Thanks for the great help it actually works very well! I just need help with one final thing: pulling a success/failure report on the SEPM.

 

Thanks again!

0
Login to vote
Chetan Savade's picture

Hi,

You can pull the reports as per business requirements.

About the different types of Symantec Endpoint Protection Manager Reports

http://www.symantec.com/docs/TECH95538

About Computer Status reports and logs

http://www.symantec.com/docs/TECH95541

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

0
Login to vote
USECredit's picture

Would it be feasible to set this up on an Windows XP or 7 machine that is always on?

Reason for asking is that it wouldn't be the least bit practical in my situation to put a server at our branches, the largest of which has 7 computers total. However, most of the branch offices have one machine that is only used for about 30 minutes and would be an ideal candidate to use for managing the updates this way.

0
Login to vote
geva's picture

I am not sure about this, but I see absolutely no reason why you couldn't setup IIS on a Windows XP or 7 workstation and have it server the deployment package for you.

I considered doing this when I was having problems, but Symatec Technical Support advised me against it and suggested that I just make an install package and install from that.  This is exactly what I did, replicated the package to remote sites, and then installed from there using the Migrate & Deploy tool.

From what I understood... this remote package deployment is somewhat overkill depending on the network you are managing.  It will allow you to easily upgrade entire groups to newer SEP... however the Migrate & Deploy tool used with a freshly created package does the same thing.  As this package is not being accessed after install, it is not really going to have very much bandwidth influence.

+1
Login to vote
Chetan Savade's picture

Hi,

GUP can only provide definitions updates to remote clients.

To upgrade remote clients you will have to use other methods. As geva mentioned you can use Migration and deployement tool to deploy SEP packages as well.

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

+1
Login to vote
plumainwfs's picture

Just another thought, with 12.1 RU4 there is a setting where you can set the clients for a specific container in SEPM.

Choose clients container, Click on Tab Install Packages
Right Click on any package and should have an option for that package to change Download Source

Not sure if it would be a wise Idea to Create the Site mentioned above and both have 32Bit and 64Bit Client on site.

Then Schedule the Upgrade at a certain time, so all clients within that container will start looking at the provided URL and will automatically get the package from there.

I have not tested this out but how would a client know which package to download and install? or how the URL should look like?

Any thoughts on this is greatly appreciated as I am trying to Upgrade all clients from our remote sites 50+ Sites so meaning 50+ IIS servers temporarily created on the current GUPs.

0
Login to vote