Endpoint Protection

I currently run a simple environment, two symantec-client-security servers , one in each site, 100 clients.

- they are all sorts of versions, from 8.x, 9.x to 10.x

I would like to roll out Sym Endpoint Protection but I don't like what I'm reading about managing older SCS clients (mainly that it doesn't / cannot do that).

The ones running 10.x will upgrade to SEP just fine, mainly they are XP/Vista systems.

but the rest.... what options can you suggest? 

- I cannot drop the old legacy client, they need to be up to date and their hardware will never be able to run SEP.
- I suppose the old clients can run liveupdate, but that's not bandwidth friendly nor easy to manage.
- I would prefer to not run two systems, SCS + SEP , that just seems like a nightmare.

I have migrated SAV 9.x to SEP without any problems. What comes to using liveupdate to update old 8.x and 9.x clients, the support just ended for 9.x and for 8.x it has ended long time ago. They can only update through SAV server via VDTM. Leave the other SAV server running until you get all the clients updated. 100 is such a small number of clients that you can go through the normal couple of unsuccessfull migrations by hand.
- Jukka

I would leave one parent server running. Let it run LU, then let the children with SAV update from it via VDTM like suggested.
You can run the console on ANY COMPUTER! You can run it from a notebook or workstation on your network, or a server, etc.
It's an old wive's tale that the SAV console should run from a server. Ideally, you do not run it from a server. I always ran the SAV console from my workstation(s) and never did load it on a server.
For our migration here, I updated a few computers at a time to SEP, the remainder, being SAV 10 clients, updated as always from the remaining parent server. Once it's setup, SAV is pretty well self-suffecient, so no nightmare at all. Set it and forget it, just check now and then to see that everything is current.
SEM CAN receive the LOGS from SAV. So in that respect, you can watch SAV and SEP via the SEM management system. You just can't change settings or do updates. And honestly, how often do you need to make changes in SAV? Get your settings right, and leave it alone. I've left them running for months, never changing a thing and only looking to see that updates were working (as I ran a script to download the VDB file to the master/primary, which then went to parents, then to the children via VDTM)
In other words, IMO, SAV is so hands-off that you can afford to keep a SMALL server or even a WORKSTATION running SAV server, and have the children use it as their parent for updates of defs, then setup SEM for log forwarding from SAV and run a hybrid system until you get them all converted.

I've run 200+ clients under a parent that ran on an ordinary windows XP workstation computer, it wasn't even server class. You can install SAV's server version on any Windows computer, doesn't have to be a server.