Endpoint Protection

  • 1.  Automate group membership based on DOMAIN in Endpoint Protection

    Posted Aug 12, 2009 12:32 PM
    Hi,

    Does anyone know if it is possible to automate group membership based on domain membership within an Endpoint Protection environment? Basically we have 1 primary endpoint protection management server set up for the entire enterprise, and we have created 2 secondary management servers to split up the load. We want all machines in domain 1 to go to secondary management server 1, all machines in domain 2 to go to secondary management server 2, and all machines in any other domain to continue going to the main management server for updates.

    Because our images are used throughout the enterprise we cannot create multiple installers, one for each domain. Also, we don't want to have to manually move computers from the main group to their sub groups; we want it to happen automatically.

    For example, when the client is installed on a new computer in DOMAIN1, we want the management server to see this new client, and based on its domain membership move it into FOLDER1. Again, if the computer belongs to DOMAIN2, auto-move it to the DOMAIN2 folder. If the client belongs to DOMAIN3, DOMAIN4 or DOMAIN5 we want it to stay in its original folder as specified by the installation package.

    Thanks for any help.


  • 2.  RE: Automate group membership based on DOMAIN in Endpoint Protection

    Posted Aug 12, 2009 12:45 PM
    I think you can set this up by using location-specific settings. You can set up the conditions for a location by using the IP address of the subnet that belongs to one domain.

    You will need to create groups depending on the domain, and you can set up location settings by defining the conditions for that location.

    For that you can go into the SEPM > create a group, and for the group go into the policy tab, then go to manage location and specify your condition there.

    I hope this should help you.


  • 3.  RE: Automate group membership based on DOMAIN in Endpoint Protection

    Posted Aug 12, 2009 12:48 PM
    Hi,

    I am not sure how you have set up the load balancing here, but it seems quite unusual and may not be the best option.

    However, to answer the question, this would be quite difficult without changing the disk image used (the original sylink.xml file can be used to change group membership).

    Do you only want them to be in a specific group so you would be able to change the management server list and have them connect to a particular SEPM? If that's the case it might be easier to achieve this using different locations (it would be quite easy to have a location per domain, each with its own management server list).




  • 4.  RE: Automate group membership based on DOMAIN in Endpoint Protection

    Posted Aug 12, 2009 05:03 PM
    Thank you for the replies guys.

    JL-S: Basically we have 1 management server for about 4500 clients and it is using A LOT of bandwidth out of head office and we find definition updates are going out too slowly. In order to resolve this we have set up two new management servers as replica servers on off-site locations for our second and third largest domains.

    We simply want all DOMAIN1 computers to get definitions from NEWSEPSRV1 and all DOMAIN2 computers to get definitions from NEWSEPSRV2, and have all other clients belonging to all other domains to just keep doing what they're doing...getting defs from the main management server.

    Kavin mentioned that we can set up conditions so that clients in X domain or subnet get automatically put in X group, and then I assume we can set up a policy for X group to get definition updates from the local server, correct?

    Is there a better way we should be going about doing this? The long and short of it is, we want to take 2 domains and give them their own SEP management server to distribute definitions to its local domain, without administrative effort (without us having to constantly sort out clients).


  • 5.  RE: Automate group membership based on DOMAIN in Endpoint Protection

    Posted Aug 13, 2009 04:05 AM
    Well, in this case you can do that with DNS.

    Use the same hostname for both servers and, depending on which DNS server you hit (which is probably going to be a DC from your domain, or anyway would be given by DHCP info), you point them to a different IP.



  • 6.  RE: Automate group membership based on DOMAIN in Endpoint Protection

    Posted Aug 13, 2009 11:52 AM
    From what you describe the best way to do this would be by setting up Location Awareness based on the IP range of the clients and multiple management server lists and priority settings.  I will see if I can write up a short document on the specific steps you will need to follow as well as a solution for troubleshooting bandwidth issues between SEPM and SEP clients. 

    Here is a quick slapped together article that might help you out.
    Troubleshooting SEPM & SEP bandwidth issues. https://www-secure.symantec.com/connect/articles/sepm-sep-client-bandwidth-troubleshooting


  • 7.  RE: Automate group membership based on DOMAIN in Endpoint Protection
    Best Answer

    Posted Aug 13, 2009 04:54 PM
    Here's the article I mentioned that can help you with location awareness and multiple management server lists. 

    http://www.symantec.com/connect/articles/location-awareness-using-multiple-management-server-lists

    Let me know if anything needs clarification or any other assistance is needed.


  • 8.  RE: Automate group membership based on DOMAIN in Endpoint Protection

    Posted Aug 25, 2009 11:28 AM
    Thanks for your help guys, location awareness is definitely what we were looking for. We have set it up for testing purposes for now and will be going live with it hopefully later this week. I appreciate your help & the guide!!!


  • 9.  RE: Automate group membership based on DOMAIN in Endpoint Protection

    Posted Aug 25, 2009 11:55 AM
    Glad to help, zoneseek. If you like the solution please mark it so others will be able to find it useful.

    If you need anything else feel free to PM me.