Endpoint Protection

 View Only
  • 1.  Client restricted from contacting SEPM - will it go to LU?

    Posted Jun 27, 2014 10:23 AM

    I don't nessecarily have a problem, I'm just wondering what happens if...

    A single LU policy is deployed that has both the default managment server and LU server selected for content retrieval.  This policy also leverages GUP's and the setting there is to never download update from the default managment server.

    My question is this; if the GUP is offline and the client is prohibited from contacting the SEPM, will the client attempt to contact the LU server or is that check box meant to be inclusive of all content sources other than the GUP?  If its true that the client will NOT download content from either source, does that also obviate the LiveUpdate Scheduling for clients configured to get content from GUP's?  The options for skipping LiveUpdate become moot for those clients.  True?

     

    (looking at you, SMLatCST smiley )

     

    Thanks guys!

    Will

     



  • 2.  RE: Client restricted from contacting SEPM - will it go to LU?

    Posted Jun 27, 2014 10:24 AM

    Only if you specify a schedule in the policy for it to go out to Symantec LU. Otherwise, it won't update. It needs to be told where to get updates from.



  • 3.  RE: Client restricted from contacting SEPM - will it go to LU?

    Posted Jun 27, 2014 10:33 AM

    Only if you tell it to go , untill and unless you have not set the policy in liveupdate, it will always go to SEPM

    these are the various methods clients will get updates

    How client computers receive content updates

    http://www.symantec.com/business/support/index?page=content&id=HOWTO80888



  • 4.  RE: Client restricted from contacting SEPM - will it go to LU?
    Best Answer

    Posted Jun 27, 2014 10:43 AM

     

    Client - Check for updates from SEPM during heartbeat

    SEPM - tells the client to get it from GUP 

    GUP is offine, Client will not get any updates.

    Since you have set the option do not bypass GUP, It will not take any upgrades from SEPM.

    This goes on every heartbeat.

    since you have set the liveupdate schedule...LU will run during that schedule , cleint will get update from internet.

    http://www.symantec.com/business/support/index?page=content&id=TECH96419

    Maximum time that clients try to download updates from a Group Update Provider before trying the default management server This option lets clients bypass a Group Update Provider if they try and fail to connect to the Group Update Provider. You can specify a length of time after which clients can bypass the Group Update Provider. When clients bypass the Group Update Provider, they get content updates from the default server  ( SEPM)

    Select one of the following options:
    • Check Never if clients only get updates from the Group Update Provider and never from the server. For example, you might use this option if you do not want client traffic to run over a wide area connection to the server.
    • Check After to specify the time after which clients must bypass the Group Update Provider. Specify the time in minutes, hours, or days.


  • 5.  RE: Client restricted from contacting SEPM - will it go to LU?
    Best Answer

    Posted Jun 27, 2014 10:49 AM

    Eerrrrr... Hi! laugh

    "Thumbs Up" to the posts above yes

    AFAIK, even when the GUP is not available (and the LU policy categorically tells clients to not revert to the SEPM for defs), the fact that the client is still in communication with the SEPM means it will never hit the (default) 8 hour threshold on SEPM comms in the "Options for Skipping LiveUpdate", and so will never update (or at least no do so until a GUP becomes available again surprise).

    Once enabled, I'm not aware of any facility for a client to ignore the "Options for Skipping LiveUpdate" thresholds under the LiveUpdate Schedule (you can always administratively kick off a LU attempt, but that's something different).



  • 6.  RE: Client restricted from contacting SEPM - will it go to LU?

    Posted Jun 27, 2014 10:59 AM

    Thanks Rafeeq

    So you are saying that if the client is instructed to NEVER download from the SEPM, it may still get content from the LU server if the GUP is offline.  That's a problem.  The entire point of leveraging GUP's is to ensure that clients will not saturate a WAN link attempting to update their content.  In this scenario that's exactly what would happen.

    The GUP is offine.  On the next heartbeat the SEPM informs the clients of new defs.  As the GUP is offline and the clients are prohibited from downloading from the SEPM, they all head for the nearest WAN link to get content from the default LU server and we get exactly what we're trying to avoid.

    I just want to make sure I understand this correctly.

    Thanks again.



  • 7.  RE: Client restricted from contacting SEPM - will it go to LU?

    Posted Jun 27, 2014 11:01 AM

    Only IF a schedule is actually set will they go out to Sym LU.



  • 8.  RE: Client restricted from contacting SEPM - will it go to LU?

    Posted Jun 27, 2014 11:01 AM

    Essentially, if your aim is to use Symantec LiveUpdate (or in internal LUA) as a failsafe backup method in case a GUP is offline for an extended period and definitively don't want clients to update via the SEPM (ever), then you'd have to take out/disable/uncheck the "LiveUpdate runs only if the client is disconnected from Symantec Endpoint Protection [Manager] for more than:" option under the "Options for Skipping LiveUpdate".

    The reasons behind this is that the LiveUpdate Engine has no visibility as to the state of the GUP.  When the LiveUpdate schedule hits, it doesn't check if the client failed to talk to the GUP or anything, it merely checks the "Options for Skipping LiveUpdate" thresholds and kicks off (or skips) accordingly.



  • 9.  RE: Client restricted from contacting SEPM - will it go to LU?

    Posted Jun 27, 2014 11:02 AM

    If you think it'd be of use, I'd recommend raising the ability for LiveUpdate to check GUP status before running as an IDEA on these forums.

    SEP11 never had the "Options for Skipping LiveUpdate", but they eventually made it in there so you never know!



  • 10.  RE: Client restricted from contacting SEPM - will it go to LU?

    Posted Jun 27, 2014 11:34 AM

    SEPM does not validate if GUP is online or offline, it gives out the list of GUPs  to get the updates from, The clients will keep track of the interval ( Bypass) ..Liveupdate schedule is local to the box, these settings are set in the registry when it reaches the schedule it will run Liveupdate.

    Just set one option which you are comfortable with , Symantec also does not recommend using too many liveupdate sources

    Why dont you try this option, which is in the liveupdate schedule.

    Options for Skipping LiveUpdate

    Specifies that LiveUpdate should run automatically at the next scheduled time if the checked criterion is met. If you check both options, the client computer must meet both criteria for the scheduled LiveUpdate to run on schedule. If the client does not meet one condition, then the scheduled LiveUpdate is skipped and an entry is made in the client system log.

    http://www.symantec.com/business/support/index?page=content&id=TECH178257