
Deploy definitions with SEPM over http(s) or anything else?

Created: 03 May 2011 | 7 comments

Hi,

We use Symantec Endpoint Protection 11 for our internal Windows 2003 and Windows 2008 servers.

We have two networks (10.0.40.0 and 178.15.52.0) and want to deploy the virus definitions for all servers in both networks. Both networks are using the same domain. The only problem is that the management/deployment server just knows the 10.0.40.0 network. It is not possible to put this server in both networks. So the SEPM does not recognize the client installation on the servers in the 178.15.52.0 network.

The question is:

Is it possible to deploy the virus definitions to the servers in the 178.15.52.0 network anyway? Is there any solution to do this? Over the http(s) protocol or anything else? How can we configure our networks/ports etc. to reach the other systems?

Thanks in advance for any answers!

Martin


Chetan Savade's picture

Hi,

Check the following articles :

Which Communication Ports does Symantec Endpoint Protection 11.0 use?

http://www.symantec.com/business/support/index?pag...

Ports and Protocols to be allowed when using a proxy in a SEP environment.

http://www.symantec.com/docs/TECH131843 

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

symantecav's picture

Hi Chetan,

the ports 80 and 443 are open. Port 8014 is not, but I don't need 8014 if port 80 is open, correct?

But it is not the only problem to open ports, because the deployment server and the client are in different networks. The SEPM can't see the clients in this network. The articles are not saying anything about that problem :(

Is there any opportunity to get this to work?

Thanks in advance!

Chetan Savade's picture

Hi,

It's possible if those two networks can communicate with each other.

I hope you can access the 172.15.x.x network from the 10.x.x.x network. Have you done any inter-VLAN routing?

If you are able to access that network, then the 172.15.x.x network should get discovered while running the Migration and Deployment Wizard.

Deploy the package manually on one machine on the 172.15.x.x network and check whether that machine communicates with the SEPM or not.

One SEPM can even manage clients in two different domains if those two domains have trust and communication.

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


symantecav's picture

No, I can't access the network directly. We have a Squid proxy and a port forwarding between these networks. Is it possible to push or pull the virus definitions over a web proxy?

Chetan Savade's picture

Hi,

As per your comment "the ports 80 and 443 are open. Port 8014 is not, but I don't need 8014 if port 80 is open, correct?"

Yes, it's correct.

How many clients do you have under the 172.15.x.x network?

Check this article

Ports and Protocols to be allowed when using a proxy in a SEP environment.

http://www.symantec.com/docs/TECH131843 

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


Go_Beavs's picture

If the two networks cannot communicate, it will definitely be more difficult to achieve. You may be able to use the third-party distribution method. Check out Page 156 of the Administration Guide all the way to the end of the chapter. It walks you through how to set this up under different circumstances. But if these clients are not managed by this SEPM, that means they can't get policy updates, making this option very difficult to use more than likely.

More details like:

  • How many clients are on the 172.x network
  • Are these clients unmanaged or managed by a different SEPM
  • How do they currently get their updates

would make it easier to make other suggestions. A LUA may be an option as well, depending on the number of clients you need to update. If there are just a few, each client running LU on its own is more efficient than having a LUA. On the flip side of that though, you would need to put in place a new policy on these clients to retrieve their updates from an LUA, which is more work in itself if the clients are unmanaged.