Endpoint Protection


FEATURE REQUEST - More refined controls to definitions updates via SEPM

  • 1.  FEATURE REQUEST - More refined controls to definitions updates via SEPM

    Posted Dec 04, 2009 12:46 PM
    We have a problem that I have yet to find a solution for.

    We have:

    -One SEPM
    -Less than 500 clients, mostly VMs that are SAN based

    When the clients use SEPM to pull their definitions, no matter what settings we choose, they all attempt to update at the same time - which kills our SAN.

    It would be nice if we could tell SEPM to only update a certain amount of clients at a time.  It isn't the download that kills us, it's the IO on the SAN when they all attempt to install at the same time.

    Currently we are working around this using Live Update Administrator, and only allowing it to publish updates once per day.  Unfortunately that leaves machines vulnerable to zero day attacks etc.

    Most of these machines do not, and cannot have access to the Internet, so scheduling random 'Live Update' sessions is NOT an option.

    Any ideas, or could I suggest this as a new feature?



    Thanks,

    Mike


  • 2.  RE: FEATURE REQUEST - More refined controls to definitions updates via SEPM

    Posted Dec 04, 2009 12:56 PM
    For your situation, I would change the heartbeat to Pull Mode, and then set the heartbeat interval to an hour with an hour randomization interval.
    This would make it so the clients heartbeat in at more random times, therefore would download the defs at different times.
    To do this:
    Clients
    choose your group
    Policies
    Communication settings
    Choose Pull Mode
    Set Heartbeat interval for your designated length of time   (hour recommended)
    Also set the Randomization to your designated length of time  (hour recommended)

    ~Zoidberg


  • 3.  RE: FEATURE REQUEST - More refined controls to definitions updates via SEPM

    Posted Dec 04, 2009 01:00 PM

    @zoidberg,

    Are you sure that setting the heartbeat will let clients download defs at different intervals?
    As far as I know, when the manager has defs, they are pushed to the clients, no matter what the heartbeat intervals are.
    Am I missing something? Let me know your thoughts.



  • 4.  RE: FEATURE REQUEST - More refined controls to definitions updates via SEPM

    Posted Dec 04, 2009 01:07 PM
    That is true for Push mode.
    In Pull mode, there is no open line of communication between the SEPM and SEP, so there would be no way the manager could force contact.
    The client opens the communication when it heartbeats in, therefore receiving the information that has the new policy and/or update, so it will then ask for the update from the manager.


  • 5.  RE: FEATURE REQUEST - More refined controls to definitions updates via SEPM

    Posted Dec 04, 2009 03:06 PM
    Zoidberg,

    I attempted this last week with the same results.

    We are on Pull mode.  The clients all still check in in or around 20 mins of each other...

    Example:  My test showed that even though the heartbeat is every hour, all the clients downloaded and started installing defs within 20 mins of each other.  I need to be as finite as to say, only distribute defs to 10 machines, wait 15 minutes and hit the next set.  Something similar would work too, such as the randomization being more spaced.  Out of 3-500 clients, I should not logically see all of the updated within 2 hours if it's actually randomized properly, or maybe logically is the better word.

    Does this make sense?


  • 6.  RE: FEATURE REQUEST - More refined controls to definitions updates via SEPM

    Posted Dec 04, 2009 03:10 PM
    Tested in my test environment:
    I installed a client as unmanaged
    set the heartbeat to 100 mins
    exported the client install settings
    made the client managed
    updated with 20 mins
    I'm sure LiveUpdate has nothing to do with heartbeat.
    Any inputs?


  • 7.  RE: FEATURE REQUEST - More refined controls to definitions updates via SEPM

    Posted Dec 04, 2009 04:08 PM
    To be clear, there are two different settings. 

    1. Use SEPM to give your clients content updates
    2.  Use Liveupdate to do the same, which goes around your SEPM to the Net' or an Internal Live Update Server, the latter of which is not best practices per Symantec.

    We are doing # 2, due to the lack of options within SEPM's update setup.


  • 8.  RE: FEATURE REQUEST - More refined controls to definitions updates via SEPM

    Posted Dec 04, 2009 05:51 PM
    There is no option to tell each client to run a LU at X:XX time.
    The best option to help you with this would be to set a bit higher of a heartbeat interval and the same for the randomization.
    We release defs (normally) about once every 4 hours(ish), so maybe doing the heartbeat once every 3-4 hours would help out the clients checking in at the same time.
    As for your 15 clients checking in....was that at the exact same time, to the second? Or was it within the same minute?
    Also did you give it a few days or was it the first time they checked in for this?  How long did you keep this policy in place before reverting back to the LU Admin?




  • 9.  RE: FEATURE REQUEST - More refined controls to definitions updates via SEPM

    Posted Dec 05, 2009 01:33 AM
    I think the best way in this occasion is to install an internal LiveUpdate server and, in the LiveUpdate policy, apply the following settings:
    In the server settings tab, deselect both management server and GUP
    Select use a liveupdate server
    then select use internal liveupdate server
    Click on add, provide the details of the internal LiveUpdate server and click OK
    Select schedule and do the scheduling as required.
    Remember that in SEPM you can assign a policy only to a group; assigning one to an individual client is not possible.
    So if you want to update the clients in groups of 10 clients, the clients should also be grouped in the same fashion, and no inheritance should be present.

    Below docs can help you in configuring LUA
    Configuring Distribution Center in LUA
    Installation and configuration of LUA
    Installing and configuring LiveUpdate Administrator 2.x

    Remember not to install SEPM and liveupdate server in the same physical machine because it can cause performance issues..
    ref:LiveUpdate Administrator 2.x and Symantec Endpoint Protection Manager on the Same Physical Server


  • 10.  RE: FEATURE REQUEST - More refined controls to definitions updates via SEPM

    Posted Dec 07, 2009 11:51 AM
    I am aware there is no option, I was requesting such a feature.

    Not the exact same time, no...but within 2 mins of each other, which did not allow any of them to complete the install before all the others had started, hitting us with the same IO issue.

    I could not allow the policy to play out for more than that first failure of intended setup.  Continued progress that direction would have led to further issues, causing me issues - if you know what I mean.


  • 11.  RE: FEATURE REQUEST - More refined controls to definitions updates via SEPM

    Posted Dec 07, 2009 11:52 AM
    AravindKM,



    This is ALREADY what we have in place.  However, it doesn't allow us to only rely on SEPM, which is Symantec's best practices.

    Also, relying on LUA, does not allow rapid defs to be distributed, and we are constantly hit with zero day attacks.
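
The figures discussed in this thread, worked through as an added example (not part of any post and not Symantec code): a small Python model of peak simultaneous definition installs when all clients start within 2 minutes, when starts are spread uniformly over a 60-minute window, and when clients are released in batches of 10 every 15 minutes. The 500-client count, the 5-minute install time and the uniform-spread model are assumptions; the model does not reproduce how SEPM actually randomizes heartbeats.

```python
import random


def peak_concurrent(starts, install_min):
    """Largest number of installs running at the same moment (sweep line)."""
    events = []
    for s in starts:
        events.append((s, 1))                 # install begins
        events.append((s + install_min, -1))  # install ends
    # At equal timestamps, process ends (-1) before starts (+1).
    events.sort(key=lambda e: (e[0], e[1]))
    running = peak = 0
    for _, delta in events:
        running += delta
        peak = max(peak, running)
    return peak


def uniform_starts(n, window_min, rng):
    """Each client starts at a uniformly random minute inside the window."""
    return [rng.uniform(0, window_min) for _ in range(n)]


def batched_starts(n, batch_size, gap_min):
    """Clients released in fixed-size batches, one batch every gap_min."""
    return [(i // batch_size) * gap_min for i in range(n)]


def compare(n=500, install_min=5.0, seed=1):
    # n and install_min are assumed values, not measurements from the thread.
    rng = random.Random(seed)
    batches = batched_starts(n, batch_size=10, gap_min=15)
    return {
        # Clients starting within 2 minutes of each other (post 10).
        "within_2_min": peak_concurrent(uniform_starts(n, 2, rng), install_min),
        # One-hour randomization window (post 2), modelled as uniform.
        "random_60_min": peak_concurrent(uniform_starts(n, 60, rng), install_min),
        # 10 machines, wait 15 minutes, next set (post 5).
        "batches_10_every_15": peak_concurrent(batches, install_min),
        # Minutes until the last batch has finished installing.
        "batched_rollout_min": max(batches) + install_min,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

Under these assumptions the batched schedule caps load at 10 concurrent installs but needs 740 minutes to reach every client, which is the trade-off between SAN IO and definition freshness that the thread is arguing about.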