Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Fresh Install of SEPM

Created: 26 Feb 2013 • Updated: 26 Feb 2013 | 23 comments

Need to verify that a new SEPM can be installed without having any affect on the current SEPM or clients? This new version will be installed a totally seperate server with different and name and IP than current SEPM. Anything to consider when installing a new SEPM that will eventually become the one and only SEPM? I plan on using the syslink drop utility to upgrade clients to the new manager. Also wondering what the pros/cons are to using the embedded db vs a full SQL install. Thanks.

Operating Systems:

Comments 23 CommentsJump to latest comment

.Brian's picture

Yes, that will work.

This document also gives a few options:

Overview of how to move the Symantec Endpoint Protection Manager from one machine to another

Article:TECH148555  |  Created: 2011-01-20  |  Updated: 2011-03-15  |  Article URL

How many clients do you have? If a small number than you can stick with embedded. SQL server requires a dedicated box.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

james012345's picture

Thanks for the reply. We have approximately 200 clients. I just wanted to make sure that there was no 'auto-discover' option that might conflict with the current SEP client/manager connection. My plan is to install the new SEPM (configured with the same policies), migrate the clients using the syslinkdrop, and then decommission the old SEPM. So there are no benefits to using the stand alone SQL as opposed to the new embedded DB? Thanks again. 

.Brian's picture

For 200 clients, stick with embedded. SQL would come into play if you have say 10,000 clients.

Also, with SEP 12.1.2 there is anew feature which lets you replace the sylink using the SEPM. See here:

How to deploy/update communication settings from your SEPM to your SEP clients machines with SEP 12.1 RU2

Article:TECH199124  |  Created: 2012-10-30  |  Updated: 2013-02-15  |  Article URL

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Sumit G's picture

Hello James,

For the 200 clients you not required to install the SQL Server. Embedded database is better for the same.

But kindly confirm which of SEPM Version you have and which of the SEPM Version you are going to install.?


Sumit G.

Ambesh_444's picture


Please check with below link.

Thank& Regards,


"Your satisfaction is very important to us. If you find above information helpful or it has resolved your issue. Please don't forget to mark the thread as solved."

james012345's picture

Our current SEPM is running 12.1 RU1. I would like to get 12.1 RU2 installed on the new SEPM. Here are some of my questions/concerns:

1. We have a number of custom policies that I would like to export from the current SEPM to the new SEPM. Does the export/import work across RU1 and  RU2 or should I install RU1, import the policies and then upgrade to RU2. Anything else I should consider with exporting/importing settings?

2. When installing the new SEPM I would choose the 'Install First Site' option correct? Even though it's really not the first site.

3. I thought about setting up the replication partner and creating a new SEPM that way but I did read on the Symantec site that once you break the replication you can never use replication again. Since we are decommissioning the old SEPM I would have to break the replication so I don't think that's a good option.

4. To use Reset Client Communication the clients need to be running version 12.x correct? Most of the clients are running 11.x.

5. For virtual clients Symantec states that 'Active Scans' pretty much do the same thing as full scans. Does anyone have anymore documentation on this?


Jason1222's picture

1.  The custom policies should import seemlessly.

2. Install as frst site, yes.  Are you going to be using DR or a Sylink replacement on the machines to point to the new server?

3. Correct.  There are issues when removing the "original server" as a replication partner.

This is a great place to gather all the information you might need to verify the possible scenarios:

4. Not sure what you mean, but this should help:


james012345's picture

In the 'Virtualization Best Practices' doc it says "Scheduled full scans are not required to secure SEP 12.1 clients." Does that apply to physical machines as well? Thanks again, good information here.

SebastianZ's picture

That would apply mostly for virtualized clients - in order to reduce the performance impact cause by similtanous scan operations on them. For physical machines scheduled scans are recommended in addition to autoprotect scan - these provide full scope of AV protection provided by SEP Client.

james012345's picture

Auto-protect scans are different from Active-scans correct? My understanding was that all systems run Auto-protect scans however virtual clients run Active-scans in addition to Auto-protect while the physical systems run Auto-protect and fulls.

SebastianZ's picture

Some information about scan types:

About the types of scans and real-time protection

Managing scans on client computers

Both Active scans and full scans are types of the scheduled scans.

pete_4u2002's picture

yes scans are different. Active scan can be run on all machines.

james012345's picture

Does the virtualization best practices apply to virtual servers? Just want to make sure becuase all the clients are running server operating sytems.

james012345's picture

Is there any documentation on running 'Active Scans' as opposed to 'Full Scans' on virtual machines. That's a big deal and there is no way that I can implement it without more docuementation from Symantec. The link above states that it's specifically for VDI and as I mentioned our clients are server VM's.

Rafeeq's picture

check this

Managing Symantec Endpoint Protection in virtual environments

james012345's picture

That is what I was looking for except that it doesn't say anywhere that Symantec recommends running 'Active Scans' as opposed to 'Full Scans' on virtual machines.

Rafeeq's picture

Active scan does not scan all the content. for VMs you need to run full scans.

have you checked the virtual appliance?

this improves the scan

james012345's picture

I don't know how helpful that would really be. If it resets the counter everytime new definitions are loaded (which is every 4 hours) then it would be costantly rebuilding the cache and before it could really be used new definitions would be loaded again. The virtual appliance is in addition to the SEP client on the VM correct, not in place of.

Rafeeq's picture

its mentioned in this document to run active scan instead of  full scan

james012345's picture

How about the pros and cons of having clients obtain definitions from the Symantec servers on the internet vs. the local SEP manager?

.Brian's picture

You would conserve bandwidth by having the SEPM hand out the defs. Also, you can setup GUPs at local sites to conserve even more bandwidth. Only the GUP would get the content from the SEPM than the GUP would provide the content to the clients locally.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.