Endpoint Protection

Hi,

I would appreciate any help I could get in designing a live update policy so thanks in advance for any suggestions.

We currently have SEP 12.1.2 deployed on all our clients and we have many sites around the world ranging from 20 – 250 users.  The majority of our clients are laptop users and frequently roam from location to location. 

My goal is to hopefully create a policy to allow users to:

1.       Receive updates from  the SEPM if located in the main office on same subnet as the SEPM

2.       Receive updates from the GUP in the appropriate subnet when travelling to other sites.

3.       Receive updates from the Symantec LiveUpdate servers when either of the above are unavailable (for example when in a hotel)

To try to achieve this I plan to nominate a single GUP in each remote site location and create a live update policy with the following settings enabled:

1.       Use the update management server

2.       Use the default Symantec LiveUpdate server

3.       Use multiple group update providers (and configure a policy to nominate a suitable machine in each subnet.  With a 3 hour time out period

I have several concerns with the proposed setup:

1.       The download preference , i.e. I am aware that the GUP’s would be searched first, if failed then the SEPM would be contacted, so this would work as intended, however with the Symantec Liveupdate checked, would this be seen as a priority and override the GUP feature?

2.       Also, I believe that the GUP list published by the SEPM would contain all the information required for the clients to identify a GUP on their subnet, however I believe they create their own local GUP list, has this filtered out those GUPs available on their own subnet, and how often does this refresh?  Would this stop the ability to roam to another site/subnet as the client would only have the GUP list for the previous subnet or would it retain all the available GUPs therefore allowing a roaming feature?

One further design we will need to implement is the explicit group update provider.  In one country we will have a single data centre able to speak to the SEPM via the VPN, and anything over 200 smaller site locations on individual subnets connected to the data centre via mpls, users will roam between these locations on a daily basis.  I believe that creating a GUP in the data center and applying an explicit GUP policy should work for this situation, however could this policy be used in combination with the original policy in this thread, or should the users be moved from their normal groups in the SEPM into a group where this explicit policy applies?

Thanks again.

Hello,

Appreciate you being very clear with explaination and requirements.

Here are the Answers.

1.       The download preference , i.e. I am aware that the GUP’s would be searched first, if failed then the SEPM would be contacted, so this would work as intended, however with the Symantec Liveupdate checked, would this be seen as a priority and override the GUP feature?

No. GUP would always get preference above others.

2.       Also, I believe that the GUP list published by the SEPM would contain all the information required for the clients to identify a GUP on their subnet, however I believe they create their own local GUP list, has this filtered out those GUPs available on their own subnet, and how often does this refresh?  Would this stop the ability to roam to another site/subnet as the client would only have the GUP list for the previous subnet or would it retain all the available GUPs therefore allowing a roaming feature?

Incase if there are roaming clients, I would request you to have these clients set under "Explicit Group Update Providers (GUPs) for Roaming Clients" which is the new feature of SEP 12.1 RU2

Check these Articles:

Understanding "Explicit Group Update Providers (GUPs) for Roaming Clients" in Symantec Endpoint Protection (SEP) 12.1.2

http://www.symantec.com/docs/TECH198640

Symantec Endpoint Protection (SEP) Group Update Providers (GUPs) Selection Examples

http://www.symantec.com/docs/TECH198702

Hope that helps!!

Hi Mithun

Thanks for your reply, thats great, it looks like i can achieve what i am after.

The first document in the link was one that i had read, however the second document is pretty much the confirmation i wanted to find.

This brings me onto the point about how symantec document their new products etc.  I always seem to find solutions to most problems from browsing the forums in posts from employees such as yourself whom link to useful articles and guides etc.  But generally it's pot luck that i find these documents or have to search through similar documents linked to in other threads that relate to many different versions of the same product with slight changes in them.

Is their a central repository or something that relates to individual products and versions? for example i browse to support - knowledge base - documentation - sep 12.1 -Live update - GUPs

I probably look really stupid here and am missing something really obivous, but navigating your web site is really difficult to find related articles.  For example on MS Technet you can pretty much find everything by drilling down into the product your interested in, whilst drilling down you can see all the available linked articles which allows you to quickly navigate and explore the product.  Here on symantec I find that I spend hours following link after link bouncing between threads hunting for related articles, there must be about 50 different pages i have read on GUPs by now which i still cant seem to find a central repository where they are all located and i can browse official documentation? apologies if im missing something really obvious here lol

I must add though that the amount of symantec employees responding to posts is excellent and you should be commended for your support.

Thanks

Hi,

Q. Is their a central repository or something that relates to individual products and versions? for example i browse to support - knowledge base - documentation - sep 12.1 -Live update - GUPs

--> Check this link here you can narrow down to specific product.

 http://www.symantec.com/business/support/index?page=landing&key=54619

You can always ask any query on this community, send PM to the Support Engineers if could not find required information/article.

Hello,

Appreciate it.

We surely understands the importance of Knowledgebase in Support.

I would suggest you to check this Article:

SymWise - Symantec KnowledgeBase and Symantec Support

https://www-secure.symantec.com/connect/articles/symwise-symantec-knowledgebase-and-symantec-support

In this Article, it has been made sure.. it has every link which you or any customer may be looking for.

Hope that helps!!

Im trying to do pretty much the same thing, so hopefully someone can help with this.