Video Screencast Help

GUP and Endpoint Status for Off-Network Clients

Created: 28 Dec 2012 | 4 comments

We are in the process of migrating our clients from Sophos to Symantec Endpoint Protection (12.1.2015.2015) and are trying to configure how laptops that are not always connected to the network receive their updates when off-site.  With Sophos, this was achieved through an update policy that stated to use the internal update manager as the primary location and to use an update repository that was located on a server in our DMZ as the secondary location.

Will we need to do something similar when using Symantec Endpoint Protection Manager or is the recommended method outlined in this article?  If we need to do something similar, where do we find documentation to accomplish this?  If the article is the recommended method, then we have followed that and created the policy, the location and assigned the policy.

Is there a way to find out the status of systems that are not on the network very often to ensure they are receiving updates and are not infected?

Thank you.

Comments 4 CommentsJump to latest comment

ᗺrian's picture

Basically you can create two different locations. One for On Network and one for Off Network. Assign an internal LiveUpdate policy to the On Network clients so they receive updates from the SEPM or GUP and assign another LiveUpdate policy to Off Network clients so they receive updates from Symantec update servers. The article is very good and will assist.

There is no way to check clients while off the network unless you have a SEPM in your DMZ. Otherwise you need to wait til they come back on the internal LAN.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

wrr123's picture

Can you point us to infromation on how to setup a SEPM in the DMZ and what the pros and cons of doing this are?

Thank you.

ᗺrian's picture

Best Practices: Configuring a Symantec Endpoint Protection environment in a DMZ

The biggest pro is that you can still manage clients while they're off the network by havig them connect to your SEPM. You will still be able to view logs, push updates, etc.

The biggest con is that you are more susceptible to attackers as per the article:

DMZ's are accessible from the Internet, so it is possible for someone to attempt to access (hack) into the server system that is running the SEPM through other vulnerabilities in the OS or other software running on that server.  If successful, they might be able to access SEP database, which contains information about every computer in the company's organization that is defended by SEP.  This includes the IP address, computer name and SEP version they are running (some older releases of SEP have known vulnerabilities) or which SEP clients have AutoProtect disabled or which clients have no firewall enabled.

For these reasons, Symantec recommends hardening the operating system on the server where Symantec Endpoint Protection Manager will be installed.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Ambesh_444's picture


Firstly u have to open port for DMZ zone (8014), So that your client machine can get connect with SEPM and can get updated on daily base...

Thank& Regards,


"Your satisfaction is very important to us. If you find above information helpful or it has resolved your issue. Please don't forget to mark the thread as solved."