Endpoint Protection

  • 1.  How does Push mode work

    Posted Aug 12, 2009 06:17 PM
    In SEP how often does the client communicate with the server to keep the connection open? 
    How does the 'keepalive' between the client and server work? Does the client send TCP keepalives over the HTTP/HTTPS connection, use ICMP pings, or some other method?


  • 2.  RE: How does Push mode work

    Posted Aug 12, 2009 07:00 PM
    In Push Mode: The client establishes a constant HTTP connection to the management server. Whenever a change occurs in the management server status, it notifies the client immediately.

    On the other hand, in Pull Mode the client connects to the manager periodically, depending on the frequency of the heartbeat setting. The client checks the status of the management server when the client connects.


    In either mode, the client takes the corresponding action that is based on the
    change in the status of the management server. Because it requires a constant
    connection, push mode requires a large network bandwidth. Most of the time you should set up clients in pull mode.
     
    A heartbeat is the frequency at which client computers upload data such as log
    entries and download policies. A heartbeat is a protocol that each client uses to
    communicate with the Symantec Endpoint Protection Manager. The first heartbeat occurs immediately after the client starts. The next heartbeat occurs at the heartbeat frequency that you set.
     
    The heartbeat frequency is a key factor in the number of clients that each Symantec Endpoint Protection Manager can support.


  • 3.  RE: How does Push mode work

    Posted Aug 12, 2009 08:14 PM
    For reference, go to chapter 26 of the SEP administrator guide.


  • 4.  RE: How does Push mode work

    Posted Aug 13, 2009 12:50 AM
    Completely right. Just wanted to throw in a link that confirms what is said above:

    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/22462c88e78bea1b8825731d005c78da?OpenDocument

    Also just wanted to emphasize too the importance of only using push mode when you have a very small network, as the connection will stay open constantly. It is much better to use pull mode that uses the "heartbeat" method. Otherwise you will eat up your bandwidth : (

    Cheers
    Grat


  • 5.  RE: How does Push mode work

    Posted Aug 13, 2009 09:53 AM

    Sorry to be so picky, but if I may ask, can someone provide some more details?

    Prachand said that it is a "constant HTTPconnection" however a different Symantec tech support employee told me that in Push mode the connection is checked by the client to the manager once per minute.   Once per minute is not the same thing as "constant".  Does anyone have exact details?

    Regardless of whether it is constant or every minute, how is the actual keepalive done? For example, does the client send an empty ACK packet, does the client try to ICMP ping the manager?

    Peterpan - was chapter 26 a typo?  My chapter 26 in the SEP administrator guide that came with MR4 MP2 is called "Basic Antivirus and Antispyware Policy settings" which has nothing to do with push/pull mode.



  • 6.  RE: How does Push mode work

    Posted Aug 13, 2009 10:28 AM
    Read it somewhere long before

    Pull mode
    In pull mode, the client connects to the manager periodically, depending on the frequency of the heartbeat setting.
     
    This procedure repeats indefinitely (smc.exe initiates it by reading the sylink.xml file). In pull mode, the number of agents that can be supported on a single server is dependent on the server performance, network bandwidth used for agents, server communication, and heartbeat frequency. In general, the less frequent the heartbeat, the more agents the server can support.
    • There is no maximum to the number of clients that can connect to a given Management Server in Pull Mode.

    Push mode
    In push mode, the agent establishes a persistent TCP connection to the server. If the client cannot connect to the management server, it retries periodically, depending on the frequency of the heartbeat setting. When there is a change in the server status, the server notifies the agent: whenever new changes are there in SEPM, the server would disconnect the connection with the clients; when the client tries again, it knows that there is a change. This happens in both modes whenever the change is applicable. Logs are sent from the client to the SEPM server based upon the heartbeat interval set. Due to the persistent TCP connection, push mode is more intensive than pull mode.

    smc.exe sends the HTTP request to the manager whenever new requests are available; I mentioned above how it's done.


  • 7.  RE: How does Push mode work

    Posted Aug 13, 2009 10:56 AM
    Please refer to page 347 of the Admin Guide for SEP MR4 MP2.


  • 8.  RE: How does Push mode work
    Best Answer

    Posted Aug 13, 2009 11:16 AM
    In Push mode the heartbeat process lasts for the whole interval. There is only 5 seconds between heartbeat stop and next start.

    If you can generate the sylink log, you can get a better understanding of it.

    How to enable Sylink Debugging for Symantec Endpoint Protection (SEP) in the registry

     

    http://service1.symantec.com/support/ent-security.nsf/docid/2008041812561948