Video Screencast Help

Installing LiveUpdate Server for SEPM

Created: 13 Jun 2009 • Updated: 21 May 2010 | 20 comments
praveenvarun's picture
This issue has been solved. See solution.

 Hi!

I am new to SEP enviornment.

I have to install an internal Live update server for SEP 11.0 at my site. I have a site with different remote locations which are connected to my central location which has access to Internet. All my SEP clients are at remote location. I want them to be managed locally from their remote sites through a Local SEPM server get UPDATES from their SEPM and each SEPM should recieve updates from This internal LUA configured at CENTRAL Location. 

I have already installed LUA and it is able to get updates from Symantec Site. But i'm confused that how will my SEPM at remote site will get their Product updates from this Server. And do i need to install SEP on my LUA also in order to protect it from Virus attacks.

Please Help!
 

Comments 20 CommentsJump to latest comment

praveenvarun's picture

 I am new to SEP enviornment.

I have to install an internal Live update server for SEP 11.0 at my site. I have a site with different remote locations which are connected to my central location which has access to Internet. All my SEP clients are at remote location. I want them to be managed locally from their remote sites through a Local SEPM server get UPDATES from their SEPM and each SEPM should recieve updates from This internal LUA configured at CENTRAL Location.

I have already installed LUA and it is able to get updates from Symantec Site. But i'm confused that how will my SEPM at remote site will get their Product updates from this Server. And do i need to install SEP on my LUA also in order to protect it from Virus attacks.

Please Help!

Vikram Kumar-SAV to SEP's picture

First ..you will have to install SEP client on LUA and SEPM servers to protect it from Viral attacks.

TO configure your remote sites to get updates from your LUa you will have to configure it in SEPM.
Admin -Server-Local Site (site-name)- properties-Liveupdate - Add Source Servers - Use a specified internal liveupdate server -ADD - 

Server name
The name of the LUA server. This name appears when you run LiveUpdate.

Description
This box is optional. You can type the descriptive information that is related to the server. For example, you can type the name of the site.

URL
This URL will be the URL that you will see in the distribution page of your LUA
eg. http:\\servename\clu-prod...

User Name
The logon name that is associated with the server. Leave this box blank so that users can log on and retrieve the files without typing information.

Password
The logon password that is associated with the server. Leave this box blank so that users can log on and retrieve the files without typing information.


Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

praveenvarun's picture

Thanks  Vikram Kumar.

But as said, i want all my client should pick their updates from SEPM server itself. Only the SEPM server will communicate with LUA for the updates.

I've already configured LUA but it takes too much of time to retrieve updates from Symantec site. I've also able to configure my first SEPM Server and deployed Client on my LUA so as to protect my LUA machine from any attack. Also my SEPM is able to get updates from LUA but my Client is not getting them properly from SEPM.  SEP on LUA shows three components: Antivirus and Antispyware protection, Proactive threat protection, Network threat protection. Everything is ok but the Antivirus and antispyware protection is not uptodate.

May be because there are no updates available in SEPM.

Also i found that when i checked my LUA activity monitor. IT shows download is running but i found most of the files skkiped while download.

Can you help me with this?

Vikram Kumar-SAV to SEP's picture

The above mentioned Steps that i mentioned configures SEPM to reteive updats from LUA and not the clients. 

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

praveenvarun's picture

 That part i've already configured and is working fine. 

I've a problem that, since i've deployed SEP client on LUA from SEPM, the SEP client installed on LUA is blocking SEPM server. I;m unable to Ping LUA server ffrom any machine until i disable Network Threat Protection.

I am unable to unblock it..... From where can i do this!!

Ajit Jha's picture

Hi praveen
try to understand what vikram is stating in his comment

Regard's

Ajit Jha

Technical Consultant

ASC & STS

Vikram Kumar-SAV to SEP's picture

So the the NTP firewall is blocking the traffic.
I guess your LUA would be on the default port 8080 
So configure firewall rule in SEPM to allow that in firewall.
Or check the traffic log on the lient and check what traffic it is blocking and ...create a rule to allow that traffic.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

praveenvarun's picture

FIREWALL Policy

Yeah NTP is blocking i've checked the log file of NTP on Client machine can u please tell me how can i configure the firwall rule......
I went through the firewall rules in SEPM >Clients> Firewall Policy but could not find how to do it.... 


Vikram Kumar-SAV to SEP's picture

http://service1.symantec.com/SUPPORT/ent-security....

Follow the doc. and in the same way add exception for port 8080 as well.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

praveenvarun's picture

 

Manual Update Method

Can we download Updates manually for Live Update Server as Download is very slow. Actually i've tried downloading updates on LUA but it failed after 70%., and there is no method to re-execute that schedule from 70%. If there is some way pls let me know. My LUA fails everytime.

If i can download these product updates on some other machine directly from Symantec site. And simply copy them to TempDownload folder of LUA or to Default Settings\All Users\Application Data......... path i.e. the Managed folder.

But again how will LUA will get to know about these updates So that it can Distribute and send them to clu-prod Directory..... 

Beppe's picture

Hi,

nobody is asking you how your network is big to give you the proper best practices.
do you have few big sites (>1000 clients per site) or a lot of small sites (few hundreds of clients per site)?
In the first case your SEP+LUA architecture is good.
In the second case you can install one only SEPM and some GUP's (Group Update Provider) to update your remote sites, this is reliable and easier to set up and mantain.

Regards,

Giuseppe

praveenvarun's picture

Hi Giuseppe.Axia

Yes I have 77 small sites with 25 clients at each site in different geographical region each one is connected to Central Location. I can think of Three Scenerios....

1st. installing LUA at Central location as this is the only site with Internet Access via Proxy. All other Sites having their own SEPM, will get update from this Internal LUA server only. I'll also install SEPM and SEP client on this machine so as to protect it from Attacks.

2nd. Install SEPM on this server get updates from Symantec server and send them to 77 Sites, these site also have there own SEPM which will update their local clients. 

3rd. As you said i can install SEPM at centre and install clients to all other locations and configure GUP for each site.

My concern is which one will be better. 

Do I really need to have LUA. What are the drawback in short.

Right now i have configured LUA. But it is taking so much of time and finally fails to download. Download content is around 860MB. Quite big
 

Beppe's picture

Here's my opinions:

- for sure you cannot install 77 (or 50, or 10...) SEPM... you will burn your brain to manage them and they will not work at all. For 2000 clients, one SEPM  works fine, it very depends on the connections you have...

- with one only SEPM you don't need LUA at all

- therefore, you have to use the GUP

Enjoy this:
http://service1.symantec.com/SUPPORT/ent-security....

Our Support is avaible in case you need to better tune your SEPM.

Don't forget to mark as a solution the most useful post for you.

Cheers,

Regards,

Giuseppe

SOLUTION
praveenvarun's picture

Need some more Suggestion

 But I want to control my update sent to my clients. AS some of them may create problem to my Application. Can you also provide me the list of Products and their contents.

What I've chosen are:

Symantec Endpoint Protection 11.0 (English)
Live Update Technologies.
Symantec Network Access Protection (English) 

Components:

Behaviour Crimeware, Firewall Policies, Antivirus definitions, Other software

Also I wanna control Each site locally. I only want to update them from my central location. 

Is it possible?

Beppe's picture

> But I want to control my update sent to my clients. AS some of them may create problem to my Application.
You can deeply control the definitions deployment only with LUA. Two ways:
1) half control: LUA downloads from our server when you want, SEPM from LUA when you want, SEP clients from SEPM as soon as possible (it depends if you are in pull or push mode).
2) full control: LUA downloads from our server when you want, SEPM and SEP only from LUA when you want.

> Can you also provide me the list of Products and their contents.
You should know better than me the list of products you want install and use... just select the name of the products in the LUA. It is not tricky. Eventually explain me better what you mean.

> Also I wanna control Each site locally.
Not clear. Do you want to control 77 (or just 50, or just more than two...) SEPM? Do you have a skilled IT administrator on each site? How are you picturing to synchronize their settings and policies? We are giving you a fantastic console, with a high flexibility and the ability to manage thousands of clients from one only place. You can also create multiple accounts to log on in the console, also remotely. Probably you don't know this product very well yet. If you have network performance issue just move to the pull mode with a proper heartbeat.

> Is it possible?
Yes, you can still shoot at the butterfly with the cannon.

Regards,

Giuseppe

praveenvarun's picture

Yes I want to control each site locally from their SEPM, and only want thier SEPM to get update from Central Location SERVER. 

My all site Engineers will manage SEPM and their clients from their site only. 

I have suggested my Head for GUP but he wants what i'm explaining you above....

They want all clients to be managed by their Regional SEPM only. 

But as the document suggest that you provided we should have least no of SEPM. But if we don't want replication can we go for 77 SEPM(s).


Beppe's picture

Yes, you can install 77 autonomus SEPMs but what are the advantages? Don't you like the full view and control of your organization?
Are you planning to train 154 persons (you need one back up person per site as well) to manage SEPM? Do you have good servers in so small sites? It seems a reach company, do you need a SEPM expert?
Do you know how flexible is the SEPM? You can create groups, domains of control and limited administrator accounts. It means you can "split" the control of one SEPM between your IT engineers. They can access remotely to the console just with the URL http://your_central_server:9090. If you have to add a firewall rules to all clients you can do it with few clicks instead of copy and paste the policies.
I am surprised you don't like such powerful features and you are going to install 77 SEPM without any real benefit but just because an unskilled boss has a fixed idea in mind.

Regards,

Giuseppe

praveenvarun's picture

 Thanks Giuseppe.Axia

I've configured my LUA and /sepm successfully... and i'm able to retrieve updates....

Only the problem i'm facing is that All my clients are showing PTP off and waiting for updates although they are upto date.I'm still pondering why is it happening......

Beppe's picture

If you have a new issue it is better for you to open a new discussion to better catch the community attention on the new issue.

Regards,

Giuseppe