Endpoint Protection

I need to understand how a SEP client make the decision of connecting to a external LiveUpdate server. I have SEP clients that are bypassing their assign GUP and the default management server and going straight to a external LiveUpdate server, while other SEP clients in the same physical location and same SEP groups are receiving their content from GUP. Pretty much looking for the logic behind the selection of the content source that a SEP client is making and not troubleshooting steps.

Do you have the option "Enable LiveUpdate Scheduling" checked on the Schedule tab?

If this is checked, they will go out to LU based on the schedule, regardless if they're set to use a GUP or SEPM for updates. Otherwise if it is unchecked, they don't.

when the client heart beat is active, it checks with the SEPM for the content. If policy/content available it makes request and downloads it. however when Liveupdate on client is active, the client will check with Symantec Liveupdate as you have enabled that option as well. In this time it does not check SEPM.

I see on your screenshot all 3 content download sources are active - SEPM, internet, GUP - this will bring confusion to client:S According to heartbeat they will try to connect to GUP/SEPM (if pull mode is set), then according to internet liveupdate schedule the will ask internet servers for updates.

Just as a bit of background:

Updating via LiveUpdate and updating via the GUP/SEPM are two separate operations that have their own schdeules.

Updating via LiveUpdate works in accordance with the LiveUpdate Schedule you have configured in your LU Policy.

Updating via GUP&SEPM works in accordance with the Heartbeat Interval assigned to the group to which the client belongs.

In SEP11, both operations will attempt to update whenever their respective schedules hit.  It's all a matter of luck as to which operation hits it's next scheduled run after new definitions have been released.  The first to do so will be the method the client uses to update.  As both operation types (can) work on intervals, some clients will grab the latest definitions via LiveUpdate, while others will see defs via the Heartbeat and download them via the GUP/SEPM.

Just be aware, in SEP12.1 a new setting was added to the LiveUpdate Policy -> LiveUpdate Schedule area called the LiveUpdate Skipping option.  This allows you to configure thresholds for when clients will attempt to use LiveUpdate (the default thresholds are "more than 2 days out of date" and "out of contect with SEPM for 8 or more hours").  This setting means you can enable all the LiveUpdate options, but that client will not perform a LiveUpdate unless it has been unable to contact a SEPM for 8+ hours and it is more than 2 days out of date (both conditions must be fulfilled)

Hi,

Plscheck with below link.

http://www.symantec.com/business/support/index?page=content&id=TECH102541

http://www.symantec.com/business/support/index?page=content&id=TECH104539

https://www-secure.symantec.com/connect/forums/gup-sep12

https://www-secure.symantec.com/connect/forums/single-gup-s-vs-group-update-provider-list

http://www.symantec.com/business/support/index?page=content&id=HOWTO55172&profileURL=https%3A%2F%2Fsymaccount-profile.symantec.com%2FSSO%2Findex.jsp%3FssoID%3D1359112800847rMeXLg72Pju2nc5N8Y5m07c223UhK2AUSLe59

 

http://www.symantec.com/business/support/index?page=content&id=TECH96419

According to your screenshot if liveupdate is run it will go directly out to external symantec to get updates "Use symantec default liveupdate server" If live update is scheduled or the user is clicking on liveupdate from client it will go out bypassing the GUP and SEPM. GUPS and SEPM only update device by pushing to the client when available or via heartbeat. If a request is made by the client to pull it will work it's way down the liveupdate list in your case default symantec liveupdate server. Also if you have the GUP set if client can't communicate with the GUP after a certain time it will go to alternative sources to get it's update as listed in your policy.

Hi Rigo, To make it short and simple for your SEP clients.

- 1) Uncheck the box "Use a Live Update server".

- 2) Inside your GUP policy when clickin the "Group Update Provider" button. - Put Bypass to "Never" if you won't allow your clients to bypass their GUP. - If you wish to set a bandwidth restriction for the download, do not put a lower value than 384kbytes/sec, otherwise your GUP may encounter sort of issues and difficulties to retrieve a Full.zip package for the clients which may needed when their definitions are outdated for a while (ie: user machine turned off for more than 2 weeks,etc ...).

- 3) Ensure your GUP has enough disk space available and your other SEP clients indeed as if there is not enough disk space on the drive partition where SEP is installed, it can provoke some unexpected behavior (ie: client retrieving all the time the same contents, unable to update cause or decompression error, corrupted definitions gettings created and vice versa, etc ...).

 

Kind Regards,

A. Wesker

Thank you guys. Everyones comment was right on. SMLatCST or  anyone else, can you point me to the tech article were your logic is explain. I have confirm this by some network testing, I just want to have a tech article to back it up.

This article for 12.1 states that with both options enabled, clients will attempt to use both sources for updates:

http://www.symantec.com/docs/TECH178257

The above article also explains the "LiveUpdate Skipping" options I mentioned earlier.  These are not included in the below article (which was written for v11):

http://www.symantec.com/docs/TECH140817