Endpoint Protection Small Business Edition


LiveUpdate on remote PC

  • 1.  LiveUpdate on remote PC

    Posted Nov 08, 2010 05:28 AM

    I have Symantec Endpoint Protection Small Business Edition ver. 12.0.1001.95 installed on W7 32 bit and 64 bit.

    The management console is on a W2008 R2 server, same version.

    Some PCs connect to our network over a VPN connection; for these PCs I have defined a group "Remote PCs" with a new LiveUpdate policy with a check on "Allow LiveUpdate to run on client computer". After creating the group I moved the remote PCs to the new group.

    With these settings the remote machines download many MB of data every day from the management console server.

    The connection is on service httpd.exe port 8014.

    In the log C:\Program Files (x86)\Symantec\Symantec Protection Center\data\inbox\log\ersecreg.log all PCs have the info PreferredGroup="My%20Company%5cLaptops%20and%20Desktops".

     

    Is there any issue to move a PC from a group?

    How can I reduce the amount of data transferred to the remote PC?

     

    Best regards



  • 2.  RE: LiveUpdate on remote PC

    Posted Nov 08, 2010 07:31 AM

    You can move clients between groups; no problem with that.

    For your remote PCs, make them get updates from LiveUpdate directly using the Internet.

    This will reduce the traffic.

     

    Client computers automatically download virus definitions and other product updates from Symantec Protection Center. You can allow users who travel with portable computers to get updates directly from LiveUpdate by using the Internet.

     

    Unchecking the "Allow Liveupdate to run on client computers" will force them to go only to the manager for updates.



  • 3.  RE: LiveUpdate on remote PC

    Posted Nov 08, 2010 08:42 AM

    Already set for the group "LiveUpdate policy Remote PC". For the group "LiveUpdate policy LAN" the flag is not set.

    My structure is:

    My company -> LiveUpdate policy LAN

    |-> Laptops and Desktops ->  LiveUpdate policy LAN 

    |-> Servers ->  LiveUpdate policy LAN  

    |-> Remote PC  ->  LiveUpdate policy Remote PC

     

    I can't change the setting for the home group (my company).

    In the log file mentioned above all PCs have the PreferredGroup=My Company\Laptops and Desktops, is this normal?

     

     



  • 4.  RE: LiveUpdate on remote PC

    Posted Nov 08, 2010 09:38 AM

    Preferred groups is only needed at the time of install

    key this registry key on the remote pc.

    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate

     

    the key on right UseLiveUpdateServer should be 1 for remote PCs



  • 5.  RE: LiveUpdate on remote PC

    Posted Nov 10, 2010 04:30 AM

    The key UseLiveUpdateServer is set to 1.

    The key EnableProductUpdates is set to 0. Does this mean the client downloads product updates from our server?



  • 6.  RE: LiveUpdate on remote PC

    Posted Nov 10, 2010 05:35 AM

    Yes, create a new group, make a new LiveUpdate policy to use the Internet;

    move the clients to those groups and test it.



  • 7.  RE: LiveUpdate on remote PC

    Posted Nov 11, 2010 05:47 AM

    How can I see if LiveUpdate downloads directly from the Internet?

    I have set the remote PC to download from the Internet but I see a lot of data transferred from the management console to the PC.

    Is there a log file to trace communication between the management console (i.e. httpd) and the client?



  • 8.  RE: LiveUpdate on remote PC

    Posted Nov 11, 2010 06:36 AM

    Yes, you need to enable the Sylink toggle.

    The client might be taking policy updates from SEPM, not necessarily virus defs.

    You can enable the logging as per this document:

     

    How to enable Sylink Debugging for Symantec Endpoint Protection in the registry



  • 9.  RE: LiveUpdate on remote PC

    Posted Nov 29, 2010 02:06 AM

    Hi,

    the Sylink log reports the right policy

    <SSAProfile Version="5.0.0" SerialNumber="CF80-11%2f08%2f2010%2014%3a42%3a48%20162"/>

     this policy has liveupdate allowed every 4 hours.

     

    The log shows this download:

     

    11/29 07:23:30 [2680] ************CSN=26667
    11/29 07:23:30 [2680] <mfn_MakeGetPushUrl:>Request is: action=128&hostid=52ADC24FC0A801D60024C22B17BB4EAE&chk=FFB734C65A3EE1F60D3BC7AF409515EE&ck=38E4C16D0DE91A500086F180E26C2D0F&uchk=B892C435E1E1EAA583A73F5A535A4180&uck=B02B68A147EB2B8B1A35339021D0EBB4&groupid=4688CB39C0A801D6002A648C832B5773&mode=0&as=26667
    11/29 07:23:30 [2680] <MaintainPushConnection:>http://SRVRI214:8014/secars/secars.dll?h=343D64A2E635801E4F0E2DCDAD85C98A58E0BDC11DC43BA4FBDA6E6E11AD0B5FC40A8466246C693EB42C18EEE7068C2BD3566D72034EE2B3CF579E4B490DEFF1DC3CD249847F372B259676F43B7EBC7B103A1D81709416FD0A3FCEEC86A6C7302E1FB2578AC94E36AA870A281DD6139A48B2BC0C5133D0A2E5B784B85A22A68C1DC470837E23D962086F0FCA1D1AA9B0418871171F9494CEAF26486BAC06E48F219FF538094D2D7B4818C885A35989830E0514C08D9A181B456DD9F3A5D5E0889D75D5D320C33146B08B15B989E176032FDAE149729C26E4008F0FAAF4ED71DDC40A7BCA16F5D547D3CE93BF2BA02485B11BBCA98A520424B080D86D044D4D1ABF855237F2F8D7D5AF9E7D627814A59C
    11/29 07:24:17 [2684] SyLinkCreateConfig => Created instance: 0000000003F8D8B0
    11/29 07:24:17 [2684] Importing ConfigObject: 0000000004055110 into: 0000000003F8D8B0
    11/29 07:24:17 [2684] <LUThreadProc> Got ConfigObject to proceed the operation.. pSylinkConfig: 0000000003F8D8B0
    11/29 07:24:17 [2684] <CRandomDelay::CRandomDelay()>
    11/29 07:24:17 [2684] Random delay window: 0hour 5min 0sec
    11/29 07:24:17 [2684] Computed random delay:0hour 1min 1sec 0millisec
    11/29 07:24:17 [2684] </CRandomDelay::CRandomDelay()>
    11/29 07:24:17 [2684] <LUThreadProc>Waiting for: 61000 milliseconds to start downloading LU contents
    11/29 07:24:19 [2676] <CSyLink::mfn_DownloadNow()>
    11/29 07:24:19 [2676] </CSyLink::mfn_DownloadNow()>
    11/29 07:25:17 [2684] <LUThreadProc>Starting LU download.
    11/29 07:25:17 [2684] <LUThreadProc>Got a valid context from GetCurrentServerEx
    11/29 07:25:17 [2684] <LUThreadProc>Setting the session timeout on LUSession to 2 min.
    11/29 07:25:17 [2684] <mfn_MakeGetLUFileIISUrl:>Requested Content Path is: /content/{1CD85198-26C6-4bac-8C72-5D34B025DE35}/101128002/Full.zip
    11/29 07:25:17 [2684] <GetLUFileRequest:>IIS URL: /content/{1CD85198-26C6-4bac-8C72-5D34B025DE35}/101128002/Full.zip
    11/29 07:25:17 [2684] <GetLUFileRequest:>http://SRVRI214:8014/content/{1CD85198-26C6-4bac-8C72-5D34B025DE35}/101128002/Full.zip
    11/29 07:25:17 [2684] <GetLUFileRequest:>NEW download: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF561D.tmp
    11/29 07:25:17 [2684] <UpdateLUFileList:>Updating existing Download File List with : {1CD85198-26C6-4bac-8C72-5D34B025DE35}101128002
    11/29 07:25:17 [2684] <UpdateLUFileList:>Updating existing Download File List Temp file name from:  to C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF561D.tmp
    11/29 07:25:17 [2684] 7:25:17=>Sending HTTP REQUEST to download LU file
    11/29 07:25:19 [2676] <CSyLink::mfn_DownloadNow()>
    11/29 07:25:19 [2676] </CSyLink::mfn_DownloadNow()>
    11/29 07:25:19 [2684] 7:25:19=>HTTP REQUEST sent
    11/29 07:25:19 [2684] <GetLUFileRequest:>IIS return=200
    11/29 07:25:19 [2684] <mfn_DoGetLUFile200>Downloading LU file from server. Moniker: {1CD85198-26C6-4bac-8C72-5D34B025DE35}Server File Path:/content/{1CD85198-26C6-4bac-8C72-5D34B025DE35}/101128002/Full.zipLocal Path:C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF561D.tmp
    11/29 07:26:19 [2676] <CSyLink::mfn_DownloadNow()>
    11/29 07:26:19 [2676] </CSyLink::mfn_DownloadNow()>
    11/29 07:27:19 [2676] <CSyLink::mfn_DownloadNow()>
    11/29 07:27:19 [2676] </CSyLink::mfn_DownloadNow()>
     

    And the client downloads approx. 100 MB of data from the internal server.

    What's wrong?
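
One way to check from the Sylink debug log whether a client is still pulling content from the management server, as in the log quoted above. This is an added example, not part of the thread and not Symantec tooling; it parses the `GetLUFileRequest` lines and lists each content request with server, port, moniker, sequence and HTTP status. The function name and record fields are hypothetical, and the log format is assumed to match the excerpt in the post.

```python
import re
from urllib.parse import urlsplit

# Excerpt of the Sylink debug log quoted in the post above (sample input).
SAMPLE_LOG = r"""
11/29 07:25:17 [2684] <LUThreadProc>Starting LU download.
11/29 07:25:17 [2684] <GetLUFileRequest:>IIS URL: /content/{1CD85198-26C6-4bac-8C72-5D34B025DE35}/101128002/Full.zip
11/29 07:25:17 [2684] <GetLUFileRequest:>http://SRVRI214:8014/content/{1CD85198-26C6-4bac-8C72-5D34B025DE35}/101128002/Full.zip
11/29 07:25:17 [2684] <GetLUFileRequest:>NEW download: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF561D.tmp
11/29 07:25:19 [2684] <GetLUFileRequest:>IIS return=200
11/29 07:26:19 [2676] <CSyLink::mfn_DownloadNow()>
"""

LINE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) \[(\d+)\] (.*)$")
URL = re.compile(r"<GetLUFileRequest:>(https?://\S+)$")
STATUS = re.compile(r"<GetLUFileRequest:>IIS return=(\d{3})$")
CONTENT = re.compile(r"^/content/(\{[0-9A-Fa-f-]{36}\})/(\d+)/([^/]+)$")


def management_server_downloads(log_text):
    """Return one dict per content request the client sent to the management server."""
    downloads, pending = [], {}  # pending: thread id -> request awaiting its status line
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, tid, msg = m.groups()
        url = URL.search(msg)
        if url:
            parts = urlsplit(url.group(1))  # note: .hostname is returned lowercased
            c = CONTENT.match(parts.path)
            if c:
                rec = {"time": stamp, "server": parts.hostname, "port": parts.port,
                       "moniker": c.group(1), "sequence": c.group(2),
                       "file": c.group(3), "status": None}
                downloads.append(rec)
                pending[tid] = rec
            continue
        status = STATUS.search(msg)
        if status and tid in pending:
            pending.pop(tid)["status"] = int(status.group(1))
    return downloads


if __name__ == "__main__":
    for d in management_server_downloads(SAMPLE_LOG):
        print("{time} {server}:{port} {moniker} seq={sequence} {file} -> HTTP {status}".format(**d))
```

An empty result over a full update cycle means no content request went to the management server in that window.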



  • 10.  RE: LiveUpdate on remote PC

    Posted Dec 22, 2010 02:37 AM

    I have changed the reg key

    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate\UseManagementServer = 0

    and the client downloads only from the Internet.

    Is there any issue setting this key to 0?



  • 11.  RE: LiveUpdate on remote PC

    Posted Dec 22, 2010 04:34 AM

    That should not cause any issue. Hereafter it should take it from the Internet.