Endpoint Protection


Migration from 10.1.5 to SEP 11 MR4

  • 1.  Migration from 10.1.5 to SEP 11 MR4

    Posted May 26, 2009 06:29 AM
    Hello everyone,

    After I read all the documents and some of the discussions here, I still don't have the master plan ;)

    We currently have 8 sites (and server groups). 7 sites have one parent server and one secondary server.
    1 site (HQ) has 1 parent server and 7 secondary servers. We have about 400 clients.

    The clients are associated to the parent servers and get their virus updates from them.

    I want to keep it like that. So what are my possibilities?

    I think possibility 1 is that I install the SEPM on every parent server (HQ site on 2 servers for high availability) and the secondary servers are just clients in the server group? The clients need to be attached to the SEPM server that was their server before (and get their updates from the server to avoid traffic). I think multiple sites distributed is OK for us.

    Possibility 2 is that I have 2 SEPM servers at the HQ site and LiveUpdate servers at every site except the HQ to provide the clients with updates like before. GUP is too small for us.

    Can I associate the SAV 10.1.5000 clients to the internal LiveUpdate servers so that I can perform this step before I start migration? Because when I first migrate all servers to SEP, where will the old clients get their updates? Do I have to set their update behavior to get updates from the LiveUpdate servers from Symantec first?

    I don't yet see the advantages except for reporting issues. The migration seems to be much more difficult than before.

    For client deployment I want to use a combination of Active Directory and the Push Service.

    First the software deployment through AD and then the push service to reach the people who are never at the office (we have many mobile workers).

    Thanks for your answers
    Stephan




  • 2.  RE: Migration from 10.1.5 to SEP 11 MR4
    Best Answer

    Posted May 26, 2009 08:47 AM
    I suggest your Possibility 1 with minor corrections.

    1. There is no primary and secondary server concept in SEP; all the branch office servers will work as replica partners. So it may require a huge bandwidth to replicate.
       It is better to have a group update provider in every branch office (we can assign one computer as the group update provider for the particular group).
       Otherwise install SEPM as primary servers at all the locations and you can manage the servers using the web console (http://SERVER_IP_ADDRESS:9090), and you have to install and configure a LiveUpdate Administrator at your HQ to provide the updates for all the branch office servers.


    Required ports to open

    9090            for Web console
    82              for SEP client management and reporting
    8080 or 7070    for Live Update Administrator


  • 3.  RE: Migration from 10.1.5 to SEP 11 MR4

    Posted May 27, 2009 03:25 AM
    Thanks for your fast answer.

    I think I will go with your second suggestion.

    Is it possible to have two solutions installed while migrating?

    So that I first update all the clients and assign them to the SEPM servers and then migrate the servers? Because it should be no problem to have a coexistence of the antivirus server 10.1.5000 and the SEPM management console, or am I wrong about this?

    I think I want to use the location feature to assign the clients to the right SEPM server. So there is a location for every physical location.
    So that I have one big group for all the clients and assign them via the IP address to the server next to them.

    Can it work like this?

    Edit: I have a test environment with 1 server and 3 clients.
    1 client has SSC installed.
    I tried to import the settings but I get the error "Can't connect ....". I've seen that many people have this problem. Is there a final solution now? I couldn't find one.


    Thanks
    Stephan


  • 4.  RE: Migration from 10.1.5 to SEP 11 MR4

    Posted May 27, 2009 04:24 AM
    When you install SEP it will automatically remove SAV.

    What do you mean by import?


  • 5.  RE: Migration from 10.1.5 to SEP 11 MR4

    Posted May 27, 2009 08:20 AM
    It depends upon the capacity of your network.

    My suggestion is to keep the existing server (SAV CE 10.x) as it is and install the SEPM on separate hardware first and start migrating the clients. Whenever the migration completes, you can remove the older version of SAV.

    This will be an easy process of migration.

    Regards

    Arul Prakash.A


  • 6.  RE: Migration from 10.1.5 to SEP 11 MR4

    Posted May 27, 2009 09:25 AM
    @paul

    Not installing the client, just the management console. Then the SAV server remains.

    @arul

    I think I will go this way. Seems to be the best solution.

    I will install 2 SEPM at the HQ. One W2K8 x64 server and one W2K3 server.
    Set locations for every branch office (except HQ) to update from a GUP which will be installed on a server at the branch office.
    But there is one question. How do I install a GUP? I couldn't find anything about it. Only how to configure it in the policies. Can I install a GUP without installing SEP on the server? At the branch offices we have about 20-50 clients.
    Or is a LiveUpdate server a better solution? Looks like this is oversized.

    And another issue:
    I installed the client fresh via group policy. And it installed the firewall, which I deselected while building the deployment package.
    Another client which had SAV 10.1.5000 installed also got the same package via GPO and runs WITHOUT the firewall.

    Did anyone experience this problem?

    Thanks for your answers
    Stephan


  • 7.  RE: Migration from 10.1.5 to SEP 11 MR4

    Posted May 27, 2009 09:56 AM
    The existing clients won't associate with the new SEPM server until the new client software is installed on the clients. Once that occurs, they will associate with the new SEPM server.


  • 8.  RE: Migration from 10.1.5 to SEP 11 MR4

    Posted May 28, 2009 07:28 AM
    To configure GUP:

    Log in to SEPM

    Policies -> LiveUpdate -> Add

    New LiveUpdate policy

    In this new pop-up window you can enable the option "Use Group Update Provider as the default LiveUpdate server".

    Specify the IP address of the PC which you are planning to assign.




  • 9.  RE: Migration from 10.1.5 to SEP 11 MR4

    Posted May 28, 2009 07:54 AM

    Create groups for the different locations, create a client installation package, install it on one client and configure that client as the GUP.

    Later start migrating the SAV in that location and install it with the package created for that group.
    By default the client will then take the updates from the GUP server and the policy from the SEPM, which will reduce your bandwidth consumption.


  • 10.  RE: Migration from 10.1.5 to SEP 11 MR4

    Posted May 28, 2009 11:14 AM
    Thanks for your answers.

    I made one mistake:
    The client which had the GUP role did not have the same LiveUpdate policy assigned as the clients.

    The GUP server has to be in the same location (or must have the same policy) as the clients which ask the GUP for updates. After I set the IP address right, the GUP opened the port and acted as GUP.

    But this isn't mentioned in the manual. And it's also not the best solution, because my GUP is also a mail or file server and maybe needs other policies than a laptop or a PC. Now it gets the same policy.

    Is there a workaround for this? That the GUP delivers updates although it isn't in the same location?







  • 11.  RE: Migration from 10.1.5 to SEP 11 MR4

    Posted May 29, 2009 02:34 AM
    So is it possible to have the same branch server working as a GUP and having SEPM installed on it? So each branch office can be managed separately and take updates from the HQ server. And in this scenario do I still need LiveUpdate at HQ?


  • 12.  RE: Migration from 10.1.5 to SEP 11 MR4

    Posted May 29, 2009 05:48 AM
    The clients get their updates from their standard SEPM (if there is an SEPM at each branch office) and don't need a GUP installed. The problem is that a roaming user (a colleague from HQ who logs in with his notebook at the branch office) gets the updates from the HQ SEPM server. So there is unnecessary traffic.

    If you want to resolve that:
    I think there should be no problem configuring a SEPM with SEP installed as a GUP. The server will get the updates from the same server, but this should be only a disk space issue.

    When you have a SEPM installed it already gets LiveUpdates, either from the internet or from an internal LiveUpdate server. So it depends on your site connections how you want to handle that. So yes, you will need a LiveUpdate server at your HQ.

    Read page 108:
    ftp://ftp.symantec.com/public/english_us_canada/products/symantec_endpoint_protection/11.0/manuals/administration_guide.pdf

    There are some possible site designs.



  • 13.  RE: Migration from 10.1.5 to SEP 11 MR4

    Posted May 29, 2009 10:51 AM
    I think I'm going live next week ;)

    Last question:

    I want to use a server as HQ main server:

    Intel Xeon Quadcore 3,17 GHz
    16 GB RAM
    W2K8 x64

    But it also has the roles:
    DC
    DNS
    Fileserver
    Arcserve Backup

    Is it too much to add SEPM to this server?
    I can also use a separate SQL server instead of the local one.


  • 14.  RE: Migration from 10.1.5 to SEP 11 MR4

    Posted May 30, 2009 07:16 PM
    Do you have any application running on IIS? If yes, then which mode is it in? Is it in 64-bit mode or 32-bit mode? If your application is using IIS in 32-bit mode, do not install SEP, as it will run if IIS is in 64-bit mode.
    As Microsoft allows IIS to run in only 1 mode.

    Other than that I do not see any issues with running it on a DC, fileserver, DNS and Arcserve server.

    You can install the SEPM database on any SQL server, local or remote; it's not an issue at all.


  • 15.  RE: Migration from 10.1.5 to SEP 11 MR4

    Posted Jun 04, 2009 11:51 AM
    OK, I started deploying clients via AD & RemoteInstall.

    But I encountered one problem. If notebooks that were installed via RemoteInstall get the policy to install SEP, they install it again instead of skipping it!

    So the same MSI package is used for RemoteInstall and AD. Normally msiexec would recognize that it is already installed, or am I wrong about this? Please advise.




  • 16.  RE: Migration from 10.1.5 to SEP 11 MR4

    Posted Jun 04, 2009 12:56 PM
    In GPO deployment, once you have published a deployment, each time the user logs on it will re-run the installation. So once all your clients have been installed you need to remove the published deployment package, but maybe there would be a workaround that I am not aware of.


  • 17.  RE: Migration from 10.1.5 to SEP 11 MR4

    Posted Jun 05, 2009 05:13 AM
    But I have some notebooks which are starting all the time, and it isn't redeployed when the first install occurred via GPO.

    So there must be a mechanism where the GPO recognizes that it has been installed before.

    I thought there may be an entry in eventvwr but there isn't.



  • 18.  RE: Migration from 10.1.5 to SEP 11 MR4

    Posted Jun 05, 2009 05:47 PM
    I guess via GPO, please create a script to check whether Symantec services are running already; if yes, then skip installation.


  • 19.  RE: Migration from 10.1.5 to SEP 11 MR4

    Posted Jun 06, 2009 04:13 AM
    OK, I'll try to.
    Maybe I can perform this task with a WMI filter. Because I'm not sure if I can run a script before logon.
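
The check suggested in posts 18 and 19, sketched as a GPO computer startup script (startup scripts run as SYSTEM before any user logs on). This is an added example, not code from any poster or from Symantec; the service name `SmcService`, the display-name pattern and the MSI path are assumptions to replace with the values from your own environment.

```powershell
# Added example: guard for a GPO computer startup script so that an existing
# SEP client is not reinstalled on every boot.
param(
    # Assumption: service name of the SEP client; confirm with Get-Service on a managed machine.
    [string]$ServiceName    = 'SmcService',
    # Assumption: display name the client MSI registers under Uninstall.
    [string]$ProductPattern = 'Symantec Endpoint Protection*',
    # Placeholder path to the exported client package.
    [string]$MsiPath        = '\\fileserver.example\deploy\SEP\client.msi'
)

function Get-InstalledProduct {
    param([string]$Pattern)
    # Read the Uninstall keys (native and 32-bit view) instead of querying
    # Win32_Product, which runs an MSI consistency check on every installed package.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $Pattern } |
        Select-Object -First 1 -Property DisplayName, DisplayVersion
}

$service = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
$product = Get-InstalledProduct -Pattern $ProductPattern

if ($product) {
    if (-not $service -or $service.Status -ne 'Running') {
        # Installed but not protecting: surface it rather than reinstalling blindly.
        Write-Warning "$($product.DisplayName) is installed but $ServiceName is not running."
    }
    Write-Output "Found $($product.DisplayName) $($product.DisplayVersion); skipping install."
    exit 0
}

# Not installed: run the package silently and keep a verbose log for troubleshooting.
$log     = Join-Path $env:windir 'Temp\sep_client_install.log'
$msiArgs = '/i', "`"$MsiPath`"", '/qn', '/norestart', '/l*v', "`"$log`""
$proc    = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# msiexec: 0 = success, 3010 = success with reboot pending.
if (0, 3010 -notcontains $proc.ExitCode) {
    Write-Error "SEP client install failed with exit code $($proc.ExitCode); see $log"
}
exit $proc.ExitCode
```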



  • 20.  RE: Migration from 10.1.5 to SEP 11 MR4

    Posted Oct 01, 2009 08:58 AM
    I don't think 'GUP IS TOO SMALL FOR US' is a valid comment - we have 10,000 clients and are planning to use GUPs at every site - to administer and support 250 sites and 250 LU servers would be ridiculous!


  • 21.  RE: Migration from 10.1.5 to SEP 11 MR4

    Posted Oct 01, 2009 09:13 AM
    OK, after this thread came up with an answer I think doesn't belong here, I just want to say THANKS :)

    I managed the deployment of 95% of our clients with the help of AD GPO install (with WMI script) and enteo NetInstall.

    As soon as it reaches 98% I will update the last AV 10 servers (which keep the old clients up to date).

    You've all been a great help.

    Greets
    Stephan