Endpoint Protection

Hi Forumers,

Im just new here in my job as a Symantec consultant.

I just want to know and very need of your expertise regarding this:

Here is my scenario:

The Group within the SEPM has clients with mobile users. Moving from one place to the other. I am planning to build a GUP whenever they move on the other office. And get the updates on that GUP. and even when they are out of the office they would still get the updates on the liveupdate server. and when they move on the main office they will get the updates on the main sepm.

How am I going to set this? since I believe that there is a location awareness but they are on the same group? so meaning when they move from an office they ip subnet changed and back to its default ip subnet when comes back to the main office.

Please help me to decide what's the best configuration. Thanks.

configure multiple GUP , as and when client connects to different subnet the client wil locate the GUP in its subnet for content update.

How to allow Symantec Endpoint Protection clients in a remote location to be managed by a Symantec Endpoint Protection Manager that's behind a NAT device

http://www.symantec.com/business/support/index?page=content&id=TECH93033&locale=en_US

Check this thread

https://www-secure.symantec.com/connect/forums/manage-offline-systems

Check this Thread for undstanding GUP"s configuration may be help

https://www-secure.symantec.com/connect/forums/gups-configuration

let me check on this..

maybe i miss out some details..

SEPM>a GROUP> CLIENTS with MOBILE users> - when they are in this main office they get updates from the main server

Plan: if possible

-Create a GUP? on a separate group? - no clear policy configuration on this because do i still need to set the location awareness? and communication settings if i able to create it?

-SEPM>a GROUP> CLIENTS with MOBILE users> how to set the location awareness if GUP is on the other group? It will be automatically move the client once detected a different subnet from the main office?

in that case you need to create a location awareness , which will have different LU policy where GUP will be configured.

the location awareness might be IP based

hmm the clients are on the same group as clients on the main office....

yes locations are within the group.

HI,

More about Location Awareness in Symantec Endpoint Protection (SEP)

http://www.symantec.com/business/support/index?page=content&id=TECH97369

Best Practices for Symantec Endpoint Protection Location Awareness

http://www.symantec.com/business/support/index?page=content&id=TECH98211&locale=en_US

Hi,

ok. will try this first.. then will revert to you about the result.

Hello,

Check these Articles:

Configuring mobile computers to automatically download definitions when disconnected from the Symantec Endpoint Protection 12.1 Management console

http://www.symantec.com/docs/TECH177361

Managing locations for remote clients

http://www.symantec.com/docs/HOWTO55419

and

check these Threads:

https://www-secure.symantec.com/connect/forums/configuring-roaming-computers

https://www-secure.symantec.com/connect/forums/clients-connecting-wrong-gups

https://www-secure.symantec.com/connect/forums/location-awareness-and-ip-address2

https://www-secure.symantec.com/connect/forums/sep-location-awareness-examples

Hope that helps!!

Mithuns answer above looks to be the best so far.

Your LiveUpdate policy for when clients are off the corporate network should look like this:

and this is what your Location Awareness policies would look like:

Note the Location independant settings at the top and then per location you will have policies assigned. These examples should show you what you are looking for when reading the links in Mithuns post.

Hi,

You should think of Multiple GUP list

New features and functionality in Symantec Endpoint Protection Release Update 5 (SEP RU 5) Group Update Provider (GUP)

http://www.symantec.com/business/support/index?page=content&id=TECH96417&locale=en_US

Best Practices with Symantec Endpoint Protection (SEP) Group Update Providers (GUP)

http://www.symantec.com/business/support/index?page=content&id=TECH93813

We have a video as well to learn more about location awareness:

Configuring location awareness in SEPM console.

http://www.symantec.com/connect/videos/location-awareness

If GUP's are not availble then following article can help you to learn what next can be done.

Configuring mobile computers to automatically download definitions when disconnected from the Symantec Endpoint Protection 12.1 Management console

http://www.symantec.com/docs/TECH177361

Still can't manage to resolve my problem..

Still cannot configure the GUP and location awareness (when IP subnet changes) in the same group with main office clients while still contacting SEPM server when connected to the main office.

Hi,

GUP and Location awareness are two different concepts.

Could you please confirm what challenges you are facing while implementing GUP's?

What conditions have you configured for location awareness?

Hi Chetan,

So, does it mean that I cannot use GUP and Location awareness at the same group of clients?

What I want to achieve here is that I want to set the client A location awareness policy when outside office network and GUP when in a remote site and when in the main office is SEPM server all in the same group.

Is it possible?

What I set now is this.

Both Location Awareness and the Muliple GUP options can be applied to the same groups at the same time, but they are different technologies so it's recommended that you have a clear idea of where one ends and the other begins.

As it goes, my recommendation would be to use Location Awareness purely for determining if a client is connected to your network or not.   The Muliple GUP option (if properly configurerd) will automatically ensure a client machine connects to the closest GUP, whereever they are in your network.

@SMLatCST: Well said.

@joash theory: What you want is definitely possible.

You would want to define locations like this (with the relevant criteria):

The LiveUpdate policy for each of these locations should look like this:

Outside the office network:

Main office location:

Remote office location:

If you don't mind that the remote location PCs download updates from the SEPM once in a while, then I suggest you listen to SMLatCST and combine the remote location & head office location into one 'Domain connected' location and define that LU policy to get  updates from SEPM and GUPs simultaneously. Tell clients to retry the GUP for at least 7 days with enough definitions and you'll minimise downloads of definitions from the SEPM for the remote site.

Hope these pictures clarify things for you.

Hi Ian_C.,

Thanks for your support, the screenshots and suggestions you've presented really helps me view it and manage clearly the policies I want to implement.. it is a wonderful to have a forum like this... I already set the policies and already manage to organize the location awareness for each live updates settings. all in one group..whew!  Now I'm on monitoring progess if the bandwidth will lessen the spikes due to huge updates from the main office.

Thank you so much! 

- Joash Theory