
multiple sepm deployment

Created: 27 Aug 2014 | 14 comments

Hello,

I am currently working on a task to do a company deployment of SEP 12. Currently we have multiple sites world wide that have their own SEPM and different version of SEP 11. Each site can range from only 10 clients to 1000 clients. Would the best option be to have one SEPM that manages all clients or are there better options? Thanks in advance.


.Brian's picture

Setup a SEPM in your central location (or two for failover/LB) and use GUPs at each site to distribute content to the clients.

How many clients total do you have? How many sites have their own SEPM?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Manipillai's picture

For the sites which have fewer than 200 clients, you can set up a GUP; those clients will still report to a single SEPM, but definitions will be provided by the GUP.

For the clients >500, you can set up another SEPM; if you are using SQL, you can go for failover load balancing.

If all clients are going to report to a single SEPM, bandwidth is the concern.

>MK

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

AJ_01's picture

You can create the GUP for the remote location.

Port 2967 is required to be open for contact between the GUP and local clients.

Best Practices with Symantec Endpoint Protection Group Update Providers

Article:TECH93813  |  Created: 2009-01-05  |  Updated: 2013-09-18  |  Article URL http://www.symantec.com/docs/TECH93813

Configuring the Group Update Provider (GUP) in Symantec Endpoint Protection 11.0 RU5 and later

Article:TECH96419  |  Created: 2009-01-28  |  Updated: 2012-04-23  |  Article URL http://www.symantec.com/docs/TECH96419

As .Brian said, you can create the failover server for the backup of the SEPM feature.

Installing a management server for failover or load balancing

http://www.symantec.com/docs/HOWTO26807

 

Regards

AJ

Mudit Kumar's picture

Hi,

You can consider Single SEPM as an option as remote locations will not have more than 1000 systems. For definition update you can look for GUPs at each of your remote location so that not all computers come to SEPM which will increase your network bandwidth over WAN or the network being used.

Policy data is not that big in size that it will cause any bandwidth issues and same goes with logs as well (if you are not configuring NTP logs).

The following article is written by one of the experts and has some very good suggestions; I would suggest you go through this:

Title: Top 10 Symantec Best Practices - Deploying Symantec Endpoint Protection Architecture
URL: http://www.symantec.com/docs/TECH92051

Thanks & Regards,
Mudit Kumar
 

kazu1548's picture

Thank you for all the helpful replies.

 

How many clients total do you have? How many sites have their own SEPM? 

Right now we have about 2000 total clients with 8 remote sites of which 4 sites with independent SEPM.

 

The thought of using a GUP is very intriguing, with all the benefits of saving on bandwidth. I was wondering, does a GUP have to be in the same SEP policy to be able to push out needed definitions? Like if a server is in a certain policy that only has Antivirus and Antispyware Protection but is a GUP, will it be able to push out definition updates to clients with Antivirus and Antispyware Protection and Network Threat Protection? Or will it only be able to push updates to Antivirus and Antispyware Protection?

.Brian's picture

For that size environment 1 SEPM will get it done (although two would be nice if you have resources for failover/LB).

Yes, the GUP will hold the content for all the components and will be able to push out to clients regardless of what components they have installed (or don't).

Top 10 Symantec Best Practices - Deploying Symantec Endpoint Protection Architecture


AJ_01's picture

Yes, the GUP client will be in the same group and will get the same policy.

The GUP's only job is to share the definitions with its assigned clients, and it will provide the definitions for Antivirus and Antispyware Protection, Network Threat Protection, and PTP.

As you have mentioned, you have only 2000 clients at 8 branches, so it will be easily managed with a single SEPM. But you can also arrange failover.

You can first assign the GUP to all remote sites; then, once the sites are working successfully and smoothly, you can remove the other SEPM servers.

Regards

AJ

d-doug's picture

I can speak from experience and tell you that you do NOT want more than 2 or 3 SEPMs and you do not want less than 2.  I once set SEPMs up for every location (over 20) and all hell broke loose.  Corrupted database, blind clients, it was horrible.

Nowhere does it say the maximum number of SEPMs however the tech I worked with a few years ago said the max is about 8. 

Use GUPs, they're easy and painless.  I use SCCM and/or print servers as GUPs.

 

 

 

.Brian's picture

Last I read max number for replication was 5. I had 4 once but that got ugly as well...


Lakshmi Narasimha's picture

Hi. We have created a SEPM in my organization, and out of 1000, 400 clients are connecting to the SEPM,

but around 600 clients are showing red screens, like updates pending; they might not be connecting to the SEPM server, something like that.

Please suggest how to resolve these 600 quickly. Any tools for connecting and removing errors in the registry, something like that?

Sumit G's picture

@Lakshmi

On the client end, what error message is shown when you open SEP from the shield?

You can run SymHelp to find the reason for the issue and troubleshoot it.

Download the Symantec Help (SymHelp) diagnostic tool to detect Symantec product issues

Article:TECH170752  |  Created: 2011-09-29  |  Updated: 2014-07-14  |  Article URL http://www.symantec.com/docs/TECH170752

Regards

Sumit G.

Lakshmi Narasimha's picture

Hi Sumit. I did this but did not get a resolution.

Some of the clients showing green are also not showing in the SEPM.

 

Sumit G's picture

Are these clients image clients?

You can replace the sylink file manually on a single client; if it works, then apply the sylink restoration on all clients.

--Edit--

Restoring client-server communications with Communication Update Package Deployment

Article:HOWTO81109  |  Created: 2012-10-24  |  Updated: 2013-10-07  |  Article URL http://www.symantec.com/docs/HOWTO81109

Regards

Sumit G.

Lakshmi Narasimha's picture

I am not aware of how to create this sylink. But as per the article, I did it previously on some of the servers, but I am getting the below error on most of the servers. The logins given are the same, and I am also able to log in.

There are no easy methods, like Fix.vbs or any scripts.

 

 "For detailed information about possible solutions, see the following Symantec Technical Support Knowledge Base article: "Error: Login to [computer] failed. The client could not be installed on the remote computer." ."