Endpoint Protection

  • 1.  Need to reconfigure definition updates for SEPM sites.

    Posted Mar 24, 2014 05:53 AM

    Hello,

    I have a situation where SEPM was deployed to two small sites, neither having knowledge of the other. This was originally done to minimise network overhead caused by definition updates and communications between the clients and the management servers. What wasn't realised at the time was that people from one site frequently work at the other, and when they do, their laptops "phone home" for updates, causing major network slow-downs, affecting their ability to connect to the Citrix servers at head office.

    SEPM services are currently disabled until a solution can be found.

    As far as I can see, there are three possible solutions:

    1. Re-direct all SEP clients to the head office SEPM server and configure GUPs at each site. Pro: ease of administration. Cons: having to re-direct all those SEP clients. SEPM traffic between sites and head office.
    2. Remove the SEPM server from one of the sites, and re-direct its clients to the SEPM server at the other, configuring a local GUP. Pro: No SEP traffic between sites and head office. Con: having to re-direct several clients.
    3. Configure a GUP at each site to serve laptops from the other site. Pro: Quickest solution to set up. Con: Not the most efficient setup.

    I'm inclining towards option 3, seeing as the infrastructure is already installed and it's the quickest solution to configure, but any input would be appreciated. The critical thing is that, having made the policy change to use the correct GUP for each location, I need clients to start using them straight away, and not start taking updates from the SEPM unless the new policy has already kicked in, and they're on the same subnet as the SEPM. What I'm trying to avoid is re-enabling the SEPM services and immediately triggering another network slow-down.

    Questions:

    • Is it possible to temporarily disable definition updates in order to make sure that the policy has been received first?
    • Is it possible to restrict the hours during which the SEPM can pull down updates from the Internet, and during which the GUP can pull down definitions from the SEPM (i.e. not during office hours)?


  • 2.  RE: Need to reconfigure definition updates for SEPM sites.

    Posted Mar 24, 2014 06:01 AM

    The GUP option seems to be the best one. For laptop users you can configure another policy to take the defs directly from the Internet, as they will be roaming all the time.

    As of now, increase the heartbeat PULL mode.

    Minimizing network traffic from client-to-server communications in Symantec Endpoint Protection Manager 12.1

    http://www.symantec.com/business/support/index?page=content&id=TECH164737

    Managing remote clients

    http://www.symantec.com/business/support/index?page=content&id=HOWTO81004#v46955274



  • 3.  RE: Need to reconfigure definition updates for SEPM sites.

    Posted Mar 24, 2014 06:12 AM

    Thanks,

    I assume you mean option 3.

    I've already configured locations (defined by IP subnet) for all sites, and an out of office location which applies if the laptop isn't on any of the site subnets.

    How do I make sure that the new policy takes effect before the clients download any updates? And how do I make sure the GUPs and SEPM don't receive their updates during office hours?


  • 4.  RE: Need to reconfigure definition updates for SEPM sites.

    Posted Mar 24, 2014 06:14 AM


  • 5.  RE: Need to reconfigure definition updates for SEPM sites.

    Posted Mar 24, 2014 06:20 AM

    Sooo, just to clarify, the GUP (whichever one) and the client attempting to use it must be talking to the same SEPM.  That means only options 1 and 2 (those that include redirecting clients to all talk to the same SEPM) will work.

    It's also worth noting that even with GUPs, there are still communications between clients and the SEPM for policy updates, log uploads, and the like.  GUPs only proxy the definitions (which, to be fair, are usually the heaviest on the network load anyway).

    Now, onto your questions:

    1. Yup, it's possible to block updates entirely.  Your options include either just stopping the SEPM from updating (so it has nothing new to distribute), or amending the LiveUpdate policy assigned to your clients to uncheck everything (so that they have no update mechanism).
    2. You can always choose the schedule behind the SEPM updates.  More info in the below link:
      http://www.symantec.com/docs/HOWTO80823
      BUT, you cannot schedule the distribution of updates to the clients via the GUPs.  These will happen whenever a client is switched on, checks in, and is made aware of new content.
      However, you can throttle the bandwidth used by the GUPs, so perhaps this is sufficient (general bandwidth optimisations article below):
      http://www.symantec.com/docs/TECH94122

    The only way to truly schedule the update attempts on the clients is to get them to use LiveUpdate (and point them either at Symantec or at an internal LiveUpdate Administrator Server).



  • 6.  RE: Need to reconfigure definition updates for SEPM sites.

    Posted Mar 24, 2014 06:27 AM

    As of now you cannot schedule updates between SEPM and clients. It all happens based on push/pull mode,

    sometimes it does not even look at those settings; if there are updates available, it would just push them.

    To conserve bw there are a few things we can look at:

    1) If you have assigned any autoupgrade packages, remove those.

    2) SEPM should store more content revisions so that only deltas are pushed to clients (number of content revisions to keep).

    3) Clients take policy after they talk to SEPM. You can export and import policy, but that's a manual process.

    http://www.symantec.com/business/support/index?page=content&id=TECH190053