Endpoint Protection

  • 1.  Recommended Design Scenario

    Posted Apr 19, 2016 11:02 AM

    Hi all,

    In our environment we currently have 7 different locations. We want our SEPM to be located at our datacenter (central to everything) although we the administrators are located at the Main Office.

    • Main office: ~300 users, 50 servers, connecting to a datacenter over a 1 Gbps link 50 miles away; the datacenter is the hub for all of our other networks.
    • Datacenter: 70-80 servers no users. Connects to main office over 1 Gbps link and to remote location in another country over a VPN using an MPLS 30 Mb link.
    • Remote office in different country 1200 users 30 servers over a VPN using an MPLS 30 Mb link
    • A couple small remote locations over MPLS links  < 40 people.

    My main questions are

    1. Would having a central SEPM server be best in this scenario, or would having a SEPM at each of our 3 largest locations (Main, Datacenter, Remote facility in different country) be best? It would be ideal if we could just have one SEPM server, but manage all these servers and clients, but I'm not sure if our bandwidth could handle it.
    2. Could a 30 MB link handle 1200 clients from our remote location to the central SEPM server with definitions and all if we just use one SEPM server?
    3. Can SEPM be set up so that delegation can be set so certain administrators in remote locations can manage their stuff, but CANNOT be super users? Can SEPM be set up so that administrators are only limited to their respective systems?
    4. Would GUPs be better for us in this situation, or utilizing a LiveUpdate server or SEPM server for definitions management, etc.?
    5. How much network resources are used by SEP/SEPM, as I cannot find any documentation talking about this? I do find documentation recommending the number of SEPMs based on your number of clients, where according to their documentation--irrespective of our network links--we should only have one SEPM. How should heartbeat intervals be configured in this scenario?
    6. When is it best to use GUPs over SEPM servers?

    Included is a general example of our network layout.

    [Attached image: Symantec Design.jpg]

    Any information would be great, thanks everyone!



  • 2.  RE: Recommended Design Scenario

    Posted Apr 19, 2016 11:06 AM

    Due to the lower number of clients, you should be fine with one SEPM but I would highly recommend using GUPs at the remote locations so they don't need to come back over the VPN/WAN links for content updates.

    Yes, you can set up limited admins and only give them rights to "action" specific groups for their locations only.

    How to set access rights on all groups for a limited administrator in SEPM

    SEPM has some bandwidth control capability as well:

    Symantec Endpoint Protection Bandwidth Control for Client Communication

    Can the SEPM 12.1.x application manage bandwidth

    I've always used GUPs to provide content to clients. The SEPM can usually handle it, but where you have slower links it's highly recommended.



  • 3.  RE: Recommended Design Scenario

    Posted Apr 19, 2016 11:46 AM

    My main questions are

    Would having a central SEPM server be best in this scenario, or would having a SEPM at each of our 3 largest locations (Main, Datacenter, Remote facility in different country) be best? It would be ideal if we could just have one SEPM server, but manage all these servers and clients, but I'm not sure if our bandwidth could handle it.

        Since you have less than 2000 clients, having only one SEPM should comfortably do the job for you. But if you wish to have a failover server, I would recommend putting in another server with your preferred DB (both SQL/Embedded).

    Could a 30 MB link handle 1200 clients from our remote location to the central SEPM server with definitions and all if we just use one SEPM server?

        Yes, this should be capable, but I would suggest you use GUPs at remote sites.

    Can SEPM be set up so that delegation can be set so certain administrators in remote locations can manage their stuff, but CANNOT be super users? Can SEPM be set up so that administrators are only limited to their respective systems?

        Yes, GUP is best suited for this purpose.

    Would GUPs be better for us in this situation, or utilizing a LiveUpdate server or SEPM server for definitions management, etc.?

        Yes, with GUPs you don't need any additional resources/installation/maintenance, since any of your existing SEP clients can serve as a GUP.

    How much network resources are used by SEP/SEPM, as I cannot find any documentation talking about this? I do find documentation recommending the number of SEPMs based on your number of clients, where according to their documentation--irrespective of our network links--we should only have one SEPM. How should heartbeat intervals be configured in this scenario?

    When is it best to use GUPs over SEPM servers?

        If you are just looking for definitions to be pushed out of a server.


  • 4.  RE: Recommended Design Scenario

    Trusted Advisor
    Posted Apr 20, 2016 03:13 AM

    See below; I've tried to answer your questions inline. If any further information is needed, let me know.

    Would having a central SEPM server be best in this scenario, or would having a SEPM at each of our 3 largest locations (Main, Datacenter, Remote facility in different country) be best? It would be ideal if we could just have one SEPM server, but manage all these servers and clients, but I'm not sure if our bandwidth could handle it. - A single SEPM would be fine for this scenario, although I would recommend a two-SEPM server setup with replication for resilience; then if one goes down you constantly have a backup till repaired. Policies and control are only small in size; the largest thing the SEPM would send is definitions, and that's where GUPs would be better on the remote sites.

    Could a 30 MB link handle 1200 clients from our remote location to the central SEPM server with definitions and all if we just use one SEPM server? - A 30MB link would be fine for updating policies on the remote sites. With the slower connections, a couple of GUPs on site with a rule to only update defs from the GUPs would prevent a bottleneck.

    Can SEPM be set up so that delegation can be set so certain administrators in remote locations can manage their stuff, but CANNOT be super users? Can SEPM be set up so that administrators are only limited to their respective systems? - You can set up administrators with different permissions so they can access only specific groups within the SEPM, so groups would have to be set up on a per-country or per-location basis and then access granted per administrator.

    Would GUPs be better for us in this situation, or utilizing a LiveUpdate server or SEPM server for definitions management, etc.? - I'd recommend GUPs for the sites with limited bandwidth and larger client bases.

    How much network resources are used by SEP/SEPM, as I cannot find any documentation talking about this? I do find documentation recommending the number of SEPMs based on your number of clients, where according to their documentation--irrespective of our network links--we should only have one SEPM. How should heartbeat intervals be configured in this scenario? - On machines that are constantly on, the bandwidth usage is not that large, as they will receive policy updates and keep up to date using smaller delta defs (a few KB). If the machines have been off the network, then they will attempt a full def download (500-650MB currently), which will take some time over a slow network (negated by GUPs and having remote sites only update from the GUPs). Also, pushing packages with defs installed over the network would use up bandwidth if you were installing SEP packages onto clients from the SEPM.

     

    When is it best to use GUPs over SEPM servers? - GUPs are best for large sites and remote sites with limited bandwidth
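    The sizing argument in the reply above, worked through as an added example that is not part of any poster's reply and is not Symantec code. It is a simplified model: the 30 Mbit/s reading of the link, the 10% share of clients needing full definitions, the 50% usable link share and the 5 KB delta size are assumptions, while the 1200 clients, the 650 MB full definition set and the two GUPs come from the thread.

```python
"""Rough WAN sizing for SEP content updates (added example, simplified model)."""

MB = 1_000_000  # decimal megabyte, in bytes
KB = 1_000      # decimal kilobyte, in bytes


def wan_bytes(clients, stale_fraction, full_mb, delta_kb, gups=0):
    """Bytes crossing the WAN link for one content update cycle.

    Stale clients need the full definition set, the rest only a delta.
    With GUPs, only the GUPs fetch from the SEPM, once per distinct item.
    """
    stale = round(clients * stale_fraction)
    fresh = clients - stale
    if gups:
        per_gup = (full_mb * MB if stale else 0) + (delta_kb * KB if fresh else 0)
        return gups * per_gup
    return stale * full_mb * MB + fresh * delta_kb * KB


def transfer_hours(n_bytes, link_mbps, usable_share=0.5):
    """Hours to move n_bytes when only usable_share of the link is free for SEP."""
    bits_per_second = link_mbps * 1_000_000 * usable_share
    return n_bytes * 8 / bits_per_second / 3600


def compare(clients=1200, link_mbps=30, stale_fraction=0.10,
            full_mb=650, delta_kb=5, gups=2):
    """Compare clients pulling directly from the SEPM with pulling via on-site GUPs."""
    direct = wan_bytes(clients, stale_fraction, full_mb, delta_kb)
    via_gup = wan_bytes(clients, stale_fraction, full_mb, delta_kb, gups)
    return {
        "direct_gb": direct / 1e9,
        "direct_hours": transfer_hours(direct, link_mbps),
        "gup_gb": via_gup / 1e9,
        "gup_hours": transfer_hours(via_gup, link_mbps),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:.2f}")
```

    Raising `stale_fraction` (for example after a long shutdown at the remote site) scales the direct figure linearly, while the GUP figure stays at one full set per GUP.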



  • 5.  RE: Recommended Design Scenario

    Posted Apr 22, 2016 04:50 PM

    Do the GUPs themselves pull from the SEPM server for updates, or do the GUPs pull straight from the internet individually?



  • 6.  RE: Recommended Design Scenario
    Best Answer

    Posted Apr 22, 2016 04:51 PM

    They pull from the SEPM.



  • 7.  RE: Recommended Design Scenario

    Posted Apr 26, 2016 06:10 AM

    When a client requests updates, the GUP will pull the definitions from the SEPM to serve the clients. When the SEP client which is promoted itself requires updates, it will pull them from other GUPs.