Video Screencast Help

SEP-11 Policy for Laptop Users

Created: 04 Jan 2008 • Updated: 25 May 2010 | 5 comments
Can Any Body tell me how to Set the policy in sep-11 manager for Laptop Users
 
I want to set the policy for laptop users like if Laptop user is in Office Enviourment then he used to SEP-11 Management Server for Virus defination update
 
but when he is in Roaming or outside He used to connect to Symanetc server for Live update.......
 
 
Pl Help
 
 
Have a Nice day...................Thankx

Comments 5 CommentsJump to latest comment

jello's picture

Did you ever get an answer to this? 

 

This is an extremely important issue.  We've tolerated this problem with Symantec 10 for the last year and it's killing us.  With 1600 laptops coming and going from our networks, we're forced to live with the lesser of two evils:  Either configure them as managed and live with the fact that users who are off-LAN for several weeks get no updates, or configure them for live update to the Symantec distro servers and live with the fact that we get no centralized management and notifications.

 

There *must* be a better way... and I had hoped the SEP 11 would crack this nut... but my Techs tell me that the either/or situation still exists. 

 

Please tell me that my Techies just don't get it.  Or if they're right them is there at least a hack we can implement?  (managed configuration with a script that fetches and installed live-update when the user is off-LAN)?

 

~~jello~~

Message Edited by jello on 11-27-2008 03:50 PM
Mordac the Preventer's picture

[quote]

You would like to configure your mobile computers to automatically download virus definitions when they are disconnected from the network but. still update from the Management Console when connected.
[/quote]

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/ebe7903cbde2824b8825741f00776b77?OpenDocument

 

This KB is pretty straight forward.   You create two liveupdate policies.  One that gets updates from SEPM and one that gets updates from Symantec's liveupdate server.   Create location policies to define when the computer is on your network (if client can connect to SEPM is relative safe/simple for a rule like this).  Define your liveupdate policy appropriately to each location

 

It gets more complicated if you use SEP locations for other things (I use it to disable wireless when the wired adaptor is connected).   But it is possible even in that case to do both.

 

Regarding SAV10, it is possible as well.  Its a kludge but it works.  I dont have my config in front of me, but what I did was set the clients to update via VDTM every 60 minutes.   Liveupdate ran hourly.   I had an internal liveupdate server.  I pointed liveupdate config and my server as the first server and symantec's as the second (I'd have to look up the server name I'm using for symantec).  So while they are on my network it went to my liveupdate and when they weren't they went to symantec.  

zer0's picture

Jello,

 

I am about to tell you what you wanted to hear "Your techies dont get it" :)

Both SAV and SEP can be configured quiet a few different ways to get updates internally and also externally.

 

SAV will use VDTM by default and the laptops will communicate with their parent server for updates etc.

If they are also configured for liveupdate, then they will use that as well, but as their VDTM provided defs are always newer it will always just be a check with no download (or even blocked by your firewalls).

 

I usually set the laptops to continuous liveupdate every 30 minutes if defs are 5 days out of date so that gets you round the issue of unnecessary liveupdate checks.

I also set a policy that allows laptop users to click the liveupdate button themselves.

 

Alternatively you can run a SAV server in the DMZ and allow port 2967 traffic to it.

Then the laptops need to be able to resolve their parent server externally via dns. Or you can even do it via hosts file.

There are heaps of tricks you can do with DNS if you think about it.

Just make sure the clients have the right digital certs.

 

SEP is even better as the location awareness allows you to set different policies based on location and hence different update sources.

 

Z

 

 

ernieken's picture

Additionally we have the following problem: I created two liveupdate policies, one when the laptop is connected to the LAN where definitions are received via an internal server and one policy when the laptop isn't connected to the corporate LAN. Updates are coming than via the Symantec servers.
Problem now is that we use enforced proxy settings in our browser. Result: when there is no connection to the corporate LAN the proxyserver cannot be found and as Symantec Liveupdate is using these settings the symantec servers cannot be reached from abroad.
Anyone a solution for this?

ernieken's picture

Anybody an idea how we can solve this?
To resume: we work with a proxypac for IE that resides on an internal server. When the laptop is offline this internal server and thus the proxypac cannot be found. So websurfing is not possible and so updating the virusdefinitions neither.
Has anyone a similar situation? Solution?