
SEP 12.x Client and Proxy Server

Created: 04 Jan 2013 • Updated: 10 Jan 2013 | 7 comments
This issue has been solved. See solution.

Is getting a SEP 12 client to work (unmanaged and goes through a Blue Coat proxy server) more of a challenge than with SEP 11?  Even with all of the proxy server URL exceptions specified in TECH162286, it appears every 12.x version I've tried thus far has difficulties downloading anything via LiveUpdate beyond the catalog listing.

For newer versions like the latest SEP 12.1.2, I usually first install an unmanaged client on a test VM to see how things go.  The 12.x client not being able to update its virus defs from the get-go is very disconcerting to me.  In contrast, unmanaged SEP 11 clients required no modifications on our proxy servers and worked straight off to get their virus defs.  Yah...I'm still running SEP 11.0.5 in our environment and was hoping to upgrade to 12.1.2 since it's supposedly compatible with Win8 but this issue just makes me lose confidence in going further.

If an unmanaged SEP 12.x client has difficulties getting its virus defs, I wonder if the SEPM server will do any better?  I would think many of you are running behind proxy servers for Internet access so figured I must be missing something in our environment.  Just can't figure out what.


.Brian's picture

Did you see this:

How to configure an unmanaged Symantec Endpoint Protection 12.1 client to use a proxy for LiveUpdate

http://www.symantec.com/business/support/index?pag...

Did you set the authentication?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Clint's picture

Thanks...this KB article sheds some light on what's happening although I feel it points to a bug in the product.  The default is to use the Windows Internet Options proxy settings which I've set in IE so you'd think LiveUpdate should know the logged in credentials to get out to the Internet but this doesn't seem to be the case.

Our proxy server requires NT authentication so the only way I could get SEP 12.1.2 to update was to use the custom proxy option to explicitly specify our proxy server/port and my user credentials.  However, this won't fly in our environment because user account passwords are set to periodically expire (i.e. account lockouts will occur when LiveUpdate continually tries to use an old password).

If we're forced to always run SEP 12.x in managed mode, will the virus defs update OK should a user take their laptop home?  We have a few users that work more often at home than at the office so have to make sure SEP will be kept updated regardless of where the user is.

Clint

.Brian's picture

It essentially uses browser settings, so it depends on whether you changed those or not.

Also, you could set up another location for when users go off the network to use the browser settings.


sandra.g's picture

> If we're forced to always run SEP 12.x in managed mode, will the virus defs update OK should a user take their laptop home?  We have a few users that work more often at home than at the office so have to make sure SEP will be kept updated regardless of where the user is.

Default settings should allow LiveUpdate to run on a schedule if the clients cannot connect to their management server. (By default LiveUpdate skips running if there is a good connection to the SEPM--the opposite is also true.)

The difference between 11.x and 12.1.x is that LiveUpdate changed for the SEP clients. For 11.x, SEPM and SEP clients use Windows LiveUpdate; for 12.1.x, SEPM still uses Windows LiveUpdate, but the SEP clients now use LiveUpdate Engine (which you will see referred to as LUE). I haven't investigated the operational differences in great detail but this could explain why there's a difference.

There is also a note in the "Known issues and workarounds" section of the 12.1.2 Release Notes (p 17 of the PDF) that may have something to do with what you're seeing, though I don't think you mentioned an error message:

Configuring an NTLM-enabled proxy to be used with HTTP basic authentication causes client LiveUpdate to return an error on the clients that run Windows XP/Vista (2750314)

Windows XP/Vista removes the authentication credentials that are submitted when you configure Symantec Endpoint Protection to use an NTLM-enabled proxy with basic authentication on the HTTP(S) host. This removal causes the client's LiveUpdate to return an error message.

There is no workaround.

Another alternative might be to whitelist traffic to the Symantec LiveUpdate servers (liveupdate.symantec.com, liveupdate.symantecliveupdate.com) on the proxy.

sandra

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!

SOLUTION
Clint's picture

FYI: When I had asked one of our security guys to whitelist Symantec LiveUpdate traffic for this test, he had entered my test VM's "hostname" but apparently our proxy server wanted an "IP address" instead.  After this was done and I returned the LiveUpdate tab's proxy options back to default, my unmanaged SEP 12.1.2 client successfully updated its virus defs!

Clint
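A way to check from the client whether the proxy exemption discussed in this thread is actually in effect, given here as an added example that is not part of the original posts: it classifies the proxy's reply to an unauthenticated request for a LiveUpdate host. The function names, the verdict labels and the sample replies are assumptions made for illustration; only the two host names come from the thread.

```python
import socket

# Hosts named in the thread; everything else here is illustrative.
LIVEUPDATE_HOSTS = ("liveupdate.symantec.com", "liveupdate.symantecliveupdate.com")

def probe(proxy_host, proxy_port, target, timeout=10):
    """Send one unauthenticated proxied GET and return the raw reply."""
    req = f"GET http://{target}/ HTTP/1.1\r\nHost: {target}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(req.encode("ascii"))
        return s.recv(8192)

def classify(raw):
    """Return (verdict, auth_schemes) for a raw HTTP reply from the proxy."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % lines[0])
    status = int(parts[1])
    schemes = set()
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # One challenge per Proxy-Authenticate header is assumed here.
        if sep and name.strip().lower() == "proxy-authenticate" and value.strip():
            schemes.add(value.split()[0].upper())
    if status == 407:
        # The proxy still wants credentials: the exemption did not match this client.
        return "auth-required", sorted(schemes)
    if status == 403:
        return "denied", []
    return "no-auth-challenge", []

# Constructed sample replies (not captured from a real proxy).
SAMPLE_NTLM = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
               b"Proxy-Authenticate: NTLM\r\n"
               b"Proxy-Authenticate: Basic realm=\"proxy\"\r\n"
               b"Content-Length: 0\r\n\r\n")
SAMPLE_EXEMPT = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"

if __name__ == "__main__":
    for label, raw in (("before exemption", SAMPLE_NTLM), ("after exemption", SAMPLE_EXEMPT)):
        print(label, classify(raw))
```

To test a real client, pass the output of `probe()` for each entry in `LIVEUPDATE_HOSTS` to `classify()`; an `auth-required` verdict after the whitelist change means the rule is not matching the way the proxy identifies that machine.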

sandra.g's picture

Glad that worked!

sandra

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection


Ajit Jha's picture

It will be better if you are a little bit more focused on the query; it's a bit confusing. If your SEP 12.1.2 is not updating virus definitions, no matter whether you are using a proxy, firewall, etc., there are ways to find the root cause of the issue.

Please post the LiveUpdate log of the machines which are not updating, and we will analyse it. Also, while updating, are you getting any LU error? If yes, do share that as well.

Regards,

Ajit Jha

Technical Consultant

ASC & STS