Endpoint Protection

 View Only

  • 1.  SEP Client deplyment to remote offices - best practice?

    Posted Jun 25, 2009 04:24 AM
    Hi, our business is distrbuted around the world with many small branch offices (less than 100 users in each).

    we are surrently running SAV10 and looking to upgrade to SEP soon. Can someone advise on best practice on deplying clients over the WAN? Most of you offices are connected via 2Mb MPLS WAN.

    I know you can use the push wizard, but dont fancy that over the WAN. Also GPO is a possibility.

    We will only have one SEP mamnger based at head office.

    Any suggestions appreciated.

    Thanks.


  • 2.  RE: SEP Client deplyment to remote offices - best practice?

    Posted Jun 25, 2009 05:30 AM
    https://www-secure.symantec.com/connect/forums/deploying-sep-client-installation-package-over-wan

    I hope this is what you want..


  • 3.  RE: SEP Client deplyment to remote offices - best practice?

    Posted Jun 26, 2009 09:53 PM
    How fast would this take if say using 2Mb MPLS WAN?
    thanks...


  • 4.  RE: SEP Client deplyment to remote offices - best practice?

    Posted Jun 27, 2009 06:42 AM
    clwoody,

    Good morning,

    You may install the manager to your server like a regular first installation. Refer,
    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/ac120aa7be3e522688257346007dfe45?OpenDocument

    After installing the manager, client installation packages can be created from the manager. Refer,
    http://seer.entsupport.symantec.com/docs/305173.htm

    To obtain ClientRemote.exe,
    1. Copy it from \Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin
    2. download CD2 of SEP, \Tools\PushDeploymentWizard.


    Run the ClientRemote.exe in each remote location (preferrable from a server). Please note, you need to login with Domain Administrator account to push packages to other clients. Also make a copy of client install package locally available to bring down the network traffic in your WAN.


  • 5.  RE: SEP Client deplyment to remote offices - best practice?

    Posted Jun 27, 2009 03:25 PM
    We install SEP across 6 sites, some connected with bandwidth like yours, using the usual combination of:
    • DFS install shares to contain the Setup files
    • DFSR to replicate the setup files efficiently and in near-real-time to branch office servers, and
    • GPOs with custom MSTs to install the feature sets we want.
    We restart servers after hours using Task Scheduler to get them updated ASAP, and workstations by asking people to reboot (works with 60% of the people). Patch Tuesday or the occasional crash takes care of the stragglers. There's enough randomization that we've never seen a bandwidth shortage, but our largest site is 120 machines with gigabit, so that's not a very large site.

    Once you get it set up the way you want, it takes only a few mouse-clicks to push updates. Group Policy can also handle the problem of upgrading from (for example) MR3 directly to MR4 MP2, skipping MR4, using a Symantec-supported upgrade path. Set the Package to do a Replace install...remove the old version, then install the new one. Then you don't have to do MR3 to MR4 to MR4 MP2 because MR4 MP2 is installing to a machine with no prior SEP version on it at all.

    As a bonus, when it's done, no restart is needed. If it's needed, it's already happened before the user ever logs on.