Endpoint Protection


SEP Client Incorrectly Downloading Content From SEPM

  • 1.  SEP Client Incorrectly Downloading Content From SEPM

    Posted Feb 15, 2010 12:41 PM
    All,

    We are running SEP MR4-MP2 (11.0.4202) in our environment.  Our current setup is for a SEPM in each geography for clients to communicate with and then local GUPs in each office.   I was informed by our networking team that traffic to our SEPMs is very high with very large data transfers to SEP clients.  In fact it was enough traffic to bring an offsite location offline on our WAN.

    My confusion is that because we have clients using local GUPs for definitions, traffic should be fairly minimal to the actual SEPM servers.  Is there a way for me to track on the SEPM what is actually being sent to SEP clients so I can see what is generating the huge amount of traffic?  If I look in the Client-Server Logs on the SEPM I can see a lot of references to "The client has downloaded the content package".  Does this mean that clients are still grabbing definitions from the SEPM and not the local GUPs?

    Any help in troubleshooting this would be greatly appreciated.

    Thanks,
    Jeff


  • 2.  RE: SEP Client Incorrectly Downloading Content From SEPM

    Posted Feb 15, 2010 12:50 PM

    Title: 'Troubleshooting Content Delivery to the Symantec Endpoint Protection client'
    Document ID: 2008092511045348
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2008092511045348?Open&seg=ent


    Title: 'How to confirm if Clients are receiving LiveUpdate content from Group Update Providers (GUPs)'
    Document ID: 2009110311145748
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2009110311145748?Open&seg=ent


  • 3.  RE: SEP Client Incorrectly Downloading Content From SEPM

    Posted Feb 15, 2010 12:55 PM
    The most likely scenario is your LiveUpdate policies are not correct.

    Keep in mind both the GUP and the clients connecting to it need the same LU policy.
    That's right, the GUP needs to have its IP/hostname in the GUP part of the LU policy to function as a GUP.

    Please check this is the case.

    Also on the GUP you can run netstat -abn to check that SMC.EXE is listening on TCP 2967 (means the GUP is indeed working as a GUP and listening for client requests)

    Regards.


  • 4.  RE: SEP Client Incorrectly Downloading Content From SEPM

    Posted Feb 15, 2010 12:55 PM
    I think your SEPM is distributing MR5 delta packages to the clients. Since this cannot be done from GUPs, it would go through the SEPM.


  • 5.  RE: SEP Client Incorrectly Downloading Content From SEPM

    Posted Feb 15, 2010 11:32 PM
    Can you double check whether you assigned any packages to the groups for upgrading the clients? If present, remove them.

    Refer to this article also:
    SEPM & SEP Client bandwidth troubleshooting
    This will be able to give more information.

    Is there an option in the LU policy for bypassing the GUP after a particular time?
    If yes, ensure that the GUPs are on and running.
    Also ensure that your clients and corresponding GUPs are present in the same group.


  • 6.  RE: SEP Client Incorrectly Downloading Content From SEPM

    Posted Feb 17, 2010 12:11 PM
    Thanks everyone for the quick response.  Let me clarify a couple of things.

    1.  Both clients and the GUPs are in the same group using the same Live Update policy.  So the GUPs do know they are GUPs.
    2.  At this stage I am not even sure definition traffic is the cause of my issue.  So I want to find a way on the SEPM to see what is being downloaded to clients and generating the traffic.
    3.  I do not have any installation packages tied to groups, so I know the auto-update feature is not what is causing this.

    As for the RU5 delta packages to clients, not sure this is relevant since my machines are primarily MR4.

    What I really need right now is a way to look on my SEPM and see what it is actually doing when clients connect to it.  Like I said, I found a lot of "The Client has downloaded the content package" in the Client-Server log but not sure this corresponds to definition distribution.

    Thanks,
    Jeff


  • 7.  RE: SEP Client Incorrectly Downloading Content From SEPM

    Posted Feb 17, 2010 12:23 PM
    Actually, I was incorrect about one thing: the servers functioning as GUPs are not in the same group as the clients as I initially wrote.  These GUPs are actually my company file servers which are located in each office and have different auto-protect settings than my clients.  But the GUPs are using the exact same Live Update policy as my clients which specifies the file server to be a GUP.  My understanding is that a GUP does not have to be in the same group as the clients it serves; it only has to use the same Live Update policy.  Otherwise this would be a horrible design as you would need a different GUP for each and every group in your company.


  • 8.  RE: SEP Client Incorrectly Downloading Content From SEPM

    Posted Feb 17, 2010 01:15 PM
    You are correct that the clients and the GUP need only to share the same LiveUpdate policy. Some other questions I have: What OS is the GUP running? Is the Windows firewall enabled on the GUP or are you using the SEP firewall? Did you verify the GUP has started on the PC/server by doing a netstat -abn to check that SMC.EXE is listening on TCP 2967? Also, on an MR4 client you can look in “View Logs > Client Management > System Log”. Look for the entry “Start using Group Update Provider (proxy server) <GUP name/host>” to determine which GUP is being used.
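
Added example, not part of the original thread: a Python check of saved `netstat -abn` output for the condition the replies above describe (SMC.EXE listening on TCP 2967), distinguishing a listening GUP from a client that merely has a connection to one. The sample outputs are constructed, and the function names and status strings are assumptions of this example.

```python
GUP_PORT = 2967          # TCP port named in the thread
GUP_PROCESS = "smc.exe"  # owning process named in the thread

def tcp_listeners(netstat_text):
    """Return [{'addr', 'port', 'owner'}] for every TCP LISTENING row."""
    rows, current = [], None
    for line in netstat_text.splitlines():
        tokens = line.split()
        if tokens and tokens[0] in ("TCP", "UDP"):
            current = None  # a new socket row ends the previous owner block
            if tokens[0] == "TCP" and len(tokens) >= 4 and tokens[3] == "LISTENING":
                addr, _, port = tokens[1].rpartition(":")
                current = {"addr": addr, "port": int(port), "owner": None}
                rows.append(current)
        elif current and len(tokens) == 1 and tokens[0][0] == "[" and tokens[0][-1] == "]":
            current["owner"] = tokens[0][1:-1]  # owner line such as "[Smc.exe]"
            current = None
    return rows

def gup_status(netstat_text):
    """Classify the host by who (if anyone) listens on the GUP port."""
    owners = [r["owner"] for r in tcp_listeners(netstat_text) if r["port"] == GUP_PORT]
    if not owners:
        return "not-listening"
    if any(o and o.lower() == GUP_PROCESS for o in owners):
        return "gup-listening"
    return "owner-unknown" if all(o is None for o in owners) else "other-process"

# Constructed samples (not captured from a real host).
SAMPLE_GUP = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  RpcSs
  [svchost.exe]
  TCP    0.0.0.0:2967           0.0.0.0:0              LISTENING       1684
  [Smc.exe]
  UDP    0.0.0.0:500            *:*                                    700
  [lsass.exe]
"""
SAMPLE_CLIENT = """
  TCP    10.0.0.5:49210         10.0.0.9:2967          ESTABLISHED     1684
  [Smc.exe]
"""
SAMPLE_UNKNOWN = """
  TCP    0.0.0.0:2967           0.0.0.0:0              LISTENING       1684
 Can not obtain ownership information
"""
if __name__ == "__main__":
    print([gup_status(s) for s in (SAMPLE_GUP, SAMPLE_CLIENT, SAMPLE_UNKNOWN)])
```

An "owner-unknown" result usually means netstat was run without elevation, so rerun it from an administrative prompt before concluding anything about the GUP.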


  • 9.  RE: SEP Client Incorrectly Downloading Content From SEPM

    Posted Feb 17, 2010 11:15 PM
    Which is the version of your SEPM and clients? If your SEPM is RU5 and clients are MR4 and you are using the multiple GUP option in the LiveUpdate policy, clients will not be able to get the correct policy.


  • 10.  RE: SEP Client Incorrectly Downloading Content From SEPM

    Posted Feb 17, 2010 11:22 PM
    Can you give us some more clarification?

    Which is the version of the SEPM?
    Which is the version of the clients?
    Are all your file servers in the same group?
    Are you using the multiple GUP option in the LU policy?


  • 11.  RE: SEP Client Incorrectly Downloading Content From SEPM

    Posted Feb 18, 2010 11:57 AM
    Again, thanks to everyone for the help.  I seem to be getting questions asked regarding items I already mentioned, so let me summarize them again in hopes this helps.

    1. SEPMs are all MR4-MP2 (11.0.4202)
    2. Clients are a mixture of 11.0.2020, 11.0.4202 and a couple RU5 that we are testing.  The log entry "The client has downloaded the content" is showing up for all three versions and isn't necessarily showing up at the time when the client downloaded definitions.
    3. We only download definitions once a day (4am) and I keep 10 revisions of definitions on the SEPM.
    4. I have GUPs local in each office using the same Live Update policy as the clients.  When running netstat -abn on a GUP it shows smc.exe listening on the proper port.  I also have tons of content updates (as expected) in the SharedUpdates folder on the GUP.
    5.  I have no installation packages attached to any group

    My first step is to see WHAT is causing the traffic.  Definitions make the most sense if they are being pulled from the SEPM instead of the local GUP, but I need a way to determine if this is the case and then go from there.  I do know that MR2 clients will by-pass a GUP if they cannot connect to it, which may be causing some of my problems but I need a way to determine if that is what is happening.

    Basically I want to determine what is causing the traffic instead of assuming it is definitions.  Is there a way on the SEPM to see if a machine is downloading definitions from its SEPM instead of the GUP?  Anything in the logs I can use or something I can look for?  I have WireShark on the SEPM but there is a ton of traffic (as expected), so trying to determine what is definition traffic versus just normal traffic from a client checking in is difficult.

    Thanks,
    Jeff


  • 12.  RE: SEP Client Incorrectly Downloading Content From SEPM

    Posted Feb 19, 2010 12:39 AM
    I think these logs can give more information regarding this. Run this on one of the clients:
    SylinkWatcher and SylinkMonitor - tools for real-time debugging of SPA 5.x and SEP 11.x