Endpoint Protection

  • 1.  SEP Clients eating up bandwidth

    Posted Mar 09, 2012 07:42 PM

    Community,

    I have 2 SEPMs at version 11.0.6300.803 that support 5000 plus clients. My SEPMs are in push mode with a 20 minute interval and a 5 minute randomization. I also have a primary workstations group created along with 3 autoupgrade groups, RU6a, RU6 MP1 and RU6 MP3. I recently decided to move all of the clients (300) in the RU6 MP1 group to the RU6 MP3 group and delete the RU6 MP1 group altogether... hope I didn't lose you. Ever since I did that I've had clients reporting incorrectly and my SEP clients are eating up the bandwidth on the WAN. Has anyone ever seen this and is it really the SEP clients eating up the bandwidth? One more note: on the day I made the change our HTT team started using Altiris that morning to patch machines.



  • 2.  RE: SEP Clients eating up bandwidth

    Posted Mar 10, 2012 12:50 AM

    We update clients manually on WAN links.

    Copy the latest SEP package to any machine on the WAN link group, then use Symantec Push Wizard deployment.

    Use a GUP server to update the client virus definitions and use the GUP throttling feature.

    And make sure all clients have the same SEP version, otherwise the GUP server downloads multiple definitions for different SEP versions.

     



  • 3.  RE: SEP Clients eating up bandwidth

    Posted Mar 10, 2012 06:50 AM

    In push mode, heartbeat interval (20 minutes) is only relevant for sending client logs to the SEPM. Content (and package) changes as well as policy updates are sent immediately to the client.

    If you push 300 clients in an autoupgrade group without schedule, all 300 clients are trying to upgrade nearly simultaneously. No wonder they are eating up your bandwidth.

    I would do the following:

    • Change to Pull mode. In this way content, policies, and logs are all depending on heartbeat, and you don't have a permanent HTTP connection between every client and its SEPM.
    • Set an appropriate heartbeat for Pull mode.
    • Enlarge randomization interval.
    • Create an autoupgrade schedule with a generous interval.

    All the interval and schedule settings depend on your network.

    As Mohammad Altaf Khan wrote, think about GUPs for content distribution (but they are not able to distribute client packages).



  • 4.  RE: SEP Clients eating up bandwidth

    Posted Mar 10, 2012 02:37 PM

    Guys,

     

    Thanks for the quick responses. I've set my SEPMs to pull mode, increased the heartbeat interval to 30 minutes but left the randomization at 5 minutes. Greg, I will increase the randomization after allowing the clients to receive the new policy and seeing how the bandwidth changes. I spoke with my team lead about setting up GUPs for definition distribution and he's on board. If I move all clients from the RU6 MP1 group into another group and delete the RU6 MP1 group, will that corrupt or cause communication issues with the clients that were moved? We recently had a client that was trying to download 700MB of data, which is unheard of for a SEP client. This is what brought about my original post.



  • 5.  RE: SEP Clients eating up bandwidth
    Best Answer

    Posted Mar 10, 2012 03:35 PM

    Hi,

    It seems that in this discussion we are only guessing what's going on and trying solutions not based on real evidence.

    SEP clients connect to the SEPMs through the Symantec Web Server installed under IIS, a standard HTTP connection, usually to our custom port 8014.

    First, confirm that the issue is related to the SEPMs, i.e. is the high traffic going through port 8014?

    Second, enable IIS logging for the 5 virtual folders of the Symantec Web Server, analyze the logs and check what the clients are downloading and how many times. The two possible scenarios are: big and multiple downloads from the "Content" virtual folder or big and multiple downloads from the "Packages" virtual folder.

    Depending on what is downloaded from the clients, the resolution changes. For example, if the traffic is related only to the deployment of the SEP client package, the GUP won't help you since it is meant only for the content.

    There are also known issues in RU6.xxx that you won't be able to fix without a migration to a higher version, but proper diagnostics are needed to confirm it.
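
The log analysis suggested in the answer above, as an added example that is not part of the original thread: it totals requests and bytes sent per virtual folder and client from IIS W3C extended logs, restricted to port 8014. The sample log lines, the folder and file names in the URIs, and the function names are constructed for illustration; if `sc-bytes` is not among the logged fields, only request counts are reported.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended log format (not data from the thread).
# The folder and file names in the URIs are placeholders.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem s-port sc-status sc-bytes
2012-03-12 09:00:01 10.1.1.20 GET /content/defs/full.zip 8014 200 73400320
2012-03-12 09:00:05 10.1.1.21 GET /content/defs/delta.dax 8014 200 204800
2012-03-12 09:01:10 10.1.1.20 GET /content/defs/full.zip 8014 200 73400320
2012-03-12 09:02:00 10.1.1.22 GET /packages/sep32/setup.dat 8014 200 104857600
2012-03-12 09:03:00 10.1.1.23 GET /other/index.htm 80 200 999
"""

def parse_w3c(lines):
    """Yield one dict per request, honouring the latest #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def summarize(lines, port="8014"):
    """Return ({(folder, client_ip): {requests, bytes}}, sizes_logged)."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0})
    sizes_logged = True
    for rec in parse_w3c(lines):
        if rec.get("s-port", port) != port:
            continue  # not the SEPM client port
        folder = rec.get("cs-uri-stem", "/").strip("/").split("/")[0].lower()
        entry = stats[(folder, rec.get("c-ip", "?"))]
        entry["requests"] += 1
        sent = rec.get("sc-bytes", "-")
        if sent.isdigit():
            entry["bytes"] += int(sent)
        else:
            sizes_logged = False  # sc-bytes not enabled: counts only
    return dict(stats), sizes_logged

def top_talkers(stats, n=3):
    """Largest (folder, client) pairs by bytes sent, then by request count."""
    return sorted(stats.items(), key=lambda kv: (kv[1]["bytes"], kv[1]["requests"]), reverse=True)[:n]

if __name__ == "__main__":
    stats, sizes_logged = summarize(SAMPLE_LOG.splitlines())
    print("sc-bytes logged:", sizes_logged)
    for (folder, ip), s in top_talkers(stats):
        print(f"{folder:10} {ip:12} {s['requests']:3} requests {s['bytes']:>12} bytes")
```

A client that appears repeatedly with the same large object points at retries of one download rather than many clients each fetching it once.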

     



  • 6.  RE: SEP Clients eating up bandwidth

    Posted Mar 12, 2012 09:57 AM

    Beppe,

    I've confirmed that port 8014 is indeed the issue. The Networking team removed the SEPMs from the MPLS and the network bandwidth dropped tremendously. I'm looking at the IIS folders and there are actually 6 folders. In order to activate the IIS logging, do I enable the check box for "Log visits" or is this setting somewhere else?



  • 7.  RE: SEP Clients eating up bandwidth

    Posted Mar 14, 2012 01:03 PM

    Please enable log visits in the properties of the single folders, not at web site level.

    I am not sure whether the size of the download is logged by default or not; double-check it in the settings of the IIS logs.



  • 8.  RE: SEP Clients eating up bandwidth

    Posted Mar 23, 2012 02:41 PM

    Thanks for the help! You assisted in resolving my issue.