SEP Global Layout

Created: 05 Nov 2012 | 2 comments

My current SEP deployment for some 50k endpoints is a SEPM in the US and a SEPM in Europe, and both have a pretty even 50/50 split of the number of endpoints.  I am not currently replicating any data, and all endpoints are imported via Active Directory OUs, and then each location-specific OU has its own GUP policy, so I have a few hundred LU policies to manage.  For this reason, location awareness is next to impossible without creating location policies in hundreds of OUs.  The issue is that inheritance is turned off because of the location-specific LU policies I have, so there is no top-down policy push available.


Therefore, it is decided that when we deploy 12.1.2 we will be moving away from the AD structure to a manual SEP-based structure.  I was just curious about the layout that some folks use for a large-scale deployment such as this.  My plan would be to remove the SEPM in Europe and use a single point of management.  I was thinking of using some 3-4 SEPMs to manage all the endpoints, as 2 is recommended beyond 25k endpoints, I believe.


While the infrastructure is part of it, my bigger concern is over the group structuring for such an environment.  I want to keep things fairly simple while remaining structured.  Coming from the AD layout, this is a huge configuration change.  My current thought is to have Domain Controllers, US and International under My Company.  Then under International and US have Workstations and Servers.  This would be a super basic, easy-to-manage design as compared to what I have now, but that is what concerns me.  Is this too simplistic of a layout?  Should I divide the systems up a little more?  This is where I am really looking to try and gather information.  What are some layouts/configurations that others are currently using?


Any and all ideas are welcome and appreciated.
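To make the inheritance problem described in the post concrete, here is an added example (my own Python, not Symantec code and not something the poster shared). It models the one SEPM rule the post relies on: a group with inheritance on takes its policies from its parent, and a group with inheritance off owns its own policy set, so a policy assigned higher up never reaches it. The group names, site counts and policy names are constructed; it builds a copy of the current per-OU LiveUpdate layout and of the proposed regional layout, then counts how many LU policies each one forces an admin to maintain and how far a top-level policy change actually propagates.

```python
"""Model of SEPM group inheritance (added example, not Symantec's code).

Semantics modelled (from the post): inheritance on = take the parent's
policies; inheritance off = carry your own, so nothing from above applies.
All group and policy names below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional


@dataclass
class Group:
    """One SEPM client group in the My Company tree."""
    name: str
    inherit: bool = True                                   # inherit from parent?
    policies: Dict[str, str] = field(default_factory=dict)  # policy type -> name
    children: List["Group"] = field(default_factory=list)
    parent: Optional["Group"] = field(default=None, repr=False)

    def add(self, child: "Group") -> "Group":
        child.parent = self
        self.children.append(child)
        return child


def walk(group: Group) -> Iterator[Group]:
    """Depth-first traversal of the group tree."""
    yield group
    for child in group.children:
        yield from walk(child)


def policy_owner(group: Group) -> Group:
    """The group whose own policy set applies to `group`: the first ancestor
    (or the group itself) that has inheritance turned off, else the root."""
    g = group
    while g.inherit and g.parent is not None:
        g = g.parent
    return g


def effective_policy(group: Group, ptype: str) -> Optional[str]:
    """Name of the policy of type `ptype` that this group actually runs."""
    return policy_owner(group).policies.get(ptype)


def distinct_policies(root: Group, ptype: str) -> int:
    """How many separate policies of this type an admin must keep in sync."""
    return len({effective_policy(g, ptype) for g in walk(root)})


def reached_by_root(root: Group, ptype: str) -> List[str]:
    """Groups on which a policy change made at the root actually lands."""
    return [g.name for g in walk(root) if policy_owner(g) is root]


def ad_style_layout(sites_per_region: int = 3) -> Group:
    """Constructed copy of the current situation: one OU per site, each with
    inheritance off so it can carry its own site-specific LU (GUP) policy."""
    root = Group("My Company", policies={"LU": "LU-Default"})
    for region in ("US", "EU"):
        r = root.add(Group(region))
        for i in range(1, sites_per_region + 1):
            site = f"{region}-Site{i:02d}"
            r.add(Group(site, inherit=False, policies={"LU": f"LU-{site}"}))
    return root


def proposed_layout() -> Group:
    """The proposed layout: one LU policy (here a constructed multi-GUP list)
    at the top and inheritance left on everywhere below it."""
    root = Group("My Company", policies={"LU": "LU-MultiGUP"})
    root.add(Group("Domain Controllers"))
    for region in ("US", "International"):
        r = root.add(Group(region))
        r.add(Group(f"{region}/Workstations"))
        r.add(Group(f"{region}/Servers"))
    return root


if __name__ == "__main__":
    for label, tree in (("AD-style", ad_style_layout()),
                        ("proposed", proposed_layout())):
        total = sum(1 for _ in walk(tree))
        print(f"{label}: {distinct_policies(tree, 'LU')} LU policies to maintain; "
              f"a root-level LU change reaches "
              f"{len(reached_by_root(tree, 'LU'))} of {total} groups")
```

With three sites per region the AD-style tree needs seven LU policies and a root-level change reaches only the three groups that hold no endpoints, while the proposed tree needs one policy and a root-level change reaches every group; raising `sites_per_region` to the hundreds shows why the per-OU approach does not scale.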

Comments (2)

.Brian

Using a pretty similar layout except about 11k clients and 80+ GUPs. Also did away with the AD sync to simplify it.

Broke it down by regions (Americas, APA, AME, Europe, etc.), then the location name and type of computer.

So for example:

and the process repeats for each region.

Each group has inheritance broken because of various policies that may be needed at one location but not another and so on. Pretty easy to manage but can become time consuming.

What you describe should work for you.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Ian_C.

We only have 7000+ workstations, but this works for us.

We have 60+ physical locations spread throughout the world, some with home based ADSL link or 128K satellite links.

Servers have different SEP groups/folders because of different centralised exclusions. They do share the same policies though. DMZ servers are not visible here. They also only have one location, corporate network connected.

For workstations we dump them ALL together into one SEP group/folder. We have no big requirement differences for ultra-secure vs. normal office worker or mobile vs. desktop. We have sub-groups for diagnostic purposes. For workstations, we have two location awareness options: corporate network connected or public.

We use a multi-GUP list, which seems to get the job done.


I would say that the security requirements for your workstations should dictate the groups and their policies. There are others that have posted that they use ±80 locations.

This is just to give you an idea that your 'super basic easy to manage design' should be OK.

Please mark the post that best solves your problem as the answer to this thread.