Video Screencast Help
Search Video Help Close Back
to help
Not able to make it to Vision this year? Get a sampling in the Best of Vision on Demand group.

Is SEP MR1 MP1 stable enough to install on a production server ?

Updated: 22 May 2010 | 17 comments
ndd's picture
ndd
0 0 Votes
Login to vote
Would you recommend installing SEP MR1 MP1 on a production server and SEP on clients (small SBS server with 20 users, upgrading from 10.x), or does it still have too many problems and should wait for MR2 ?.
 
I've been reading through many posts in this forum and the impression I'm getting is that while MP1 seems to have fixed many of the main issues, other posts seem to indicate that people are still experiencing  problems. Any recommendation ?
 
Thanks.
 
Normand
 



Message Edited by ndd on 03-25-2008 07:33 AM

Message Edited by ndd on 03-25-2008 07:34 AM

Discussion Filed Under:
,

Comments

pbogu's picture
25
Mar
2008
0 Votes 0
Login to vote
pbogu

yes you can use it, but my first recommendation is - only AV (without email scanning) on the server. and you may also have some problems if you use some strange in-house applications that will make problems with application and device control. but in general i think it's ready to go if you are not using nothing really strange

SKlassen's picture
25
Mar
2008
0 Votes 0
Login to vote
SKlassen

I agree with pbogu.  MR1 combined with MP1 fixed a huge number of issues with the original release version.  Especially if your coming from SAV, start with the minimum number of features and add more in as you have time to read up on them, test, and pre-stage your policies.
ndd's picture
25
Mar
2008
0 Votes 0
Login to vote
ndd

Thanks both for your replies. I'm a bit worried with performance and response time on the production server that would be running the manager. It's a Dell PowerEdge with 2 Xeon quad core 2.0Ghz, 4Gb Ram, Raid 5 Scsi drives, running SBS2003 Std. It is the only server we have and it's our do-it-all server (normal SBS roles: domain controler, file sharing, Exchange server, Backup Exec, Dns, Dhcp, etc for 20 users). It's presently our SAV server with clients running v10. I'm trying to figure if I'm about to do a big mistake by upgrading it to SEP 11 and running the SEPManager on it - can it take it ?
 
What gets me worried is that to prepare and test for the upgrade, I've setup a small test environment with 1 server (Intel P4 2.4Ghz, 2.0Gb Ram, SBS2003 with Exchange) and 5 pc's. Installed SAV v10 server, SSC and sav on 5 clients. CPU utilization was an average of 10%, memory utilization about 1.4Gb. Then upgraded server and clients to SEP MR1 MP1.  Since then, cpu utilization on the test server runs constantly at around 10-40%, with some peeks at 60-80%. Memory utilization is about 2.1Gb. Of course, my test server is not as powerfull as the production server on which it's supposed to be running. Any chances that the production server with its configuration and usage would also experiment the same high utilization issues ?
 
Thanks
 
 
pbogu's picture
25
Mar
2008
0 Votes 0
Login to vote
pbogu

hmm, i think it can be risky installing sepm on this machine, but this machine looks powerful enough to run SEPM as VMware server - this is the safest way if u ask me (2 CPUs for VM and about 1,5-2.0 GB RAM). i've recently done an installation on similar machine (VM) and it's working for about 100PCs (about 20 of them at remote sites). btw symantec themselves don't recommend installing sepm on DC

ndd's picture
25
Mar
2008
0 Votes 0
Login to vote
ndd

Sounds like an interesting option. I will try to search for more details on how to setup this kind of configuration - not familiar yet with vmware. I suppose this would require a full re-install of our server: vmware install  + SBS2003 install with currents apps and data + Server2003 install with SEPm (and the purchase of another ServerOS licence for the 2nd vm running SEP) ?
 
SKlassen's picture
25
Mar
2008
0 Votes 0
Login to vote
SKlassen

You wouldn't need to rebuild your box.  Use the free VMWare Server.  It runs as an application on your current OS install.  You are correct with your assertion that you would need a server license for the OS install in VMWare.
ndd's picture
25
Mar
2008
0 Votes 0
Login to vote
ndd

When you mention that it would be a safer solution in this case to use vmware, is it because vmware could prevent SEPm from affecting the rest of the server in the case where SEP would be experiencing high cpu utilization or lock-ups ?



Message Edited by ndd on 03-25-2008 12:23 PM

SKlassen's picture
25
Mar
2008
0 Votes 0
Login to vote
SKlassen

That's one advantage of splitting this off with VMWare, as long as you assign your VMWare instance to have usage of select processors/cores. 
 
Another is from a security standpoint that if for whatever reason, the host system becomes compromised, you at least have a little bit of separation to give you some time to get it fixed before the VM follows. 
 
The third one, which is my favorite reason, is for Disaster Recovery.  Traditionally one of the biggest problems with backups is that you have to restore to a machine with the same major hardware components or face a nightmare of blue-screens, lockups, and driver errors.  In recent years, backup products that allow you to do restores to dissimilar hardware, including some nice ones from Symantec, have become more common.  For servers they do tend to have one big drawback...cost.  With a VM, you don't have that issue, because all VMs have the same "hardware"...the same virtual motherboard, virtual disc controller, etc.  You can take a VM from a VMWare install on one machine and move it to another VMWare install on another machine and it will fire up without a hitch.
pbogu's picture
26
Mar
2008
0 Votes 0
Login to vote
pbogu

another advantage is if something brakes you can just reinstall VMware from scratch or you can play with it and do a lot of reboots and they do not affect your DC and other services.
imagine situation when something is going wrong and you have to reboot a server few times, if its your DC, fileserver and blah blah blah a lot of other services then i think you don't want to reboot that in production hours.

ndd's picture
26
Mar
2008
0 Votes 0
Login to vote
ndd

Thanks for the info about vmware. Pretty interesting option in this case. I will give it a try a see how it goes.
 
RBW's picture
01
Apr
2008
0 Votes 0
Login to vote
RBW

SEP and SEPM are much more complicated than their predecessors.  This appears to be due to their attempt to do much more than their predecessors.
There are some unpleasant surprises that create major problems quickly.  The biggest problem is that it takes a long time to learn how to make everything work.
I recommend starting in a test environment and use it there for some time to learn the features.  When you feel comfortable with your level of knowledge about the product, then gradually roll it out into production, but on just a few machines at a time.  You may also want to start with just the AV portion and then gradually add the rest of the product.
We run the SEPM server on a MS virtual machine to isolate it from other applications.  Also, we only installed the AV portion of the product on our servers.  The full product has been installed on our workstations.  As we learn more about how the product works we may install the rest of the product onto our servers, but unfortunately the product out of the box would not allow our servers to connect with each other creating problems such as not being able to obtain DHCP leases from the DHCP server.
ndd's picture
01
Apr
2008
0 Votes 0
Login to vote
ndd

Thanks RBW. Sounds like good advice, and that's exactly what I've been doing for the last 2 weeks when I've got some spare time. Installed a test environment with one server with SEPm and 5 clients. Then going through the documentation, forums, and setting up things according to people's recommendations based on their experience with the product and the problems they had to get around. 
 
I must say that I find the learning curve quite steep. I didn't have to spend as much time on the product when upgraded from v7, 8, 9 and 10. And the hardware requirements are so much higher thant v10 and previous. I have some installations where I don't even think I can install it on the existing SAV server (SBS Server with all of the regular tools installed- DC, DNS, Dhcp, Exchange, Backup, etc), requiring maybe a new box and server OS to run it - which is not really an option in many of these installations. So I'm even starting to look at other alternatives like McAfee and Trend if this migration project is going to cost too much man hour and hardware resources in order to stick with SEP.



Message Edited by ndd on 04-01-2008 11:17 AM

tekwerker's picture
01
Apr
2008
0 Votes 0
Login to vote
tekwerker

Depends on what you mean by 'stable'. It runs. It doesn't crash. So I supposed that's 'stable'. Unfortunately, the MR1 client prevented any network clients from accessing a database on server for a particular application. A mission critical application.
 
We were able to disable the client and get it to work...sometimes, but then it would stop working again. It's been like that for weeks. Application dev blames Symantec. The problem doesn't exist with other AV vendors. So we finally just uninstalled the client, and no problems... with the application.
 
Now RRAS is broken:
 
If I could start over again, I would wait until an 11.1 or MR3 or whatever. But don't listen to me, listen to the "I've done 60,000 deployments and everything is great and it fixed my bum knee and my wife loves me again" types.
Maggots's picture
01
Apr
2008
0 Votes 0
Login to vote
Maggots

If you're staring a fresh install on a fresh server maybe but do not install it on your main production critical server never ever. If you don't want problem, install it on a freshly install VMware server and configure it well before thinking deploying clients.
 
I think most of the problem the people have including mine, is that we had the orignal release and we had to update to MR1 which was a disaster for me. If you install and brand new 11.0.1xx MR1 MP1 on the Server and then deploy, you're good to go.
 
But the better solution is in my opinion,  to get in touch with the product Endpoint in the test environment but wait for 1 more month for the MR2 which is supposed to fix a vast majority of bugs. Then, you'll deploy a very fresh installation on all the production computer and that's the way to do it I guess. SEP seems to have very hard time with update and updgrade and everything that can affect it's configuration.
 
Good luck
ndd's picture
01
Apr
2008
0 Votes 0
Login to vote
ndd

In my case, it's going to be hard to get a fresh install scenario. Since our setup is a very small one, with only 1 SBS2003 server and 20 clients, it's going to be difficult convince management to put in a new server box and new OS ($$) because of the requirements of the new version of our AV system. I have a feeling the final scenario will be either we stay with v10.x for the next year, or we switch to a different product that can coexist on our SBS server without affecting productivity.
SKlassen's picture
01
Apr
2008
0 Votes 0
Login to vote
SKlassen

Symantec does have a tool to automate the RRAS fix.
 
 
I ran into the problem the first month SEP was out and figured out the fix on my own.  I haven't tried this tool, so cannot make any claim as to its' proper function.
Mike T's picture
02
Apr
2008
0 Votes 0
Login to vote
Mike T

I would wait for MR2, and since SEPM has a history of obilterating SBS servers, I would read every knowledge base article on the subject. Go through this forum and read the past issues, the fixes, the "I learned this the hard way" stories, etc.  And for goodness sake have a complete backup of your SBS read to go, on at least two different types of media.
 

Technical Support

Symantec.com

Store

Community Stats

Total Content Items
Members
270,017