SEP - Prevent Chattiness to Firewall Due to VPN


  • 1.  SEP - Prevent Chattiness to Firewall Due to VPN

    Posted Aug 27, 2010 03:37 PM
    I have a group of computers (laptops) that always connect via VPN. Some of these computers don't connect to the VPN service very often. SEPM seems to want to contact these computers pretty often once they do connect. The problem is our firewall sees so much traffic from SEPM attempting to connect to laptops that are no longer connected to the system. Is there a way to purge the IPs of the laptop group? Or at least reduce the chattiness?


  • 2.  RE: SEP - Prevent Chattiness to Firewall Due to VPN

    Posted Aug 27, 2010 03:48 PM

    You can configure the computers to take updates from the Internet, instead of SEPM.


    Title: 'How to configure mobile computers to automatically download virus definitions when disconnected from the Symantec Endpoint Protection Management console'
    Document ID: 2008040214442248
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2008040214442248?Open&seg=ent




  • 3.  RE: SEP - Prevent Chattiness to Firewall Due to VPN
    Best Answer

    Posted Aug 27, 2010 04:57 PM
    The only option I could think of is putting those computers in a separate group in SEPM, and setting the communication mode to PULL mode, with a heartbeat interval of 60 minutes.

    http://clientui-kb.symantec.com/kb/index?page=content&id=HOWTO26845&actp=search&viewlocale=en_US&searchid=1282942373846



  • 4.  RE: SEP - Prevent Chattiness to Firewall Due to VPN

    Posted Aug 27, 2010 05:52 PM
    So the basic behavior of SEPM is to continue checking for a client on the last known good IP until the client somehow tells it the IP has changed? Is that what you guys are saying?


  • 5.  RE: SEP - Prevent Chattiness to Firewall Due to VPN

    Posted Aug 27, 2010 06:03 PM
    Some of these computers don't connect to the VPN service very often. SEPM seems to want to contact these computers pretty often once they do connect. The problem is our firewall sees so much traffic from SEPM attempting to connect to laptops that are no longer connected to the system

    Is the issue that the SEPM connects to the laptops too often once they are connected back, or is it that SEPM is trying to connect to laptops even when they are not connected to the network?


  • 6.  RE: SEP - Prevent Chattiness to Firewall Due to VPN

    Posted Aug 27, 2010 06:20 PM
    SEPM continuously solicits the IP addresses of the disconnected VPN devices. So for example, I am looking at a device that hasn't been connected to VPN in a week (or the network for that matter) and I literally have thousands of logs showing SEPM trying to connect to this device. The problem is, it's polluting my logs with unneeded information. It's basically being registered as a malicious hack because of the frequency of failed attempts.
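
The log noise described in post 6, as an added example that is not part of the original thread: a triage script that separates denied connections originating from a known management server (repeated retries to stale VPN addresses) from denies by any other source, so the latter are not buried. The log format, addresses, and the `triage_denies` name are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed log layout (constructed for this example, not a real product format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)

# Constructed sample: 10.0.0.5 plays the SEPM server, 10.8.0.0/24 the VPN pool.
SAMPLE_LOG = """\
2010-08-20T09:00:00 ALLOW src=10.0.0.5 dst=10.8.0.21
2010-08-27T09:00:00 DENY src=10.0.0.5 dst=10.8.0.21
2010-08-27T09:05:00 DENY src=10.0.0.5 dst=10.8.0.21
2010-08-27T09:10:00 DENY src=10.0.0.5 dst=10.8.0.21
2010-08-27T09:10:30 DENY src=10.0.0.5 dst=10.8.0.44
2010-08-27T09:11:00 DENY src=192.0.2.77 dst=10.8.0.21
garbage line that does not parse
"""

def triage_denies(log_text, mgmt_servers, min_hits=3):
    """Split DENY events into management-server retries and everything else."""
    retries = defaultdict(list)  # dst -> timestamps of denies from mgmt servers
    other = defaultdict(int)     # src -> deny count, left for normal review
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "DENY":
            continue  # skip allowed traffic and unparseable lines
        if m["src"] in mgmt_servers:
            retries[m["dst"]].append(datetime.fromisoformat(m["ts"]))
        else:
            other[m["src"]] += 1
    # Only destinations retried at least min_hits times count as stale clients.
    stale = {
        dst: {"hits": len(ts), "first": min(ts), "last": max(ts)}
        for dst, ts in retries.items() if len(ts) >= min_hits
    }
    return stale, dict(other)

if __name__ == "__main__":
    stale, other = triage_denies(SAMPLE_LOG, {"10.0.0.5"})
    for dst, info in sorted(stale.items()):
        print(f"{dst}: {info['hits']} denied attempts, last {info['last']}")
    print("non-management sources still to review:", other)
```
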


  • 7.  RE: SEP - Prevent Chattiness to Firewall Due to VPN

    Posted Aug 27, 2010 06:27 PM
    Oh I see. You can edit the number of days that the SEPM keeps the entry for the clients not connected to 1 day. See below:


  • 8.  RE: SEP - Prevent Chattiness to Firewall Due to VPN

    Posted Aug 30, 2010 09:47 AM
    Let's say that a user has not connected to the vpn system with his laptop in 31 days. On day 31 when the user connects will SEPM no longer send updates to that specific laptop?


  • 9.  RE: SEP - Prevent Chattiness to Firewall Due to VPN

    Posted Aug 30, 2010 09:55 AM
    It will, just that the client, on connecting on the 31st day, would register itself back to SEPM. If you set that setting to 2 days, SEPM will only try to look for that client proactively for 2 days. If the client connects after 2 days, it would re-register itself with SEPM (on its own, an internal process). SEPM would not poll for it after 2 days, trying to see if it is there.


  • 10.  RE: SEP - Prevent Chattiness to Firewall Due to VPN

    Posted Aug 30, 2010 10:14 AM
    This behavior seems different than what I was used to in SAV. I want to make sure I understand the process completely before I make the change:
    1) I change that value to 2 days
    2) Clients that have not been on the network in 2 days get dropped from SEPM
    3) If I look for these clients, they will not show
    4) The clients connect to the network on day 4 (just for argument's sake).
    5) The clients then add themselves back to SEPM.
    6) Everything is back to normal.

    If the above process is correct, what group does the client associate with upon reconnection?


  • 11.  RE: SEP - Prevent Chattiness to Firewall Due to VPN

    Posted Aug 30, 2010 10:17 AM
    This process is correct.

    The clients would associate themselves based on the group name in the sylink.xml file they have on them.


  • 12.  RE: SEP - Prevent Chattiness to Firewall Due to VPN

    Posted Aug 30, 2010 10:40 AM
    Ok, while I admit that sounds like a feasible solution, from a network standpoint that still seems like an inefficient use of the network. For the digital road warrior archetype user, that is, a user that could appear on the network from anywhere, it would seemingly be more efficient to have a client pull oriented process rather than a server push type process. Right now, what you've helped me to identify is the server push process where the server is opportunistic and always tries to initiate the send.

    Is there a way to set up a client pull process for road warrior types where the clients constantly look for the SEPM and want to "pull" data when they can successfully see it, as opposed to what the system is doing now? Your earlier link that seemed to relate to this is broken.

    Edit: I found the document by searching, "HOWTO26845."


  • 13.  RE: SEP - Prevent Chattiness to Firewall Due to VPN

    Posted Aug 30, 2010 10:48 AM

    As I mentioned earlier in my post, you have to configure clients to PULL mode instead of PUSH mode, which is the default communication setting.

    See this link:

    http://www.symantec.com/docs/HOWTO26845



  • 14.  RE: SEP - Prevent Chattiness to Firewall Due to VPN

    Posted Aug 30, 2010 11:03 AM
    Thank you!