Video Screencast Help

SEPM 12.0 Bandwidth Throttling

Created: 15 Jul 2011 | 11 comments

Is it possible to limit bandwidth available to SEPM 12.0 like was done in SEP11 using IIS?

Comments 11 CommentsJump to latest comment

Beppe's picture


in SEP 11 it was not possible to limit the bandwidth. It was possible to do it in IIS which is used by SEP 11. SEP 11 sets IIS according to its requirements, any customization of non-Symantec component is up to you.

In SEP 12, IIS has been replaced by Apache brought with SEP 12 installation, you can set bandwidth throttling in Apache through configuration files but these activities are not supported hence, no official procedure from Symantec about it.



Paul Murgatroyd's picture

so, the honest answer is that yes, it will be possible.

Do we have the details today?  No, we don't.

It will require the addition of modules into Apache and then some configuration.

We are working on getting this documented, but it may take some time.

Out of interest, how were you configuring throttling in IIS before? (By connections or by bandwidth?)

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed:

BadAndy's picture

How soon before you'll have documentation on bandwidth throttling in Apache? There are two things in our company that kill bandwidth: Microsoft updates and Symantec updates. MS can be controlled using BITS but Symantec always seems to be the problem child when a new version is pushed out. 

I used bandwidth throttling in IIS for version 11. Limiting the connections wouldn't have accomplished anything for us.

Is it not possible to have bandwidth control in the SEPM console? I've wondered why that was never included since we switched to version 11 all those years ago. And not just for updates but a general control over bandwidth to say SEPM will only allow X amount of B/KB/MB out for updates, install packages etc....

Paul Murgatroyd's picture

No definite timescales, but it will take a little while.

We need to work out the best way to do it, and which modules to use to do so, then to fully document and QA it then deal with any issues that result - thats not a small task.

Bandwdith control built in is certainly something we can look at - there are also third party utilities that can be used to throttle traffic on certain ports, etc. 

Is your problem coming from product updates or definition updates?  If definition updates, are you using GUP's or not?

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed:

BadAndy's picture

I'm not sure if it's definition updates or product updates because I haven't seen anything in the SEPM console to show what each machine is pulling from the server.

We don't use GUPs because in quite a few sites we have multiple subnets and the servers are all on one subnet. We won't mark regular desktops as GUPs because they can end up being shut off or replaced without any notice. I do have LUA installed on all sites file servers with the appropriate LU policies applied to the groups. Locations under the main group are set up for machines that have x.x.x.x gateway address.

Since upgrading to SEP 12 (with the clients still at 11.0.6300), there are a lot of clients pulling something from the SEPM server and we have no way of knowing exactly what it is they're getting. I checked some of the machines that were pulling down 20KB-40KB per second and their definitions were only 1-2 days old.

StandAround's picture

I've been playing around with this,

 I have one or two sites where we only have 15 to 20 kb/s free before the line is overutilized, I'm still contemplating what else and how else I can control the traffic, maybe virtual sites that map to the same content, and different rate limits to the virtuals, that way I can accomodate different link speed

#Limit every user to a max of 20kb/s.

BandwidthModule On
ForceBandWidthModule On
Bandwidth all 20000
MinBandwidth all -1
LargeFileLimit .zip 2048 20000
MaxConnection all 2000
#ErrorDocument 510 /errors/maxconexceeded.html
#BandWidthError 510

<location /modbw>
 SetHandler modbw-handler

I think I'm going to want a GUP for my local LAN.

thomas_m's picture

I've done some testing with this module and was unable to get anything close to accurate on a 2003 server. Basically restricting bandwidth to 2MB/s actually restricted it to around 500KB/s. Have you been able to get it more accurate than that?

Symantec Technical Support Engineer, SEP, SAV for Linux<

Paul Murgatroyd's picture

Thats exactly the reason it will take us a little time to design, engineer and fully test a solution.

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed:

Aeropars's picture

I hope Symantec do look at this as a major downfall of their product. We have a large number of small sites (between 1 and 5 clients) where defining a gup is not practicle.

A good feature would be for the SEP client to look on its local subnet for another client with the latest definitions and to pull it form there before contacting the SEPM. Landesk use this technology to great effect.

BadAndy's picture

We took care of this by limiting traffic of port 8014 on the switch that the SEPM resides on. We shouldn't have to do it that way though when it could have been built into the management console during the what, 1 1/2 year long beta?

brett.simpson-123's picture

I gave this a try implementing the module. After about 4 days I had reports of PCs unable to get deltas from their GUPs. Basically I did the same thing except I made a 20 connection limit for the actual zip files so I could prevent to many GUPs from downloading zips at once. I think this inadvertently caused the GUP to not tell the manager that the delta was available so the PCs thought the delta wasn't available yet (if I understand how GUPs work). As soon as I removed the module the PCs updated.

I ended up not using the module and instead setup a second manager and told my GUPs to use it instead. If I could I would give it another try as I think the limit is what nailed me.

Keep in mind I have a 512KBps limit to work within for everything.

This is what I used which allows for layered bandwidth levels. If you decide to use this I would recommend not using "MaxConnection all X" option.

BandwidthModule On
ForceBandWidthModule On
Bandwidth all 112000

<Directory "../InetPub/content">

# MOD_BW Bandwidth Limiting
# 400KBps global limit for everything
# 20KBps limit per .zip download for file sizes of 1 byte
# Maximum connections set to 20.
    BandwidthModule On
    ForceBandWidthModule On
    Bandwidth all 50000

 <Files *.zip>
 BandwidthModule On
 ForceBandWidthModule On
 Bandwidth all 350000
 LargeFileLimit .zip 1 20000

    AllowOverride all

    Options none

    #Order allow,deny

    #Allow from all