Endpoint Protection


SEPM and Windows 7


  • 1.  SEPM and Windows 7

    Posted Dec 02, 2010 04:27 PM

    Greetings, we're setting up SEPM (downloaded latest 11.0.6_MP1), we have a small environment of 50-60 computers spread across 4 locations, what I'd like is to not involve a Windows Server, but to just setup SEPM along with Central Quarantine and LiveUpdate server on my Windows 7 64-bit PC, but if I look through the specs I don't see Windows 7 listed for SEPM (but you can run the console from it).  Is this still the case?  I'd like to keep things simple if possible.

    Also I see notes that in WinXP there was a 10 user limit (due to MS networking model), what does this 10 user or connection limit refer to and is it still the case for Win7?  Is this the number of users who can login to SEPM hosted on a WinXP machine, or is this the total number of clients that can be across the whole SEP system?  Why do the end client machines connect to the SEPM?

    I would also have 1 (or more?) GUP at each site to provide updates to the PCs at their local LAN, does this factor into the above at all?

    Thanks in advance

    James



  • 2.  RE: SEPM and Windows 7

    Posted Dec 02, 2010 04:47 PM

    I don't understand why you need a Quarantine server. Unless you have thousands of clients I don't see any use for it.

    You can install SEPM on Windows XP and manage 50-60 clients with some minor tweaks.

    http://www.symantec.com/business/support/index?page=content&id=TECH91694&locale=en_US

    However, you cannot install SEPM on Vista or Win 7.



  • 3.  RE: SEPM and Windows 7



  • 4.  RE: SEPM and Windows 7

    Posted Dec 03, 2010 09:48 AM

    Sorry but my understanding of the quarantine server was that it collected samples of possible viruses collected in my environment and submits them to Symantec for their analysis, was just trying to be a good citizen.  Do I need QS in order to do this?

    Drag about Win 7 (don't care about Vista - it died a slow horrible death here and I have NO machines setup with it anymore...), are there any plans to have SEPM supported on Win 7?  Obviously now XP machines are going to finally start phasing out based on what I'm reading.  I can setup a temporary XP machine to do the SEPM part, but I'd rather this not be the long term solution.

    Note that I currently have SAV CE with the primary server being my old Win XP PRO machine, my plan was to leave that running as is to maintain the SAV CE network until they're all migrated.  Is it possible or even recommended to run the SEPM on the same Win XP PRO machine that's hosting the primary server (and has SSC installed) under SAV CE?

    Thanks

    James



  • 5.  RE: SEPM and Windows 7

    Posted Dec 03, 2010 09:49 AM

    Thanks, that's a good piece of info.

    Cheers

    James



  • 6.  RE: SEPM and Windows 7

    Posted Dec 03, 2010 09:57 AM

    To my knowledge, SEPM will not install on Windows 7! And for a good reason, as Windows 7 is a client, not server, operating system, including IIS limits.



  • 7.  RE: SEPM and Windows 7

    Posted Dec 03, 2010 10:15 AM

    It is supported on Windows XP for a small environment (up to 100 clients), so it would make sense to me that they should allow the exact same product (SEPM) to run on the newer version of Windows XP which is now Windows 7, so as to not unnecessarily burden a small shop with having another Windows server or additional (possibly unsupportable) burden on existing Windows servers.

    What is Symantec's roadmap on this?  Are they working on supporting Windows 7 as the SEPM host, just like they support Windows XP for the SEPM host currently?

    Cheers

    James



  • 8.  RE: SEPM and Windows 7

    Posted Dec 03, 2010 10:28 AM

    I am not sure about this but I would not count on it. I can understand the logic though as, if you need to install a management SERVER, you should use a SERVER machine :-) For small environments you can use unmanaged clients.



  • 9.  RE: SEPM and Windows 7

    Posted Dec 03, 2010 10:44 AM

    OK, well I'll start off with a Win XP PRO machine as the SEPM host (depending on the response I get to my reply to "Vikram Kumar-SAV to SEP").

    It's not practical that an environment with 50 users require unmanaged clients, and I shouldn't need a server class computer to run a simple management console and small database.  I realize the word server is in the function of SEPM, but there's lots of server functions that don't require a server class computer to run on - for instance a VNC server runs on standard machines, small databases such as used by Simply Accounting host the server function on a workstation machine, etc... and of course Symantec's own SAV CE's primary server runs on standard workstations as does SEPM itself on XP - the server function is just a function, it's your load and capacity that should dictate whether we need a server class machine.

    My 2 cents

    James



  • 10.  RE: SEPM and Windows 7

    Posted Dec 03, 2010 10:51 AM

    I agree with you to a certain point although IIS limitation does not make Windows XP a great management server. It might be an idea to add support for SEPM to Windows 7 which can be submitted to Ideas forum: https://www-secure.symantec.com/connect/security/ideas



  • 11.  RE: SEPM and Windows 7

    Posted Dec 03, 2010 11:48 AM

    Sounds reasonable, thanks for the link (didn't know about that one...).  I've added the idea, it says it's just awaiting administrator approval which I presume is needed before it's visible to everyone else.

    Cheers

    James



  • 12.  RE: SEPM and Windows 7

    Posted Dec 03, 2010 11:54 AM

    SEPM is more of a Server software, so it would be better to have it on a server OS.

    However, you can have it on XP for now; later you can move it to a Server OS, as that will have no limitation.



  • 13.  RE: SEPM and Windows 7

    Posted Dec 04, 2010 04:38 PM

    Later people will be able to vote for this idea and eventually it might be taken into consideration by devs :-)

    Have a good weekend!



  • 14.  RE: SEPM and Windows 7

    Posted Dec 04, 2010 08:26 PM

    I will NOT buy a Server to run SEPM for 100 users or less ..

    SEPM will run on XP.. yes that is right WILL RUN on XP but WILL NOT run on Windows 7... Tell me how that makes sense .. please ..

    I have really liked the software up to this point.. and I really like Windows XP .. but its days are numbered.. and yes if Symantec does not get its act together with EndPoint, the same I believe will occur. Symantec you can not tell me that you can't make it run on Windows 7..

    I am having more and more moving to Vipre Enterprise .. It so far does everything, with a lot less Cost and Bloat .. oh and yes it does run on Windows 7..



  • 15.  RE: SEPM and Windows 7

    Posted Dec 06, 2010 10:12 AM

    Yes SEPM definitely will have to run on Windows 7 or the smaller shops will have to drop SEP at some point in the next 1-2 years, hopefully Symantec fixes this.

    I created an "idea" at https://www-secure.symantec.com/connect/idea/windows-7-support-sepm-hosting for them to add this missing functionality, I assume the more people agree with it the better so perhaps you can go there and vote/agree with it?  This may help.

    Cheers

    James



  • 16.  RE: SEPM and Windows 7

    Posted Dec 06, 2010 10:16 AM

    Since I support SEP, I cannot really agree as many people will get burdened with limited connections in IIS...



  • 17.  RE: SEPM and Windows 7

    Posted Dec 06, 2010 10:19 AM

    I am sure in future releases, SEPM will support Win 7 as well, but adding this to the Idea section is a good option.



  • 18.  RE: SEPM and Windows 7

    Posted Dec 06, 2010 10:42 AM

    You'll have to forgive my ignorance as I'm fairly new at this SEP game (but been doing SAV for about a decade), when you say there will be a limit to connections in IIS, is this for the number of people who need access to the management interface (in SAV CE talk this would be SSC)?  If so, does this matter if you're only going to have 1 or 2 maximum actual management going to the SEPM console to do anything with it?

    Or is this going to impact on the users who are just running the SEP client (but not opening the client or doing anything with it, it's just running on their computers to protect them)?

    Or does this affect group update providers who are receiving/fetching updates from the SEPM machine to update the SEP clients running under them (in my case their geographical location)?

    Cheers

    James



  • 19.  RE: SEPM and Windows 7

    Posted Dec 06, 2010 10:48 AM

    The limit applies to open connections to the web server - IIS. SEP clients work by default in Push mode - that means that they remain in contact with SEPM server (using IIS) at all times and can get definitions, policies, etc. as soon as there is a change on the server. That means that only 10 clients (9 actually, as you need to connect to IIS when opening the console as well) can be connected to SEPM.

    Of course they can connect in Pull mode - they will connect to SEPM every now and then (heartbeat period) and check for new stuff. If you have many clients you will need to change mode to pull and play with heartbeat interval, randomization time, retry, etc. in order not to let all the clients connect at the same time and still you will not be sure that there won't be any "traffic jams". All in all your clients will get updates with delay.

    Mind that it is not Symantec's limitation!
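
A rough model of the pull-mode "traffic jam" described in the post above, added here as an example; it is not part of the original thread and not Symantec code. It assumes each check-in holds one IIS connection for a fixed time (`hold_s`, a constructed value), that a refused client simply retries later, and that one of the 10 connections is taken by the console.

```python
import random

IIS_CAP = 10          # connection limit quoted in the thread
CONSOLE_SLOTS = 1     # the thread notes the console uses one connection

def simulate_cycle(clients, window_s, hold_s, seed=1):
    """Simulate one pull-mode heartbeat cycle.

    Each client checks in at a random offset inside the randomization
    window and holds its connection for hold_s seconds (assumed value).
    Returns (peak_open_connections, refused_check_ins).
    """
    rng = random.Random(seed)
    cap = IIS_CAP - CONSOLE_SLOTS
    arrivals = sorted(rng.uniform(0, window_s) for _ in range(clients))
    open_until = []   # end times of connections currently accepted
    peak = refused = 0
    for t in arrivals:
        open_until = [end for end in open_until if end > t]
        if len(open_until) >= cap:
            refused += 1          # client must retry later
            continue
        open_until.append(t + hold_s)
        peak = max(peak, len(open_until))
    return peak, refused

def smallest_safe_window(clients, hold_s, candidates, trials=20):
    """Smallest candidate window with no refusals in any trial, else None."""
    for window_s in sorted(candidates):
        runs = (simulate_cycle(clients, window_s, hold_s, seed=s)
                for s in range(trials))
        if all(refused == 0 for _, refused in runs):
            return window_s
    return None

if __name__ == "__main__":
    # Constructed scenario: 60 clients, 2 s per check-in (assumption).
    for window in (0, 5, 60, 300):
        print(window, simulate_cycle(60, window, 2.0))
    print("safe window:", smallest_safe_window(60, 2.0, [0, 5, 60, 300]))
```

With no randomization every client beyond the nine free slots is refused in the same instant; widening the window trades that contention for slower delivery of updates, which is the delay the post mentions.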



  • 20.  RE: SEPM and Windows 7

    Posted Dec 06, 2010 11:10 AM

    Ah, thanks for clearing that up for me.

    But if I'm using GUPs, don't the clients get their updates from the GUPs?  Why would they be contacting the SEPM machine via IIS directly?

    And on that, do the clients contact the GUPs for their updates via IIS as well?

    In my satellite offices currently with SAV CE, I have a secondary server set up and all SAV clients report to it (for log updates and so on) and get virus def updates from the secondary server.  This reduces WAN load, reduces load on other Internet activity (we use VPNs), speeds up how fast they're updated, etc.  Only the secondary servers report to the primary server (except I think for virus alerts which may go directly...).  How is this different in SEP with GUPs?

    Thanks for all your help

    James



  • 21.  RE: SEPM and Windows 7

    Posted Dec 06, 2010 11:18 AM

    If you have a GUP, the client will contact the local GUP for definition updates; for policy updates etc. it will contact SEPM via IIS.

    Clients used to upload their logs to the secondary server; here the client will not send logs to the GUP, it will send them directly to the primary server.

    In PUSH mode the client will also keep a constant connection with SEPM.



  • 22.  RE: SEPM and Windows 7

    Posted Dec 06, 2010 11:22 AM

    True, even with GUP clients will remain in contact with SEPM.



  • 23.  RE: SEPM and Windows 7

    Posted Dec 06, 2010 12:05 PM

    OK so the limitation is purely at the SEPM host due to IIS and Windows XP, the GUPs do not have the same limit (so for instance a GUP can have 25 clients or more under them with no issues).

    Obviously I have some playing to do, I have no choice really but to start with Win XP running SEPM and tweak it according to the recommendations, and hope that by the time I have to move off of my last Win XP machine that Symantec has support for Windows 7 in this role.

    One last question for now, the limitation with SEPM on Win XP and IIS and its 10 connections, is not because the SEP clients are going to try to connect to SEPM via a Windows file share/SMB connection, if I understand correctly the SEP clients are going to do a pure IP connection to the IIS running on the Win XP/SEPM machine.  Is this right?  If so then I don't have routing worries for other LANs as long as they can connect via IP.  Is this right?

    Cheers

    James



  • 24.  RE: SEPM and Windows 7

    Posted Dec 06, 2010 12:12 PM

    SEPM is installed on and it installs its website on IIS and it distributes defs from its website.

    It does not use SMB etc.; it only uses IIS on port 8014 (default).

    Even without a GUP, with a minor tweak as per the document I have given above, you can support 50-60 clients; however, I have seen more than 100 clients working with that setting.