Endpoint Protection


SEPM Deployment

  • 1.  SEPM Deployment

    Posted Apr 30, 2009 04:11 PM

    I have a Symantec Endpoint Protection Management Console 11 already running in my main Domain, Active Directory, Server, and it is working fine. I have a branch office in another building next to the main building where we are at.

    I want to make all of the endpoints from this branch office building to communicate with a replicating server of SEP 11 in this building instead of using my main server, for network bandwidth sake.

    How should I achieve this?

    This server in the branch office building already is a Domain Controller and controls the DNS traffic and Active Directory queries from the endpoints in this same building.

    How do I install and configure this server for these endpoints, updates and communication?



  • 2.  RE: SEPM Deployment



  • 3.  RE: SEPM Deployment

    Posted May 01, 2009 11:01 AM
    Hi,

    The links mentioned above are extremely useful. In case you require further information, you can open the CD1 folder from which you install the SEPM, go to the document folder, and you will find the administration_guide.pdf file. This file has detailed information about the features and functions of the endpoint components.


  • 4.  RE: SEPM Deployment

    Posted May 01, 2009 11:15 AM
    Hi,

    You also mentioned that the clients which currently communicate with the main server should communicate with the other SEPM server which you are planning to install. You mentioned that you are doing this to reduce the network choke up.

    Please note that if you are planning to replicate between the two SEPMs for live updates so that the main SEPM server is not taxed, you can go in for another option as well. This is known as the GUP (Group Update Provider). In this scenario a client machine within a group can be detailed to be a Group Update Provider. This ensures that the clients do take the definitions from the SEPM but take it from the designated client. Please check the link below.

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007092720522748


  • 5.  RE: SEPM Deployment

    Posted May 05, 2009 08:28 AM

    Both the links are too useful. With this I have just tested in my test lab. It's working great. I am planning to implement it for all my outside branches across the country.



  • 6.  RE: SEPM Deployment

    Posted May 05, 2009 11:38 AM
    I've done this process already, following the Installation Guide in the Documentation folder in the SEPM install disk.

    I receive an error when the databases are synchronizing:

    "Unable to communicate with the specified server"

    What does this error mean and how should I fix this to finish installing my second site for replication?

    Also, when replication is done, how can I configure the client PCs to communicate only with this second site server and not with my main site server?


  • 7.  RE: SEPM Deployment

    Posted May 05, 2009 12:09 PM


  • 8.  RE: SEPM Deployment

    Posted May 05, 2009 03:33 PM
    The problem when creating the replication was a wrong password for the database in the primary site server. I was entering a wrong password.

    It connected, it took a while to replicate and finish creating the database, and it finished successfully.

    My only concern now is how to tell the client machines to connect, download updates and only look for this replication server (all the client PCs from my branch office which I want to connect and look for this replication server). Also to know how this works.


  • 9.  RE: SEPM Deployment

    Posted May 05, 2009 03:41 PM
    Also, how do they manage updates? Does my replication site connect to the internet and download, like my primary site server does, or does it receive the updates it has to distribute from the primary server site?

    Must I configure the replication server to receive its updates from the primary server site?


  • 10.  RE: SEPM Deployment

    Posted May 05, 2009 03:42 PM
    If your clients are communicating with the primary SEPM, you can edit the management server list for your client group and add the new server as a Priority 1 server and change the existing server to Priority 2. If your clients are not communicating with the primary SEPM, you will have to replace the sylink.xml file on each client with the replicated server's sylink.xml file (assuming you've edited your management server lists to point to the replicated server, you can export the communication settings for the client group and use that sylink.xml file to replace the existing sylink.xml file on each client by using the sylinkdrop tool on CD2 or get the sylinkreplacer utility from tech support).
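
A check to run on an exported sylink.xml before it is pushed to branch clients, added here as an example and not part of the original thread or of Symantec's tooling. It confirms that the branch server is in the first priority block and the main server remains as a fallback. The element and attribute names (`ServerPriorityBlock`, `Server`, `Address`), the host names and the sample file are assumptions; compare them with a real export.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an exported communication settings file. The element
# and attribute names are assumptions; compare with a real export before use.
SAMPLE_SYLINK = """<ServerSettings>
  <CommConf>
    <ServerList Name="Branch office list">
      <ServerPriorityBlock Name="Priority1">
        <Server Address="branch-sepm.example.local" HttpPort="8014"/>
        <Server Address="192.0.2.20" HttpPort="8014"/>
      </ServerPriorityBlock>
      <ServerPriorityBlock Name="Priority2">
        <Server Address="main-sepm.example.local" HttpPort="8014"/>
      </ServerPriorityBlock>
    </ServerList>
  </CommConf>
</ServerSettings>
"""

def server_priorities(xml_text):
    """Return [(rank, address)], ranking blocks in the order the file lists them."""
    root = ET.fromstring(xml_text)
    result = []
    for rank, block in enumerate(root.iter("ServerPriorityBlock"), start=1):
        for server in block.iter("Server"):
            result.append((rank, server.get("Address", "").lower()))
    return result

def check_branch_first(xml_text, branch_addresses, main_addresses):
    """List problems that would keep branch clients talking to the main site."""
    branch = {a.lower() for a in branch_addresses}
    main = {a.lower() for a in main_addresses}
    entries = server_priorities(xml_text)
    if not entries:
        return ["no management servers found in file"]
    problems = []
    top = {addr for rank, addr in entries if rank == 1}
    if not top & branch:
        problems.append("branch server is not in the first priority block")
    if top & main:
        problems.append("main server is still in the first priority block")
    if not any(addr in main for rank, addr in entries if rank > 1):
        problems.append("main server is not listed as a lower-priority fallback")
    return problems

if __name__ == "__main__":
    print(check_branch_first(SAMPLE_SYLINK, ["branch-sepm.example.local"],
                             ["main-sepm.example.local"]) or "OK")
```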


  • 11.  RE: SEPM Deployment

    Posted May 05, 2009 03:48 PM
    Hi,

    Please check the following link:

    http://service1.symantec.com/support/ent-security.nsf/docid/2008111302145548


  • 12.  RE: SEPM Deployment

    Posted May 05, 2009 03:51 PM
    For your question on how to manage updates on the replicated server, it's totally up to you. You can have it get the updates from the primary SEPM or you can have it get updates from Symantec's servers (or even from a Live Update server that you can install). It depends if you want two servers connecting to the internet to get updates or limit it to one server connecting to the internet and internally transferring updates to your replicated server.


  • 13.  RE: SEPM Deployment

    Posted May 06, 2009 01:28 PM
    How do I configure LiveUpdate settings on my Replication Site, additional site, so that it receives updates from my primary site?


  • 14.  RE: SEPM Deployment

    Posted May 06, 2009 03:53 PM
    There's probably an easier way to describe this, but first, ensure your management server list for the group(s) that your replicated server is managing contains the replicated server's name (and IP address) as priority 1 in the management servers section.  Edit the live update policy for the group(s) and ensure under "server settings / Internal or External LU server" has the "use the default management server" option checked only.  Finally, under Admin / Servers, edit the replication partner's properties check "replicate client packages and LiveUpdate content between the local site and this partner site".

    Hopefully a Symantec employee can confirm or deny this as I'm not 100% certain this truly forces the replicated server to get LU updates from the Primary SEPM.  From my past technical support calls, I remember disabling the last option so that the replicated servers would get updates from Symantec to reduce the bandwidth load to my Primary server's data circuit (and also for DR purposes in case my primary server went down).