Endpoint Protection


SEPM / GUP / LUA advice please

  • 1.  SEPM / GUP / LUA advice please

    Posted Jul 07, 2009 10:42 AM
    Hi,

    Our company has around 4000 clients, spread across 40 remote sites with slow WAN links. Our central data centre holds the only SEPM installation and clustered SQL db. No site has more than 1000 clients and there are no clients at our central data centre.

    Everything is running v11 mr4 and fully updated.

    All internet traffic has to route through our central data centre, so there isn't a bandwidth saving in getting any kind of updates directly from the internet at remote sites.

    From what I've read I think the best bet in our scenario is to leave the only SEPM/SQL installation at our data centre and use GUPs on local servers at each remote site - this will efficiently provide the definition updates.

    My question is what's the best way to go about client updates? Obviously we don't want large client updates going over the WAN for each client...

    Would local LUA distribution centres (on the same local servers as the GUPs) be able pull down a single copy of a new client from either the central SEPM or the internet and push it out to local clients?

    Or should we just look at deploying client updates outside of the Symantec suite using our package deployment software?

    Or does anyone else have any other recommendations?

    Any advice would be much appreciated!

    Thanks,
    turnipfarmer


  • 2.  RE: SEPM / GUP / LUA advice please

    Posted Jul 07, 2009 10:59 AM
    You have the right approach.

    1) Use GUPs at every site for the clients to get updated from there and not get to SEPM for that.

    2) Also, if you have this server dedicated to Symantec work, then it is recommended to install LUA on it to save bandwidth if the mobile users launch luall.exe.

    3) According to your topology, you can publish the updates from the LUA to the other servers from where the clients can fetch it for that group.

    4) Designing the policies can be time-consuming and will obviously require complete network link details.


  • 3.  RE: SEPM / GUP / LUA advice please

    Posted Jul 07, 2009 11:01 AM

    If you have file servers at each site, push SEP by Group Policy. It's supported but not well documented by Symantec. This may help:

    https://www-secure.symantec.com/connect/articles/creating-transform-mst-file-control-installation-symantec-endpoint-protection
     



  • 4.  RE: SEPM / GUP / LUA advice please

    Posted Jul 07, 2009 11:14 AM
    If you are talking about upgrading the clients from their existing version to the latest version, then a local deployment in the sites is always recommended.


    I would recommend to export install packages from SEPM and deploy them locally in each site. You mentioned your packaging software for deploying the packages...if it is able to deploy executables then you can use the single exe feature while exporting the packages.

    If MSI packages are supported then you can uncheck the single exe box while exporting the packages.

    Cheers,
    Aniket







  • 5.  RE: SEPM / GUP / LUA advice please

    Posted Jul 07, 2009 11:33 AM
    Hi,

    here are some important best practices:
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009012721190648

    Regards,




  • 6.  RE: SEPM / GUP / LUA advice please

    Posted Jul 07, 2009 12:02 PM
    Hi,

    Thanks for all the good advice!

    I've read the best practices thing too, that was really good!

    Just a couple more questions about LUA if you don't mind, does this setup make sense?
    -Install both GUP and LUA on a single dedicated server at each site
    -Configure both GUP and LUA to pull updates from the central SEPM (ie GUP for definitions and LUA for client updates like SEP mr5 if it came out)
    -Configure necessary policies (including network location awareness etc) for clients to pick up definitions from local GUP and client updates from local LUA

    Or do I need a central LUA as well as central SEPM?

    Or am I misunderstanding the capabilities of a LUA completely? :/

    In which case I need to export the package then deploy it separately (would prefer not to if I can just use LUA!)?

    Thanks again :-)







  • 7.  RE: SEPM / GUP / LUA advice please

    Posted Jul 07, 2009 01:29 PM
    I think LUA part you have got it wrong.

    LUA cannot retrieve updates from SEPM
    SEPM can download updates from LUA
    GUP can only download updates from SEPM
    LUA can only download updates from Internet or another LUA
     


  • 8.  RE: SEPM / GUP / LUA advice please

    Posted Jul 08, 2009 12:45 AM
    Vikram's analysis is correct. You'll need a SEPM at each site, and some extra mouse clicks by an admin, in order to deploy updates locally.

    Or an ordinary domain-member Windows file server and domain-member Windows clients. In which case, Group Policy, or, likely, your deployment software, are valid deployment options. And if you have anywhere from 10 to 1000 clients on your remote sites, I'm betting you can use either.

    In which case, have a look at this article if you want to use GPO:

    https://www-secure.symantec.com/connect/articles/creating-transform-mst-file-control-installation-symantec-endpoint-protection

    and after Symantec approves it, this article, for ANY install method:

    https://www-secure.symantec.com/connect/articles/startup-scripts-and-sylinkdrop-better-together

    HTH


  • 9.  RE: SEPM / GUP / LUA advice please

    Posted Jul 08, 2009 01:39 AM
    More or less you have the concept clear .....

    1) GUP and LUA on the same server.
    2) GUP taking defs from SEPM and LUA taking it from the internet or another LUA where the SEPM is.
    3) GUP doesn't give policy updates, just the defs. The clients get the policy updates from SEPM.


  • 10.  RE: SEPM / GUP / LUA advice please

    Posted Jul 08, 2009 01:47 AM
    Sandeep (et al), the OP was asking about SOFTWARE updates, not DEFINITION updates, across multiple sites linked by low bandwidth connectivity. To my knowledge, neither SEPM nor LUA offers a solution for that.

    The OP will have to rely on the "package deployment software" he currently uses, assuming it's optimized for multiple sites, or some other supported technology, like Group Policy.

    Sandeep (et al): Agreed?


  • 11.  RE: SEPM / GUP / LUA advice please
    Best Answer

    Posted Jul 08, 2009 02:21 AM
    Using Clientremote.exe (Migration and deployment wizard located in CD2) in each location or using 3rd party deployment will be the best solution in your environment.
    Configuring LUA in all 40 locations just for Client updates will be more tedious and will require too much administration.


  • 12.  RE: SEPM / GUP / LUA advice please

    Posted Jul 08, 2009 04:33 AM
    @Jeff... Yeah, that's out of scope of SEPM and GPO can help here.


  • 13.  RE: SEPM / GUP / LUA advice please

    Posted Jul 08, 2009 04:49 AM
    Cheers guys, that's cleared it up for me. Much appreciated :-)

    Think we'll go with just GUPs in each site, SEPM in the centre and 3rd package deployment solution for software updates.

    Just hope the client > SEPM traffic for logs/policy updates is minimal!


  • 14.  RE: SEPM / GUP / LUA advice please

    Posted Jul 08, 2009 09:17 AM
    The policy updates are in KBs...So more or less negligible.
    There will be a little spike in between when the GUP will download the definition from SEPM ..but I think that should be fine... 


  • 15.  RE: SEPM / GUP / LUA advice please

    Posted Aug 05, 2009 12:14 AM
    Hi,

    I have a similar query: I have a central SEPM site with two management servers and SQL clustered DB. I have 10-15 remote locations with around 500 clients each. The central management servers have connection to internet through a proxy and will download signatures via internet. My queries are as below -

    1) Do I need to set up remote SEPM sites for these locations? Or do I stick to one central site? We were thinking of having an additional management server at each site which connects to the central database. Each location will have a defined management server list which will restrict communication to only local management servers. Is this a good idea?

    2) If the above stands good, how do the signature updates work? Once they are downloaded to the central management server, are they automatically distributed to each management server in the remote location?

    Any other thoughts would help.

    Thanks,
    Ravi




  • 16.  RE: SEPM / GUP / LUA advice please

    Posted Aug 05, 2009 03:15 AM