Endpoint Protection

I have a structure of several sites across the USA and Canada, I have GUP's set up for every site so that the definitions can be distributed locally, but when I did a NETSTAT on the SEPM server, it was showing it was connecting to all clients on the netork, how can I rectify this?

Windows environment, 2003/2008 server

Windows 7 and XP on the Client ends

I want the PC's to get the updates from the local GUP and ONLY the GUP, I DO NOT want it reaching out to the SEPM server, right now, BOTH appear to be happening. As I am looking at the netstat, more and more pc's appear to be connected. I want these connections broken and isolated ONLY to the GUP for updates.

It is even connected to some servers that do not even have SEP installed.

On what port?

The clients will still check in with the SEPM to upload logs and get policy.

In the LU policy for GUPs, select the radio button for Never under Maximum time that clients try to download updates from a GUP before trying the default management server

Port 8014

100% are on port 8014

And you confirmed clients were receiving def updates as opposed to uploading logs?

The updates are current....I see the defs which are from today....

I am not sure what you mean about uploading logs

The client activity logs will be uploaded to the SEPM on 8014 as well. There is always going to be activity between client and SEPM.

The clients can still properly be getting updates from GUPs and still need to connect to the SEPM during the heartbeat. They will send back log information to the SEPM at that time. GUPs do not handle that kind of data.

sandra

Run a wireshark capture on your SEPM.

Set the following filter to check for full.zip downloads:

(frame matches "(?i)full.zip" ) && (tcp.srcport == 8014)

Set the following filter to check for deltas (.dax)

frame matches "\.[Dd][Aa][Xx]" && tcp.port==8014

Either of these will indicate the client is getting updates from the SEPM. If you don't see packets for these filters, it is likely just the client sending back logs.

As others have stated the clients will still continue to connect to the SEPM to send back logs, even though they are downloading content from its respective GUP.

Now if you are seeing a very large number of active 8014 connections then you are most likely in PUSH communication config. Changing to PULL mode in Clients->Policies->Communication Settings will have the clients fully disconnect until its next heartbeat. Below is documentation on the heartbeat process.

http://www.symantec.com/docs/TECH191617

It appears as if the spikes are around 2PM EST, not sure if that helps.

any scheduled task/activity?

replication/liveupdate?

Try method as suggested by Brian.

You may also run debug mode and check the debug.log for more details.