
SEPM Server is connecting to all clients on the network

Created: 11 Sep 2012 • Updated: 17 Sep 2012 | 13 comments
This issue has been solved. See solution.

I have a structure of several sites across the USA and Canada. I have GUPs set up for every site so that the definitions can be distributed locally, but when I did a NETSTAT on the SEPM server, it was showing it was connecting to all clients on the network. How can I rectify this?

 

Windows environment, 2003/2008 server

Windows 7 and XP on the Client ends


The Conquistador's picture

I want the PCs to get the updates from the local GUP and ONLY the GUP. I DO NOT want them reaching out to the SEPM server. Right now, BOTH appear to be happening. As I am looking at the netstat, more and more PCs appear to be connected. I want these connections broken and isolated ONLY to the GUP for updates.

It is even connected to some servers that do not even have SEP installed.

.Brian's picture

On what port?

The clients will still check in with the SEPM to upload logs and get policy.

In the LU policy for GUPs, select the radio button for "Never" under "Maximum time that clients try to download updates from a GUP before trying the default management server".

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

.Brian's picture

And you confirmed clients were receiving def updates as opposed to uploading logs?


The Conquistador's picture

The updates are current... I see the defs, which are from today...

I am not sure what you mean about uploading logs.

.Brian's picture

The client activity logs will be uploaded to the SEPM on 8014 as well. There is always going to be activity between client and SEPM.


sandra.g's picture

The clients can still properly be getting updates from GUPs and still need to connect to the SEPM during the heartbeat. They will send back log information to the SEPM at that time. GUPs do not handle that kind of data.

sandra

Symantec, Information Developer
Installation, Migration, Deployment and Patching
User Protection & Productivity, Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best help

.Brian's picture

Run a Wireshark capture on your SEPM.

Set the following filter to check for full.zip downloads:

(frame matches "(?i)full.zip" ) && (tcp.srcport == 8014)

Set the following filter to check for deltas (.dax):

frame matches "\.[Dd][Aa][Xx]" && tcp.port==8014

Either of these will indicate the client is getting updates from the SEPM. If you don't see packets for these filters, it is likely just the client sending back logs.


SOLUTION
Cameron_W's picture

As others have stated, the clients will still continue to connect to the SEPM to send back logs, even though they are downloading content from their respective GUPs.

Now, if you are seeing a very large number of active 8014 connections, then you are most likely in PUSH communication config. Changing to PULL mode in Clients -> Policies -> Communication Settings will have the clients fully disconnect until their next heartbeat. Below is documentation on the heartbeat process.

http://www.symantec.com/docs/TECH191617

 

 

If I was able to help resolve your issue please mark my post as solution.
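One way to read the NETSTAT output this thread is about, as an added example that is not from any poster: it separates sessions on the SEPM's port 8014 (the count Cameron_W's answer ties to push mode) from sessions on other ports, which is where hosts without SEP installed would show up. The sample output, its addresses and the function names are constructed for illustration.

```python
from collections import Counter, defaultdict

SEPM_PORT = "8014"  # client-to-SEPM port named in the thread

# Constructed `netstat -ano` output from a SEPM server; all addresses are made up.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8014           0.0.0.0:0              LISTENING       1432
  TCP    10.0.0.5:8014          10.1.20.31:49211       ESTABLISHED     1432
  TCP    10.0.0.5:8014          10.1.20.32:50312       ESTABLISHED     1432
  TCP    10.0.0.5:8014          10.2.30.7:51122        TIME_WAIT       0
  TCP    10.0.0.5:8014          10.1.20.31:49250       ESTABLISHED     1432
  TCP    10.0.0.5:445           10.3.40.9:52001        ESTABLISHED     4
  TCP    10.0.0.5:52110         10.3.40.10:135         ESTABLISHED     880
  TCP    [::1]:8014             [::1]:50000            ESTABLISHED     1432
  UDP    0.0.0.0:123            *:*                                    1010
"""


def split_endpoint(endpoint):
    """Split 'host:port', including bracketed IPv6 such as [::1]:8014."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def summarize(netstat_text, port=SEPM_PORT):
    """Separate sessions on the SEPM port from all other TCP sessions."""
    states = Counter()         # TCP state -> count, SEPM port only
    clients = Counter()        # remote host -> ESTABLISHED sessions on SEPM port
    other = defaultdict(set)   # remote host -> {(local port, remote port)}
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip headers, UDP rows and the listening socket itself.
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] == "LISTENING":
            continue
        _, lport = split_endpoint(fields[1])
        rhost, rport = split_endpoint(fields[2])
        if lport == port:
            states[fields[3]] += 1
            if fields[3] == "ESTABLISHED":
                clients[rhost] += 1
        else:
            other[rhost].add((lport, rport))
    return {"states": dict(states), "clients": dict(clients), "other": dict(other)}


if __name__ == "__main__":
    for section, values in summarize(SAMPLE).items():
        print(section, values)
```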

cus000's picture

Try the method suggested by Brian.

 

You may also run debug mode and check the debug.log for more details.