
Symantec Endpoint 12.X

Created: 31 Oct 2012 • Updated: 05 Dec 2012 | 23 comments
This issue has been solved. See solution.

We have 1200 remote sites with 7 computers per site, and each site will contact our corporate office only. Remote sites won't contact each other. Also, the number of remote sites will keep growing (90 new remote sites per year). Each site has its own domain, and all are in different forests.

Bandwidth per site will be 128KBps

Now we plan to roll out SEP 12.1 for all the remote sites.

Our major concern is virus definition updates. For us there is no need for daily updates; a weekly definition update is more than enough.

I have the queries below:

    • Can we go for managed computers or unmanaged computers? (We do have Altiris 7.1 for endpoint management.)
    • I plan to use GUP, but I have no idea what the upper limit for multiple GUPs would be.
    • If there is no upper limit on GUPs, can we go for virus definition updates from SEPM or LiveUpdate Administrator?


Ashish-Sharma's picture

Hi,

Can we go for managed computers or unmanaged computers? (We do have Altiris 7.1 for endpoint management.)

https://www-secure.symantec.com/connect/articles/unmanaged-detector-sep-121

Best Practices with Symantec Endpoint Protection (SEP) Group Update Providers http://www.symantec.com/docs/TECH93813

Group Update Provider(GUP): Sizing and Scaling Guidelines

http://www.symantec.com/business/support/index?pag...

 GUP Videos

https://www-secure.symantec.com/connect/videos/gro...

https://www-secure.symantec.com/connect/videos/gro...

Thanks In Advance

Ashish Sharma

 

 

pete_4u2002's picture
  • Can we go for managed computers or unmanaged computers? (We do have Altiris 7.1 for endpoint management.)

Managed is the way to go; the reason is that the policy and other information of clients can be obtained if the clients are managed.

  • I plan to use GUP, but I have no idea what the upper limit for multiple GUPs would be.

What is the number you thought of? Why not have different LU policies and have a GUP configured and assigned for the group?

  • If there is no upper limit on GUPs, can we go for virus definition updates from SEPM or LiveUpdate Administrator?

It is better to use GUP; it will save bandwidth. Installing LUA at remote sites might be resource-consuming.

TORB's picture

If you already use Altiris, use your site server as GUP. You can create a rule that automatically sets all servers that function as site servers as GUP, based on the registry key for the task server plugin.

 

Torb

Syed saied's picture

Hi,

First you will create a location-wise group.

Then create a GUP for each location and apply the policy for the related group.

 

Regards,

Syed Saied

 

Thanks In Advance...

Syed Saied

If the suggestion has helped to solve your problem, please mark the post as a solution

ba_vivek's picture

Hi Syed,

If I'm downloading the update from LiveUpdate Administrator, can we use GUP?

Because for GUP it's mentioned:

"GUP is client computer that downloads content from the SEPM"

EssKay's picture

I am guessing you have the LUA for Altiris and other Symantec products?

The GUP is required to get its content from SEPM. The reason is that the SEPM determines the required deltas to generate for the endpoints, which the GUP serves up. What you could do is have your SEPM leverage the LUA in the environment to get the source content updates from which it determines the deltas. In that way it will not have to go out to Symantec for content updates, which saves some bandwidth.

Regards,

Dean

Riya31's picture

Hi,

 

First, I would like to suggest that you install managed clients so that you can centrally manage the clients.

Use a single LiveUpdate policy, add all the GUPs (one per subnet) to the policy with the help of multiple GUP, and assign the policy to all groups.

 

ba_vivek's picture

 

I would like to thank everyone for sharing your ideas.

After reading all the comments, I have come to the decision below.

I got the idea to create five groups in SEPM for 8400 endpoints, with one system per site as GUP (2400 systems will act as GUP for their subnet).

So only 2400 systems contact SEPM for the definition update.

Per day, (2400/5) 480 systems contact SEPM for the virus definitions; through this we are able to achieve the weekly definition update.

But where can we set the virus update to download at a particular day/time?

Ian_C.'s picture

But where can we set the virus update to download at a particular day/time?

Exactly. Scrap the GUP idea completely. You just don't have the level of control that you are looking for.

Instead, enable 3rd Party updates and use your Altiris infrastructure to deliver the updates. Here are the first few articles when searching for 3rd party content

The other option to be specific about day/time is to point all clients & the SEPM at a central LiveUpdate server using a schedule. Unfortunately, this won't scale well with 90 clients trying to download the full 120+MB of updates across a 128K line.

Please mark the post that best solves your problem as the answer to this thread.
Ashish-Sharma's picture

Hi,

Symantec Endpoint Protection Manager - LiveUpdate - Policies explained

http://www.symantec.com/business/support/index?page=content&id=TECH104435

How to configure LiveUpdate to use alternate sources through the Symantec Endpoint Protection Manager Console

http://www.symantec.com/business/support/index?page=content&id=TECH103706

Thanks In Advance

Ashish Sharma

 

 

pete_4u2002's picture

You cannot set it to download at a specified time.

Syed saied's picture

Yes, you can set the download time in the Advanced tab.

 

Thanks In Advance...

Syed Saied

If the suggestion has helped to solve your problem, please mark the post as a solution

ba_vivek's picture

Hi Syed,

I couldn't find the setting to schedule the download from SEPM at a particular time.

In advance time there is an option only to download from LiveUpdate Administrator.

Rafeeq's picture

If you are managing all the clients from one single console

then at each site make a single GUP to get the definitions from SEPM.

GUP can take defs only from SEPM. It's a lot better than allowing clients to take them from the internet.

ba_vivek's picture

I do prefer to go with SEPM for downloading the definitions, but I'm worrying about how to set the client to get the definitions at a specific time.

It would be really helpful if anyone could help identify where to set the client to get definitions at a specific time from SEPM.

 

ba_vivek's picture

Hi Ashish,

The given link is only for setting when the download from the internet to the SEPM server needs to start.

Also, the second screenshot shows the LiveUpdate server setting.

But my question is where to set the download setting for the SEP client to get the update at a specific time.

Per my understanding:

If we go for LiveUpdate server: then we can't use the GUP.

If we go for GUP: we can't set a specific download setting for the SEP client for when the SEP client needs to download the update from the SEPM server.

My scenario is, I have five different groups, with around 1685 clients per group on different subnets, and the subnets won’t contact each other.

I don’t want all the clients to contact the SEPM server; instead, only 450 systems need to contact the SEPM server once a week to download the virus definitions, and those systems need to distribute the definitions to their own subnet only.

 

 

Ashish-Sharma's picture

HI,

This setting is also available in the SEPM server.

Check this thread

https://www-secure.symantec.com/connect/forums/system-running-slow

Thanks In Advance

Ashish Sharma

 

 

ajhay.siingh's picture

 

Hi Vivek,

First, I suggest you consult a Symantec Solution Expert for your site design.

Here is my view on your site design for the SEPM server and clients using GUP:

SEPM is designed for updating and administering policy on remote site clients. In your scenario, as I understand it, you have 1200 locations, each site has its own domain controller, and each site/location has 7 systems at present, which may increase per site in future; that means you have approx. 8400 systems in total across the network.

So here is the design for managing the remote sites and updating definitions, including IPS signatures.

In your case only one SEPM server is enough for the systems at all your sites. First, regarding your doubt about the GUP limit: the 11.0 SEPM can support approx. 50000 clients per SEPM, either locally or through GUP. In SEPM version 12.1 you can manage up to 80000 clients per SEPM console with a SQL database configured. With the embedded database you can manage only up to 5000 clients per SEPM.

Now the design as per your locations and number of systems, considering a WAN link of 128 KBPS per site:

1. You want to manage all 1200 sites/locations with approx. 8400 systems. They can be managed through a single SEPM, either 11.0 or 12.1, whatever version you have.

2. As you said no sites connect to each other, you will have to configure 1200 groups in your SEPM and configure a GUP for each group, and the GUP will be your site domain controller.

3. There is no need to configure LiveUpdate Administrator, as you have a very limited number of systems per site. LUA is configured to update thousands of clients, with a remote site SEPM connected to the central site SEPM as a secondary server. So in your case your site domain (acting as GUP) will receive updates from SEPM as soon as new updates are available. In version 11.0 a new update is not more than approx. 2 MB. All your site GUPs will receive updates from SEPM as soon as new updates are available on SEPM. Usually Symantec releases 3 revisions per day. So over this small WAN link all your site GUPs update these three revisions, and clients also update soon afterwards when they contact the GUP locally. If you don’t want these three revisions daily, configure the LiveUpdate settings for a specified time only; then only one revision will update daily. You said you wish to update once a week; that is not good practice. I suggest updating the clients daily, with the GUP receiving the update daily from SEPM, as new content is compressed and not more than 2 MBPS per new revision. When a client becomes a GUP, the first time it will receive the full content size, only once; later it updates incrementally in compressed format. So the GUP is intended to minimize the bandwidth load on the link.

4. But you have so many locations, and you said no site connects to any other. If that is defined by policy, it's OK. Otherwise, if you have an MPLS WAN link, any site can connect to any location without passing traffic through your central site. In that case you can reduce the number of GUP groups on your SEPM from 1200 (your number of locations) and, rather than connecting your small locations directly to the SEPM, route them to another site's GUP to receive updates from that GUP. This will minimize the number of groups on your SEPM. You can create subgroups for these sites under a main group.

5. Please configure another failover SEPM server with a replication server at the local site or at the DR site, either with a single database on a separate server or with both SEPMs having SQL databases replicating to each other at the scheduled time defined for replication.

6. Configure an MSL on SEPM for the clients so that, if the master SEPM fails, clients automatically move to the failover server.

I have described the design of your remote site locations in detail; I welcome feedback and any changes from all other experts.

Regards,

Ajay Kumar Singh

ajay.singh@jalindia.co.in

9818410147

Regards,

Ajay Kumar Singh (Consultant- Information Security)

 

 

Ian_C.'s picture

@ajhay.siingh That is a very detailed and generally excellent answer.

2. As you said no sites connect to each other, you will have to configure 1200 groups in your SEPM and configure a GUP for each group, and the GUP will be your site domain controller.

Like the original poster, I don't believe 1200 groups are necessary. Does every site have different requirements? Surely not! Rather, group your workstations together by functional requirements. We managed 7500+ clients in one generic Workstation group because all policies apply to them together. We then have specialised groups for a small subset of workstations that require them. Groups like Diagnostic / Testing and Highly secure.

All of that reduces the amount of groups, policies, locations and management overhead.

Please mark the post that best solves your problem as the answer to this thread.
ba_vivek's picture

Hi Ajay,

Thanks for the detailed information.

Creating 1200 groups? I don't think so; it's not possible manually.

Correct me if I'm wrong: the daily update will be 10 to 50 MB in size, so if my 1200 servers are contacting at the same time, it will end up as an issue.

So I have decided to go with unmanaged clients; virus definitions will be pushed through a third-party client on a weekly basis.

Once again, thanks everyone for sharing your thoughts.

Happy Diwali :).
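
The sizing concern raised in the thread (120+ MB of content over a 128K line, and 1200 servers contacting the SEPM at the same time), worked as an added example that is not part of any post: it models per-site WAN time with and without a single local relay, and how many staggered waves a central server needs. The site link is read as 128 kilobytes per second, and the 1024 KB/s central uplink and 8-hour window are assumptions, not figures from the thread.

```python
import math

# Figures quoted in the thread: 7 clients per site, 128 KBps site link,
# 120 MB full content, 2 MB per revision, 10-50 MB daily, 1200 sites.
# Assumption: "128 KBps" is read as kilobytes per second.

def transfer_seconds(size_mb, link_kbytes_per_s):
    """Seconds to move size_mb megabytes over one site's WAN link."""
    return size_mb * 1024 / link_kbytes_per_s

def site_wan_seconds(size_mb, clients, link_kbytes_per_s, single_relay):
    """WAN time for one site. With a single local relay (a GUP, or one
    machine fed by a third-party tool) content crosses the WAN once;
    otherwise every client pulls its own copy."""
    copies = 1 if single_relay else clients
    return copies * transfer_seconds(size_mb, link_kbytes_per_s)

def min_waves(sites, size_mb, uplink_kbytes_per_s, window_hours):
    """Fewest update windows needed so the central server's uplink can
    feed every site once. Uplink and window are assumed planning inputs."""
    capacity_mb = uplink_kbytes_per_s * window_hours * 3600 / 1024
    sites_per_window = int(capacity_mb // size_mb)
    if sites_per_window == 0:
        raise ValueError("one site's content does not fit in the window")
    return math.ceil(sites / sites_per_window)

def wave_sizes(sites, waves):
    """Spread sites as evenly as possible over the waves."""
    base, extra = divmod(sites, waves)
    return [base + (1 if i < extra else 0) for i in range(waves)]

if __name__ == "__main__":
    for label, mb in (("full 120 MB", 120), ("daily 50 MB", 50),
                      ("delta 2 MB", 2)):
        direct = site_wan_seconds(mb, 7, 128, single_relay=False)
        relay = site_wan_seconds(mb, 7, 128, single_relay=True)
        # Hypothetical central uplink of 1024 KB/s and an 8-hour window.
        waves = min_waves(1200, mb, 1024, 8)
        print(f"{label}: per-site WAN {direct / 60:.0f} min direct, "
              f"{relay / 60:.1f} min via relay, {waves} wave(s) "
              f"of {wave_sizes(1200, waves)[0]} sites")
```
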

 

ba_vivek's picture

Hey guys,

I found a good option for my environment.

I have configured the SEP client to use my internal LUA, and based upon the requirement I will kick it off from Altiris to update the definitions.

Here is the configuration:

Step 1: Installed LUA in my data center and configured LUA to keep the definitions for two weeks.

Step 2: In the SEPM console, checked third-party deployment and internal LUA. Unchecked the automatic schedule.

Step 3: Configured in my Altiris server -> under Symantec Endpoint Protection -> Update content -> scheduled for my requirement.

Everything is going smoothly.

Since LUA has the ability to provide delta updates to its clients, the clients are getting only delta updates.

SOLUTION