Symantec Endpoint 12.X
Created: 31 Oct 2012 | Updated: 05 Dec 2012 | 23 comments
This issue has been solved. See solution.
We have 1200 remote sites with 7 computers per site, and each site will contact our corporate office only. Remote sites won't contact each other. Also, the number of remote sites will keep growing (90 new remote sites per year). Each site has its own domain and all are in different forests.
Bandwidth per site will be 128KBps
Now we plan to roll out SEP 12.1 to all the remote sites.
Our major concern is the virus definition update. For us there is no necessity for a daily update; a weekly definition update is more than enough.
I have the queries below:
- Can we go for managed or unmanaged computers? (We do have Altiris 7.1 for endpoint management.)
- I plan to use GUP, but I have no idea about the upper limit for multiple GUPs.
- If there is no upper limit on GUPs, can we go for virus definition updates from SEPM or LiveUpdate Administrator?
Hi,
Can we go for managed or unmanaged computers? (We do have Altiris 7.1 for endpoint management.)
https://www-secure.symantec.com/connect/articles/unmanaged-detector-sep-121
Best Practices with Symantec Endpoint Protection (SEP) Group Update Providers http://www.symantec.com/docs/TECH93813
Group Update Provider(GUP): Sizing and Scaling Guidelines
http://www.symantec.com/business/support/index?pag...
GUP Videos
https://www-secure.symantec.com/connect/videos/gro...
https://www-secure.symantec.com/connect/videos/gro...
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
Managed is the way to go; the reason is that the policy and other information of clients can be obtained if the clients are managed.
What is the number you thought of? Why not have different LU policies and have a GUP configured and assigned for the group?
It is better to use GUP; it will save bandwidth. Installing LUA at remote sites might be resource consuming.
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
If you already use Altiris, use your site server as GUP. You can create a rule that automatically sets all servers that function as site servers as GUP, based on the registry key for the task server plugin.
Torb
Hi,
First, create a location-wise group.
Then create a GUP for each location and apply the policy to the related group.
Regards,
Syed Saied
Thanks In Advance...
Syed Saied
If the suggestion has helped to solve your problem, please mark the post as a solution
Hi Syed,
If I'm downloading the update from LiveUpdate Administrator, can we use GUP?
Because for GUP it's mentioned:
"GUP is client computer that downloads content from the SEPM"
I am guessing you have the LUA for Altiris and other Symantec products?
The GUP is required to get its content from SEPM. The reason is that the SEPM determines the required deltas to generate for the endpoints which the GUP serves up. What you could do is have your SEPM leverage the LUA in the environment to get the source content updates from which it determines the deltas. In that way it will not have to go out to Symantec for content updates, which saves some bandwidth.
Regards,
Dean
Hi,
First, I would like to suggest that you install managed clients so that you can centrally manage the clients.
Use a single LiveUpdate policy, add all the GUPs (one per subnet) to the policy with the help of multiple GUP, and assign the policy to all groups.
I would like to thank everyone for sharing your ideas.
After reading all the comments, I have come to the decision below.
I got the idea to create five groups in SEPM for 8400 endpoints, with one system per site as GUP (2400 systems will act as GUP for their subnet).
So only 2400 systems contact SEPM for the definition update.
Per day, (2400/5) 480 systems contact SEPM for the virus definitions; through this we are able to achieve the weekly definition update.
But where can we set the virus update to download at a particular day/time?
Exactly. Scrap the GUP idea completely. You just don't have the level of control that you are looking for.
Instead, enable 3rd party updates and use your Altiris infrastructure to deliver the updates. Here are the first few articles when searching for 3rd party content
The other option to be specific about day/time is to point all clients & the SEPM at a central LiveUpdate server using a schedule. Unfortunately, this won't scale well with 90 clients trying to download the full 120+MB of updates across a 128K line.
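The sizing argument running through this part of the thread, worked through as an added example (not code from any poster or from Symantec). It uses the 2400 GUPs in five daily groups and the 2 MB, 50 MB and 120 MB content sizes quoted in the thread; the 100 Mbit/s head-end link is a hypothetical value, and because "128KBps" is ambiguous both kilobytes and kilobits per second are modelled.

```python
"""Added sizing sketch for the staggered definition rollout discussed in the thread."""
import math

MIB = 1024 * 1024

def wave_plan(gups, waves, content_mib, site_bps, headend_bps):
    """Size one daily wave. Rates are bytes/second; content is in MiB."""
    per_wave = math.ceil(gups / waves)
    content = content_mib * MIB
    site_seconds = content / site_bps                    # one GUP saturating its own link
    headend_seconds = per_wave * content / headend_bps   # whole wave through the head-end
    return {
        "gups_per_wave": per_wave,
        "site_seconds": site_seconds,
        "peak_demand_bps": per_wave * site_bps,          # if the whole wave starts together
        "window_seconds": max(site_seconds, headend_seconds),
        "bottleneck": "head-end" if headend_seconds > site_seconds else "site link",
    }

# Figures quoted in the thread: 2400 GUPs in 5 groups, 2 / 50 / 120 MB of content.
GUPS, WAVES, SIZES_MIB = 2400, 5, (2, 50, 120)
# "128KBps" is ambiguous, so both readings are modelled (assumption).
SITE_LINKS = {"128 KB/s": 128 * 1024, "128 kbit/s": 128_000 / 8}
# Hypothetical head-end capacity; the thread does not state one.
HEADEND_BPS = 100_000_000 / 8

def sizing_table():
    """One row per (link reading, content size) combination."""
    rows = []
    for label, bps in SITE_LINKS.items():
        for size in SIZES_MIB:
            rows.append((label, size, wave_plan(GUPS, WAVES, size, bps, HEADEND_BPS)))
    return rows

if __name__ == "__main__":
    for label, size, p in sizing_table():
        print(f"{label:>10} {size:>4} MiB  site {p['site_seconds'] / 60:7.1f} min  "
              f"wave window {p['window_seconds'] / 60:7.1f} min  "
              f"peak {p['peak_demand_bps'] * 8 / 1e6:6.1f} Mbit/s  ({p['bottleneck']})")
```

Under these assumptions a full 120 MB pull by one wave is limited by the head-end link on the kilobyte reading and by the site link on the kilobit reading.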
Hi,
Symantec Endpoint Protection Manager - LiveUpdate - Policies explained
http://www.symantec.com/business/support/index?page=content&id=TECH104435
How to configure LiveUpdate to use alternate sources through the Symantec Endpoint Protection Manager Console
http://www.symantec.com/business/support/index?page=content&id=TECH103706
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
You cannot set it to download at a specified time.
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
Yes, you can set the download time in the Advanced tab.
Thanks In Advance...
Syed Saied
If the suggestion has helped to solve your problem, please mark the post as a solution
Hi Syed,
I couldn't find the setting to set the download from SEPM at a particular time.
In advance time there is an option only to download from LiveUpdate Administrator.
Refer to the following thread.
https://www-secure.symantec.com/connect/forums/scheduling-updates-symantec-endpoint-protection-manager
If you are managing all the clients from one single console,
then at each site make a single GUP to get the definitions from SEPM.
GUP can take defs only from SEPM. It's a lot better than allowing clients to take them from the internet.
Please don't forget to mark your thread solved with whatever answer helped you : ) Rafeeq
I do prefer to go with SEPM for downloading the definitions, but I'm worrying about how to set the client to get the definitions at a specific time.
It would be really helpful if anyone could help to identify where to set the client to get definitions at a specific time from SEPM.
Hi Vivek,
Check this thread
https://www-secure.symantec.com/connect/forums/scheduling-updates-symantec-endpoint-protection-manager
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
Hi Ashish,
The given link is only for setting when the download from the internet to the SEPM server needs to start.
Also, the second screenshot shows the LiveUpdate server setting.
But my question is where to set the download setting for the SEP client to get the update at a specific time.
Per my understanding:
If we go for the LiveUpdate server: then we can't use the GUP.
If we go for GUP: we can't set a specific download setting for the SEP client for when it needs to download the update from the SEPM server.
My scenario is: I have five different groups, with around 1685 clients per group in different subnets, and the subnets won't contact each other.
I don't want all the clients to contact the SEPM server; instead, only 450 systems need to contact the SEPM server once a week to download the virus definitions, and those systems need to distribute the definitions to their own subnet only.
Hi,
This setting is also available in the SEPM server.
Check this thread
https://www-secure.symantec.com/connect/forums/system-running-slow
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
Hi Vivek,
First, I will suggest you consult a Symantec Solution Expert for your site design.
Here is my view on your site design for the SEPM server and clients using GUP:
SEPM is designed for updating and administering policy on remote site clients. In your scenario, as I understand it, you have 1200 locations, each site has its own domain controller, and each site/location has 7 systems at present, which may increase per site in future. That means the total number of systems you have is approx. 8400 across the network.
So here is the design for managing remote location sites and updating definitions, including IPS signatures.
In your case only one SEPM server is enough for all your sites' systems. First, regarding your doubt about the GUP limit: the 11.0 SEPM can support approx. 50000 clients per SEPM, either locally or through GUP. In SEPM version 12.1 you can manage up to 80000 clients per SEPM console with a SQL database configured. With the embedded database you can manage up to only 5000 clients per SEPM.
Now the design as per your locations and number of systems, considering a WAN link of 128 KBPS per site:
1. You want to manage all 1200 sites/locations with approx. 8400 systems. This can be managed through a single SEPM, either 11.0 or 12.1, whatever version you have.
2. As you said no sites connect to each other, you will have to configure 1200 groups in your SEPM and configure a GUP in each group, and the GUP will be your site domain controller.
3. There is no need to configure LiveUpdate Administrator, as you have a very limited number of systems per site. LUA is configured to update thousands of clients at a remote site SEPM connected to the central site SEPM as a secondary server. So in your case your site domain controller (acting as GUP) will receive updates from SEPM as soon as new updates are available. In version 11.0 a new update is not more than 2 MB approx. All your sites' GUPs will receive updates from SEPM as soon as new updates are available on SEPM. Usually Symantec releases 3 revisions per day. So over this small WAN link all your sites' GUPs update these three revisions, and clients also update immediately when they contact the GUP locally. If you don't want these three revisions daily, configure the LiveUpdate settings for a specified time only; then only one revision will be updated daily. As you said you wish to update once a week: it's not good practice. I will suggest updating the clients daily, and the GUP receives the update daily from SEPM, as new content is compressed and not more than 2 MBPS per new revision. When any client becomes a GUP, the first time it will receive the full content size, only once; later it updates incrementally in compressed format. So the GUP is considered to minimize the bandwidth link load.
4. But as you have so many locations, and you said no sites connect to each other: if that is defined in policy, it's OK. Otherwise, if you have an MPLS WAN link, any site can connect to any location without passing traffic through your central site; in that case you can reduce the number of GUP groups on your SEPM from 1200, your number of locations, and instead of connecting your small locations directly to the SEPM, you can route your site to any other site's GUP to receive updates from that site's GUP. It will minimize the number of groups on your SEPM. You can create subgroups for these sites under a main group.
5. Please configure another failover SEPM server with replication, at the local site or at the DR site, with a single database separately on another server, or with both SEPMs having SQL databases replicating to each other at the scheduled time defined for replication.
6. Configure MSL on the SEPM so that, in case the master SEPM fails, clients automatically move to the failover server.
I have described the design of your remote site locations in detail; I welcome feedback and changes from all the other experts, if any.
Regards,
Ajay Kumar Singh
ajay.singh@jalindia.co.in
9818410147
Regards,
Ajay Kumar Singh (Consultant- Information Security)
SCS(Symantec) | MCSA | ITIL v3 | Security+
@ajhay.siingh That is a very detailed and generally excellent answer.
Like the original poster, I don't believe 1200 groups are necessary. Does every site have different requirements? Surely not! Group your workstations together by functional requirements instead. We managed 7500+ clients in one generic Workstation group because all policies apply to them together. We then have specialised groups for a small subset of workstations that require them. Groups like Diagnostic / Testing and Highly secure.
All of that reduces the number of groups, policies, locations and management overhead.
Hi Ajay,
Thanks for the detailed information.
Creating 1200 groups, I don't think so; it's not possible manually.
Correct me if I'm wrong: the daily update will be 10 to 50 MB in size, so if my 1200 servers contact at the same time, it will end up as an issue.
So I have decided to go with unmanaged clients; virus definitions will be pushed through a third-party client on a weekly basis.
Once again, thanks everyone for sharing your thoughts.
Happy Diwali :).
Hey guys,
I found good options for my environment.
I have configured the SEP client to use my internal LUA, and based upon the requirement I will kick it off from Altiris to update the definitions.
Here is the configuration:
Step 1: Installed LUA in my data center and configured LUA to keep the definitions for two weeks.
Step 2: In the SEPM console, checked third party deployment and internal LUA. Unchecked the automatic schedule.
Step 3: Configured in my Altiris server -> under Symantec Endpoint Protection -> Update content -> scheduled for my requirement.
Everything is going smoothly.
Since LUA has the ability to provide delta updates to its clients, the clients are getting only delta updates.