
Symantec EndPoint Protection 11.x Clients Updates from Management Servers Outside their Managed Scope

Created: 31 Mar 2010 • Updated: 18 Oct 2010 | 19 comments
This issue has been solved. See solution.

Symantec Gurus

I have a managed SEP deployment. About 6 sites, all connected via an MPLS network. All SEP clients are pointed to their closest management server, the master server being located on the root of the hub. Everything seemed to be working fine until a few days ago. Now SEP clients are pointing to management servers outside of their management scope and being updated from these servers. This is causing havoc on our bandwidth. Even if I drag and drop them back into their own management server, after a while they go back to the wrong server.

These are all Windows PCs running the Novell client, not using Zen for any form of management or desktop customization.

A simple uninstall and re-install won't do as I'm managing a complement of over 7000 clients. It's taken me too long to roll out the client.

What can I do to fix this mess and force my clients to the correct management server(s)?

We use LANDesk as a management tool, so registry and/or batch scripts could be used if needed....

Etienne


AravindKM's picture

Do you have some clients in user mode?
If any are present, change them to computer mode.
You can also use a batch file for this. (You can get this batch file from Symantec support.)

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

Etienne_Siemens's picture

AravindKM

All my clients are in computer mode. I have a call with Symantec for this, and the best they can tell me is to upgrade.  My customer won't allow me to do this, I need to fix the issue first. Also asking Symantec for that batch file is pointless...it doesn't exist when I ask.

Rafeeq's picture

It could be because of a bug, either one of these two; it would be good to upgrade the clients to MU5.

            Scheduled LiveUpdate still launches LuAll.exe although the "Use a LiveUpdate Server" option is unchecked

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid_p/2007121216360648

    Fix ID: 1652473
    Symptom: After migration, LiveUpdate still uses LuAll.exe to download content from an internal or external LU server, regardless of whether the Use a LiveUpdate Server option is checked.
    Solution: Scheduled LiveUpdate settings are cleared and the Symantec Endpoint Protection client uses the LiveUpdate policy from the Symantec Endpoint Protection Manager.

    LiveUpdate tries to contact external LiveUpdate Servers despite policy setting

    Fix ID: 1678207
    Symptom: The Use a LiveUpdate Server setting is not honored, which causes Symantec Endpoint Protection clients to download content from external LiveUpdate servers.
    Solution: The Use a LiveUpdate Server setting is checked before attempting to download content.

Etienne_Siemens's picture

Hi Rafeeq

Let me explain in more detail. I have about 7000 clients nationally. Each major region has its own SEP Management Server to which local SEP clients of that region are registered and from which they receive their SEP definition updates. The management servers synchronize with each other from the main SEP Management Server in the MPLS ISP site (has the bandwidth & access). No SEP clients in any of the regions are supposed to update themselves across a WAN link to another SEP management server. This is how it has been working for quite a while.

Now about a month ago random SEP clients from regional branches are registering themselves with one of the other SEP regional servers (head office, not MPLS ISP site). We are having no issues with clients not receiving definition updates, whether they do it from their local SEP management server (requirement) or another remote SEP management server (not supposed to happen). If it was a few clients then I would simply uninstall and redo the SEP client. This is however happening with about 2500 clients.

Is there a way to fix this, is it a known issue between clients and SEP management server? I have logged a call with Symantec and they are telling me to upgrade, which is not an option, yet, until this current issue is resolved.

I have read this technote, upgrading is on the radar, but not to fix this issue. How does it all go wrong stop working? Once I have my clients reporting to the correct server then I can upgrade. The customer is actually closing off WAN network ports because of the additional traffic generated by SEP clients.

AravindKM's picture

Can you double check whether the MSL is correctly assigned to the corresponding groups?


Etienne_Siemens's picture

This is probably the most used phrase in IT (I have not changed anything). The MSL is assigned to the correct corresponding groups. From a configuration / infrastructure point of view, nothing has been changed or altered. The only "new" thing being done is Windows patches. Now I don't know if anything here has inadvertently triggered this phenomenon to occur within SEP. All I want to do is force the clients back to their own SEP management servers. Even if it means I need to run a batch file or some remote process every few hours.

AravindKM's picture

Is it going and sitting in any particular group, or is it random?


Etienne_Siemens's picture

It is choosing the SEP management server in the main office region.  Under the rest of the workstations group.

AravindKM's picture

Can you block clients for that particular group and see whether it is making any difference?


Etienne_Siemens's picture

I have tried this. It has no effect, I can still see the SEP clients attempting to register with other SEPM servers. I have actually blocked all SEP clients from the SEPM server in one regional site. I see no other alternative than to upgrade. I am also very seriously considering another antivirus product. It is highly embarrassing that on such an Enterprise level, a bug like described above exists, with no hotfix.

zer0's picture

I realise you are frustrated but don't you think it is strange that you may be the only person in the world affected by this issue?
If it was a proper fault in SEP the forums would be ablaze!!
Whenever I have an issue like this I check the forums and the KB articles and then wonder how I could be the only person affected :)

It is usually environmental, and something has changed if it was all working and is all suddenly broken.
Has any of the following changed?

- DNS
- Proxies
- IP addressing
- Gateways
- Master Server lists in SEPM
- Liveupdate policies in SEP
- Communication settings
- Locations

I would start off by getting Sylinkmonitor running on SEP clients that are connecting to the wrong management server.
Then you will have complete transparency of the communications between a SEP client and SEPM.
http://service1.symantec.com/support/ent-security....

I would also upgrade your SEPM's to the most recent version possible.

Z

John Cooperfield's picture

Some things you might try:

Uncheck "Remember last location" until this is resolved.

Set up a test group, and give it a MSL with only IP address(es), no machine names.

When a client is pointing to the wrong SEPM, open its Sylink file.
Is there anything in there that relates to the "wrong" server?

Any DNS redirects / aliases? nslookups from client to servers, etc.
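
An added example, not part of any post in this thread and not Symantec tooling: a Python script for the Sylink check suggested above, listing the servers a client's Sylink file carries and flagging entries outside the site's allowed list or given by hostname (and therefore dependent on DNS). The element and attribute names (`ServerPriorityBlock`, `Server`, `Address`, `HttpPort`) are an assumption about the SEP 11 Sylink.xml layout, and the sample file, addresses and hostname are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample. Element/attribute names are an assumed Sylink.xml layout,
# not copied from this thread; adjust them to match a real client's file.
SAMPLE_SYLINK = """<ServerSettings DomainId="CONSTRUCTED-DOMAIN-ID">
  <CommConf>
    <ServerList Name="Region-A MSL">
      <ServerPriorityBlock Name="Priority1">
        <Server Address="10.10.1.5" HttpPort="8014"/>
      </ServerPriorityBlock>
      <ServerPriorityBlock Name="Priority2">
        <Server Address="sepm-headoffice.example.internal" HttpPort="8014"/>
        <Server Address="10.20.1.5" HttpPort="8014"/>
      </ServerPriorityBlock>
    </ServerList>
  </CommConf>
</ServerSettings>"""

def list_servers(sylink_xml):
    """Return (priority_block, address, port) for each server, in file order."""
    found = []
    for block in ET.fromstring(sylink_xml).iter("ServerPriorityBlock"):
        for server in block.findall("Server"):
            address = server.get("Address", "").strip().lower()
            found.append((block.get("Name", "?"), address, server.get("HttpPort", "")))
    return found

def out_of_scope(sylink_xml, allowed):
    """Servers listed in the file that are not in this site's allowed set."""
    allowed_norm = {a.strip().lower() for a in allowed}
    return [s for s in list_servers(sylink_xml) if s[1] not in allowed_norm]

def is_ip(address):
    try:
        ipaddress.ip_address(address)
        return True
    except ValueError:
        return False

def hostname_entries(sylink_xml):
    """Entries given by name rather than IP literal; these rely on DNS resolution."""
    return [s for s in list_servers(sylink_xml) if not is_ip(s[1])]

if __name__ == "__main__":
    for block, address, port in out_of_scope(SAMPLE_SYLINK, {"10.10.1.5"}):
        print(f"outside scope: {address}:{port} ({block})")
    for block, address, port in hostname_entries(SAMPLE_SYLINK):
        print(f"resolved via DNS: {address} ({block})")
```

Run against the Sylink file collected from a client that has drifted, with `allowed` set to the servers in that region's Management Server List.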

SMBguru's picture

We use Novell login client, upgraded to SEP RU6a on the servers, that locked everyone out of the management server because of the Java issues I guess. But, when trying to migrate clients to the new management server, only about half want to go and it is totally random.

At the same point we did just "upgrade" to MPLS VPN between sites and have had many problems with this. I see all kinds of logs and issues on the routers pointing to these management servers and can only assume traffic is taking too long, so the client is pointing to a different management server then.

What routers are you using? Ours are Cisco with Web Sense integration, and since SEPM uses HTTP traffic, the IOS FW inspects it for compliant traffic type which seems to be the cause of the audit trails kicking in and causing some clients to hang and never go to the correct management server.

Now mind you we never had this issue before upgrading SEPM, but we also had PTP everywhere.

I too would like to know how to force clients to the new server so I can take some old ones offline...

Etienne_Siemens's picture

Ladies and Gents, sorry 4 being so quiet on this post...I needed the "wheels of change" to turn. I have a "solution / fix"...forgive my sarcasm...I'm throwing out Symantec and we're going with another product. If this issue was on a small scale, hey, a quick run around would be ok...but I'm already breaking the 7500 user mark, we're seriously exposed without adequate protection...I can't afford all the in-depth troubleshooting only 4 something else to stick its head out....now comes the wonderful task of removing Symantec. Thanks to everybody for the advice, it is really appreciated....

SOLUTION
zer0's picture

Your "management" won't allow you to upgrade but they will allow you to do a migration to another product!

Your first post was in March and you haven't worked out a solution in 6+ months?

You didn't even post up your Master Server List or any sylinkmonitor logs, or any of the info I was asking about.

I have a strange feeling that you are going to have similar "issues" with the next product.

Good luck

Rafeeq's picture

You should give it a try by upgrading, I'm sure that it would work.

Going to a different product again means a lot of unknown issues :)

Vikram Kumar-SAV to SEP's picture

If you are using a Buggy Version that has known issues and has been fixed in a newer version then you cannot blame it on the product or support.

I agree your Management wouldn't have given you permission for migrating to latest version..

However they have to change their thinking at some point of time..because you can't just change a product just because you don't want to upgrade to newer version.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

_Brian's picture

I don't want to repeat what was said in the last 3 posts but they are spot on. I shudder to think what my environment would be like today if we were still on older/buggy versions.

And personally, if I was told to go to another AV solution after working on a SEP deployment to 8,500+ clients for the last 8 months, they would only see my backside as I was walking out the door.

I have a very similar setup to yours and of course had issues here and there but was able to work thru, mainly by upgrading to latest releases.

But best of luck. I feel SEP is still one of the best solutions out there. All products have their up and downs but I'm sad to see it did not work out for you.

Cheers

Brian

Etienne_Siemens's picture

Hi guys, I need to redeem myself....I do know I hadn't posted any logs & stuff...since my last post, these tasks were assigned to another engineer, who has since been relieved of her position, I did propose the whole upgrade option, it's so much easier. Management wouldn't budge, they don't want Symantec...& I can't blame them.

Now again, if this was a small organization, who was not exposed to any media coverage, no real hassles...in this case it isn't, we make the news quite often, and not 4 good things...so purely 4 mitigation and PR control, Symantec needed to go....I am still a supporter of Symantec products.

It's also kinda like a messy breakup, it's good to change the furniture and all....sure u get my meaning.

Thanks again 4 all the advice, I find these forums of great use and value.