Endpoint Protection

We are having bandwidth issues and we are looking at all angles but I would like to be able to see if SEP Clients/SEPM may be contributing to the Bandwidth issues. How can I measure the speed(s) of SEP Cleints/SEPM to determine if it is presenting a problem or not. Including updating the GUP's and the Client updates.

A lot of the time we do see PC's going to LiveUpdate sites without even going to the local GUP's. Not sure why that happens either.

I don't think there is setting either on SEP client or SEPM to do so.

But there are work around for that. You can take a trace between the server and the client using wireshark or netmon and then check the amount of bandwidth used on a particular port.

From what I remember if the GUP is down or not updated and you have the client an option to go to SEPM or internet then the client jumps  the GUP and move to SEPM or goes to the internet.

How is policy configged?

To go to GUP

Signle GUP

The third option

2 Boxes Checked
Use Default Management Server
Use LiveUpdate Server
Radio Button
Use the Default Symantec LiveUpdate Server

Here you go

Please make following changes in the liveupdate policy

Please disable liveupdate scheduling. Also please uncheck "Use LiveUpdate Server". It looks like these setting are the root cause of the issue. Also enable "use Group Update Provider" and assign appropriate GUP.

What's wrong with the scheduling? We typically use that and update every four hours.

To the best of my knowledge Scheduling is applicable only for liveupdate server. Default liveupdate server is Symantec Internet liveupdate server. (It is possible that you can install a liveupdate server in your network and point to it.) It is not possible to schedule updates if you are using GUP or Management server for updating the clients. Clients will receive updates whenever it contacts SEPM and an update is present(The client will reach SEPM in each heart beat).

So, all in all, it's pretty pointless to even have it on.

Unless you have clients going off network and needing to update...

So I think I will just turn it off across the board.

Do they need to update from Symantec LU while off network? If not, you can turn it off.

Hi

How your roaming clients take the update from the Internet or th GUP

Regards

GUP

What's with the thumbs down patrol in this forum, if people have something to say, say it. Thumbs down offers nothing.

Nothing new on here. Some need to get over it and move on.

OK, I have done these

Disable liveupdate scheduling. 

Uncheck "Use LiveUpdate Server"

I hope it helps.

Hello,

if you disable the "use LU sever", your clients won't connect to external LU servers; if they were doing so, there was a reason and we don't know it yet. If your clients will remain out-of-date after that policy change (because the real issue has not been found and fixed), you need to verify the entire content flow LU > SEPM > GUP > client. Doing that is a well established procedure however, if you are not confident with SEP sylink and debug logs, it will be more comfortable for you to have closer Symantec Support assistance.

 your clients won't connect to external LU servers;

I don't want them to, I want the GUP to get the updates, and the clients to get the updates from the GUP. I think I just neglected to change it when I had to rebuild my entire SEPM structure a while back.

The GUP's should come back to the Management server and get the updates, then the clients should get the updates from the GUP and ONLY the GUP instead of bypassing it.

No problem, it is a legitimate configuration; what I am saying is that just disabling the LU option is not a solution, but most likely it will unreveal the real issue.

Thank you. I just know that SEP/SEPM can be big time bandwidth hogs. If I can reclaim a good amount of bandwidth it would help considerably.

Generally speaking, SEP consumes high bandwidth when it is wrongly configured/scaled.

Yes, I am hoping to make modifications so that it is better configured.

Do you have any other suggestions that can help to optimize performance and reduce bandwidth?

Have you seen the GUP whitepaper?

Attachment(s)

SEP_GUP_Whitepaper_1.1_2.pdf   1.41 MB 1 version

It's probably worth noting that the suggested change to remove the "Update via LiveUpdate" option is unlikely to make any difference to you current network load.  The main reason for this is that you appear to be using SEP12.1.* and have enabled the "Options for Skipping LiveUpdate".

To be fair, these are enabled by default, but they mean that SEP12.1.* clients only ever go off to Symantec for updates if they cannot contact the SEPM for more than 8 hours and are more than 2 days out of date (making it a handy for the "SEPM has blown up" scenario).

This all brings up back to your primary issue, troubleshooting bandwidth issues...

Can you clarify the issue?  Is this high network load apparent in your internal network, or on the gateway, or both?

You might try using perfmon on your SEPM to start collecting logs of the traffic seen on your SEPM.  The below is a good start (the perfmon counters still exist in later versions of Windows so is still applicable):

http://www.windowsnetworking.com/articles-tutorials/windows-2003/Windows_2003_Performance_Monitor.html

As Brian mentioned right at the start, there are a few tools out there for monitoring network usage.

I think what I did helped a bit. Things seem to be going better.

So far so good

I was waiting with baited breath for the defs to be old and outdated, but it looks good.