Endpoint Protection

We've noticed that the traffic from the SEPM server to the clients (and maybe even the GUPs) does not get optimized on our WAN Acceleration system. We're assuming the defs are zipped up or encrypted or something before they are sent off.

Is there a way to turn this off so the traffic can get optimized? Pulling a 100 MB+ definition download across a T-1 kind of causes performance problems for everyone.

Thanks,

Ray

Hello,

Just a Doubt, What makes you think that unzipping def's or decrypting them will optimize the Traffic from the SEPM based server to the Clients?

The Definitions are signed to safe guard themselves.

Check the Following:

How To Optimize Endpoint Protection for Branch Offices using GUPs, Load Balancing, and Location Awareness

http://www.symantec.com/business/support/index?page=content&id=TECH94122&actp=search&viewlocale=en_US&searchid=1300464815085

Some basic guidelines for GUP hardware/software considerations are as follows:

1. Ensure that the machine being used to serve as the GUP has sufficient reserves of CPU/memory capacity to allow for its normal operations to continue while serving content to clients
2. By default, Windows is configured to allow a maximum of 5000 TCP connections simultaneously. With this configuration, the GUP is capable of serving 40 client connections per second.
3. Windows can be configured to allow a maximum of 65534 TCP connections simultaneously. With this configuration, the GUP is capable of serving approximately 180 client connections per second.

How the clients are configured to receive the updates? GUP will be a good option for controlling bandwidth..

  Have a look at this article .This may give you some idea for controlling bandwidth usage..

Tips For Installing SEP In A Low Bandwidth Environment

Hi Ray,

"Thumbs up" to the above advice.  Using GUPs and other solutions can really reduce network bandwidth usage.  There's really no need for all clients to constantly be retrieving large definition files, etc from the SEPM itself.

To answer your original question: the files sent to clients from the SEPM are not subjected to any special compression or encryption. They do have mechanisms in place to ensure that they have not been altered in transit, but these are no special proprietary compression technologies, etc, at play.

Hope this helps!

Mick

Thanks for all of the rapid responses. All employees are configured in User Mode. All employees assigned to a specific remote location do receive their GUP Location via their Active Directory OU and there is a GUP at each remote location. "Assigned to a specific remote location" is the operative phrase here.

We have a lot of people who float from location to location. For instance, my OU is pointed at the SEPM server in the main office because it's a LAN connection. When I go to a remote location and login to a computer, SEP, because of User Mode, points the computer I'm using directly at the SEPM server on the other side of a T-1, not the local GUP.

If the computer hasn't been turned on in a week or so, there is a huge download across the WAN. WAN acceleration is working very well on pretty much all traffic types except LiveUpdate, so we're assuming it's compressed or encrypted or something.

There are two conflicting responses here. One says they are encrypted and the other says they're not.

Thanks,

Ray

Hello,

Check this.

How to Use Location Awareness as Fault Tolerance for Content Updates

http://www.symantec.com/business/support/index?page=content&id=TECH94265&actp=search&viewlocale=en_US&searchid=1300467092686

Hi again Ray,

Sorry for the confusion: it arises from the use of a digital certificate, I expect.  A certificate is used to sign a message digest of the files so that SEP clients can check if the file they have downloaded is different than what was posted.  If the signatures match then the downlaod has not been altered.  (Signature and guard files are the protection mechanisms that were mentioned, above).

Thanks and best regards,

Mick 

Hi Mithun,

Unless I misunderstood that article, it doesn't help at all because my management server is reachable.

Mick2009, so individual uncompressed unencrypted files are being retrieved? If so, that's probably good news because we should be able to figure out how to make this work then.

Thanks again to all!

Ray

The definitions contained by the delta and full def files are compressed (using our own container). The client unpacks them when they arrive. I don't understand how being compressed or not matters... files are files, compressed or otherwise. But I don't need to understand it, honestly... Either way, if your WAN optimizer is trying to compress the files between locations, they won't be saving much (if any) bandwidth. 

You may want to look into our latest GUP features for the GlobalList operation. It will ensure clients always go to a GUP that's on their own subnet. Documentation is in the Administrator_Guide.PDF that comes with the install media. 11.0.5 and later use the GlobalList.

Thanks, Ryan! I never knew about GlobalList and it sounds like it will fix our issue if it works in User Mode or Computer Mode. We're on 11.6 MR2

A good WAN accelerator does not simply use compression, in fact it's usually the last thing it uses. Once traffic has passed through the device it learns its data patterns and any repetitive data patterns are retrieved from the local device rather than the far side of the WAN.

The problem with compression is it garbles the data patterns like encryption does so there's no repeatability and the data patterns don't mean anything.

In all of my years in IT, this is the only true magic technology I've ever seen. For instance, we send SQL transaction logs from SAP to the backup site across a T-1 hourly. It takes almost an hour to run and occasionally it takes more than an hour. When we put in the Riverbed boxes, it dropped to about five minutes. We honestly thought it was broken but the transactions were all there. On printing jobs, we typically see 98% of the data come from the local appliance with printing improvements literally of several minutes. For most types of traffic, "optimization" in excess of 50% is usually achieved. For highly repetitive files, such as those that compress well, it's not unusual to see WAN usage reductions in excess of 90%.

If the files came from the SEPM uncompressed, their raw size would be a lot higher and that would be a problem for most companies. But people with WAN accelerators would actually benefit dramatically. A check box would be nice. :-)

Thanks again,

Ray

You're welcome... I hope the GlobalLists work out for you.

As for the Riverbeds, I actually have worked with those in a few support cases (didn't realize that's what you were referring to)... not that I fully understand the intricacies. If I remember correctly, we had limited success with them because of the signed nature of our defs. SEP/LiveUpdate is really picky about  anything that touches our def files while they're in transit (for obvious reasons). I dont' remember the exact settings, but I believe the last Riverbed customer I worked with had to make some adjustments to keep our defs intact.