Endpoint Protection

Hi Guys,
I have the task of setting up the managed AV for our enterprise.

Our company consists of a head office and 4 state offices, all connected via VPN.
The Head Office and each remote state office has an install of Endpoint Protection Manager.

My bosses would prefer that all servers obtain updates from a single internal liveupdate server rather then each polling symantec liveupdate servers for updates.

Basically, this is my plan.

Install SEPM on each management server, install LUA on a head office VM.
Have each SEPM poll the internal liveupdate server for updates.
All clients to use their default management servers for updates.

There is no real bandwidth saving in setting up the remote state offices to download updates from the liveupdate server rather then Symantec however it gives us a little more administration over which updates are downloaded and which are distributed.


Does this sound like a decent plan?
Any advise or tips based on similiar setups (main office, remote offices on vpn, single liveupdate server)

Edit: The main reason I ask is that in previous versions of SAV, a server installed with SSC could be setup to provide updates to secondary servers without the use of Liveupdate administrator. Is this still possible? or is LUA a necessity to setting up centralised internal update downloading.

I guess your main site can (SEPM)  download the definitions directly from Internet.
Since you are planning to install SEPM on all sites.I guess you will definitely have replication between them.
In that case you can confiure content replication so that  only the SEPM on the main site will download the definitions and it will be replicated with other SEPM consoles and the clients will will retreive the updates from their respective SEPM servers.

If you are planning for LUA.Then you can have LUA in one location and you can configure all the sepm consoles to retreive defs from the LUA.
But even in that case bandwidth utilization will be the same or even more as all the SEPM's will pull full definitions from LUA (Using VPN).

What really matters is How many Clients you will have in these locations.
If it is 100 or less Clients per location you can go with GUP.
So that means only one computer will contact main SEPM for definitions and others will downloads defs from that GUP ( Group Update Provider).
The other clients will connect to the main SEPM server but for just policy updates and that is negligible and you can also set hearbeat interval for 4-5 hours.

GUP will be a good option is you have less clients on VPN as installing SEPM will require a server and all the resouces however GUP is just a normal client that can be anybody.

If you had SAV topology in your 5 offices last time, GUP or Group Update Provider is your friend.
It replaces SAV secondary server role for distributing defs to the client machines.

But multiple SEPM pointing to a central LUA is a good idea too.
As you can replicate them for consistencies.

Hi Guys,
Since posting I have decided to go down the route of a group update provider. In each of our state offices we have a file server which isnt really doing much, this was going to be the local SEPM manager. Rather then having 5 SEPMs (4 SOs and 1 Head Office), I think it will be best to just have one SEPM in the head office, distribute install packages to the local file servers where the clients can execute these (no vpn bandwidth) and touch base with the SEPM manager via vpn.

Ill setup the file server onsite as a Group Update Provider and have local clients poll it rather then a SEPM.

My biggest concerns are bandwidth use. I dont want any major communications between 8pm and 5am over the VPN.
Additionally, I would like to know how I can schedule product updates as I know group update providers cannot provide product updates, only defs etc.

If anyone can answer these questions I would be gratefull.

Our state offices only have around 30-40 clients - Here I think GUP will be more efficient, and only 1 SEPM will be heaps easier. The only issue is product updates over the VPN.

A. Can I schedule my Group Update Provider to recieve updates between certain times - ie. 8pm - 5am.
B. When SEP recieves a product update, seeing as clients are obtaining updates from the GUP, how can I schedule client product updates to happen between this 8pm to 5am slot. Is there a way I can publish a product update to a local file rather then every client having to obtain it over the vpn?

Thanks, replys are much appreciated.

I think if you have seperate Live Update Server that will download live updates periodically and distribute it to the server as well as clients you can go for seperate Live Update Administrator to dedicatedly perform such activities.

As the SEPM will download the definition it will push it to all the Clients (GUPs in our case).
By default SEPm downloads the definitions every 4 hours.
However since you want that it should download the definitions between 8-5.You will have schedule the SEPM console to download the Definitions daily at any time you wants between 8-5.

Product Update.
You are correct GUP is only for Definition update.It is the SEPM that downloads the product update.
Once SEPM has the product update you can schedule the update on the groups so that clients get the product update anytime between 8-5.
This update is a delta file which is very smaill as compared to Client package.

However if you want to publish a product update to a local file rather then every client having to obtain it over the vpn you will have to export a client install package for that version.

After that you have two options on the local file server
1.Put it in a shared folder so that the clients can access and install it.
2.Use Clientremote.exe ( From CD2) and push the package from that server.