Endpoint Protection

  • 1.  Why does SEPM contact clients in Pull mode?

    Posted May 24, 2012 09:53 AM

    We have a fairly large deployment of 25k+ clients, all in Pull mode. Server is RU6 MP3, and we plan to move to 12.1 in a couple of months.

    Via a physical firewall, we see occasional instances of the SEPM server(s) initiating contact with clients. It affects a very small minority of clients, seemingly at random. My understanding of Pull mode was that all connections are initiated by the client. I have devised a possible explanation, and I would be grateful if someone with more knowledge / experience could confirm.

    At the Heartbeat, the client checks in with the server and posts its log files, reporting in effect "I am client ABC with Definitions DEF, using Policy GHI and I have (no / some) infections to report." The client posts its logs to a folder on the server, from which they are processed to the DB. If, in processing to the DB, the server realises that the client policy has been updated, it will send the client a new policy. If the client connection is still open, the policy is delivered via that connection, but if there is a sufficient lag between the client posting the logs and the server processing them to the DB, the client connection will have been dropped so the server has to open a connection back to the client to send it a fresh policy.

    Can anyone confirm if my explanation is accurate, or can you offer another explanation for the SEPM-initiated connection?



  • 2.  RE: Why does SEPM contact clients in Pull mode?

    Posted May 24, 2012 10:02 AM

    The SEPM should NEVER contact the client (even in push mode), unless you are pushing out a new installation package (not using autoupdate). The client has no listening port, so it can't respond.

    What port are the SEPM -> client communications happening over?



  • 3.  RE: Why does SEPM contact clients in Pull mode?

    Posted May 24, 2012 10:17 AM

    Hello,

    The default setting is Push mode. If you select Pull mode, then by default, clients connect to the management server every 5 minutes, but you can change this default heartbeat interval.

    Please check out the documents below for more clarification:

    How the client computers get policy updates

    http://www.symantec.com/business/support/index?page=content&id=HOWTO55060&actp=search&viewlocale=en_US&searchid=1337868743089

    Configuring push mode or pull mode to update client policies and content

    http://www.symantec.com/business/support/index?page=content&id=HOWTO55197&actp=search&viewlocale=en_US&searchid=1337868743089




  • 4.  RE: Why does SEPM contact clients in Pull mode?

    Posted May 24, 2012 10:43 AM

    Idimple,

    Thank you, but we are satisfied with the setup. We were an early adopter, and we have been running Pull mode with a 30 minute heartbeat / 5 minute randomisation for about 4 years now. The server-initiated connection was observed via a recently installed firewall, so we do not have visibility of how long that has been going on.

     

    Paul,

    My firewall guy reports the source as HTTP with random high service ports. I have checked with the site administrator where the connections were observed, and he has not been attempting remote deployment.
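The thread turns on what the firewall actually saw: the expected client-to-SEPM heartbeat traffic in post 1 versus the SEPM-sourced connections reported in post 4. The script below is an added example, not code from the thread or from Symantec. It parses firewall connection records in a generic key=value syslog style (constructed for the example), separates flows the clients initiate towards the management servers from flows the management server addresses initiate towards clients, and summarises the latter per target client so they can be checked against remote-deployment activity. The SEPM addresses, the heartbeat port 8014 and every log line are assumptions made up for illustration; substitute the real management server list and the client communication port configured in your SEPM before using it.

```python
"""Separate client-initiated SEPM heartbeat traffic from SEPM-initiated flows.

Added example (not from the thread). The log format, the SEPM addresses,
the heartbeat port and all sample records are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed management server addresses (constructed for the example).
SEPM_SERVERS = {"10.0.0.10", "10.0.0.11"}

# Assumed client-to-SEPM communication port (constructed value; use the port
# configured in your own management server list).
CLIENT_TO_SEPM_PORT = 8014

# Constructed firewall records in a generic key=value syslog style.
SAMPLE_LOG = """\
2012-05-24T09:40:01 fw1 action=allow proto=tcp src=10.20.1.15 sport=49152 dst=10.0.0.10 dport=8014
2012-05-24T09:40:07 fw1 action=allow proto=tcp src=10.20.1.16 sport=51234 dst=10.0.0.10 dport=8014
2012-05-24T09:41:13 fw1 action=allow proto=tcp src=10.0.0.10 sport=56021 dst=10.20.1.15 dport=80
2012-05-24T09:41:15 fw1 action=allow proto=tcp src=10.0.0.11 sport=56022 dst=10.20.1.99 dport=80
2012-05-24T09:42:00 fw1 action=allow proto=tcp src=10.20.1.15 sport=49160 dst=10.0.0.10 dport=8014
2012-05-24T09:42:30 fw1 action=drop proto=tcp src=10.0.0.10 sport=56030 dst=10.20.1.15 dport=80
2012-05-24T09:43:00 fw1 action=allow proto=tcp src=10.30.2.5 sport=40000 dst=10.30.2.6 dport=445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+action=(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+)\s+sport=(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_log(text):
    """Parse key=value firewall records; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        flows.append(Flow(d["ts"], d["action"], d["proto"], d["src"],
                          int(d["sport"]), d["dst"], int(d["dport"])))
    return flows


def classify(flow, servers=SEPM_SERVERS, client_port=CLIENT_TO_SEPM_PORT):
    """Label a flow by who initiated it relative to the management servers.

    client_initiated: a client connecting to SEPM on the heartbeat port (expected in Pull mode)
    other_sepm:       a client connecting to SEPM on some other port (worth a look)
    server_initiated: a management server address opening a connection to a client
    unrelated:        neither end is a management server
    """
    if flow.dst in servers and flow.src not in servers:
        return "client_initiated" if flow.dport == client_port else "other_sepm"
    if flow.src in servers and flow.dst not in servers:
        return "server_initiated"
    return "unrelated"


def summary(flows, servers=SEPM_SERVERS, client_port=CLIENT_TO_SEPM_PORT):
    """Count flows per classification."""
    return Counter(classify(f, servers, client_port) for f in flows)


def server_initiated_report(flows, servers=SEPM_SERVERS, client_port=CLIENT_TO_SEPM_PORT):
    """Per target client: how often SEPM addresses connected to it, from where,
    on which destination ports, and whether the firewall allowed or dropped it."""
    per_client = defaultdict(lambda: {"count": 0, "servers": set(),
                                      "dports": set(), "actions": Counter()})
    for f in flows:
        if classify(f, servers, client_port) != "server_initiated":
            continue
        entry = per_client[f.dst]
        entry["count"] += 1
        entry["servers"].add(f.src)
        entry["dports"].add(f.dport)
        entry["actions"][f.action] += 1
    # Sorted lists rather than sets so the output is stable and easy to diff between runs.
    return {
        client: {"count": e["count"], "servers": sorted(e["servers"]),
                 "dports": sorted(e["dports"]), "actions": dict(e["actions"])}
        for client, e in sorted(per_client.items())
    }


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    print("flow classes:", dict(summary(flows)))
    for client, info in server_initiated_report(flows).items():
        print(f"{client}: {info}")
```

The list of target clients and timestamps this produces is what to compare against the SEPM's remote push deployment records and the site administrator's activity; a client that keeps appearing with no matching deployment attempt is the one to examine more closely.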