Endpoint Protection

  • 1.  AutoUpgrade of clients across firewall

    Posted Aug 02, 2010 05:44 AM
    Hi,

    I've tried to use the AutoUpgrade feature (i.e., the Install Packages tab of a group) to change the feature set on a number of servers.

    They all worked perfectly except for one in the DMZ.

    I've searched high and low for documentation of the process SEP goes through to achieve the update so I can establish what is going on but can't find any details.

    It's not such a huge problem at the moment as I can do it manually for this one server, but eventually I'll be upgrading all the DMZ systems from RU5 to RU6 - and that will be a colossal pain manually.

    Can anyone shed any light on this?

    I had assumed it downloads the update package on port 80 from the management server, but I'm wondering if it uses NetBIOS like the remote installation process.

    Regards

    Dan


  • 2.  RE: AutoUpgrade of clients across firewall

    Posted Aug 02, 2010 05:56 AM

    How to allow Symantec Endpoint Protection clients in a remote location to be managed by a Symantec Endpoint Protection Manager that's behind a NAT device


    http://webcache.googleusercontent.com/search?q=cache:Wk45e6LefiYJ:service1.symantec.com/support/ent-security.nsf/docid/2009032408115648%3FOpen%26seg%3Dent+service1+behind+NAT&cd=1&hl=en&ct=clnk&gl=in


  • 3.  RE: AutoUpgrade of clients across firewall

    Posted Aug 02, 2010 09:48 AM
    When configuring a firewall operating between the SEP client in the DMZ and the SEPM in the local LAN, it is necessary to allow on the firewall only one of the two ports: HTTP 8014/80 or HTTPS 443. This meets security standards and limits open ports to the necessary minimum. A limited number of open ports allows the firewall administrator to monitor the communication and create appropriate rules at the application level, granting only SEP processes the right to use the dedicated open ports.
     
    In high-security environments where communication between servers located in the DMZ and the internal LAN is not allowed, please consider the following scenarios:
     
    - Installing unmanaged SEP clients on servers in the DMZ, updating virus definitions directly from the internet
    - Installing unmanaged SEP clients on servers in the DMZ, updating virus definitions with the Intelligent Updater file
    - Installing in the DMZ a dedicated instance of LiveUpdate Administrator supplying virus definitions only to servers in the DMZ
    - Installing in the DMZ a dedicated instance of SEPM supplying virus definitions only to servers in the DMZ
     
    The last solution is the most secure, but at the same time it requires more investment in terms of administration effort and system resources. We recommend evaluating the security level your business needs require, then selecting and implementing the solution that meets those needs.


  • 4.  RE: AutoUpgrade of clients across firewall

    Posted Aug 03, 2010 07:39 AM
    Neither of these helps.

    There is no problem allowing the clients to talk to the server and the clients do talk to the server - they receive new policies and send status updates on port 80 no problem.

    They just won't AutoUpgrade.

    There is no NAT involved either.

    Regards


  • 5.  RE: AutoUpgrade of clients across firewall

    Posted Aug 03, 2010 07:54 AM
    Any info in the event log?
    Is it specific to 32- or 64-bit machines?


  • 6.  RE: AutoUpgrade of clients across firewall

    Posted Aug 03, 2010 10:15 AM
    Nothing in the event log.

    It's only one machine I've tried thus far but it was 32-bit. Don't think processor architecture is the issue though.

    All the other boxes were 32-bit.


  • 7.  RE: AutoUpgrade of clients across firewall

    Posted Aug 03, 2010 10:19 AM
    Can you try this for one box? I just want to make sure it's able to download the full package.

    https://www-secure.symantec.com/connect/articles/how-auto-upgrade-remote-site-clients-using-iis
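Added example, not from any post in this thread: a small Python check a DMZ server admin can run to confirm which of the channels named in post 3 (HTTP 8014/80 or HTTPS 443) is actually reachable from the DMZ host, and whether the NetBIOS/SMB ports the original poster wondered about are open too. The SEPM hostname `sepm.example.internal` is a placeholder; the port labels are constructed for the report.

```python
import socket

# Ports named in the thread: SEP client-to-SEPM management traffic runs over
# HTTP 8014/80 or HTTPS 443. The NetBIOS/SMB ports are included only so the
# report shows whether the firewall also exposes them (constructed labels).
MANAGEMENT_PORTS = {"HTTP 8014": 8014, "HTTP 80": 80, "HTTPS 443": 443}
NETBIOS_PORTS = {"NetBIOS 139": 139, "SMB 445": 445}


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_sepm_reachability(host: str, timeout: float = 3.0) -> dict:
    """Probe every listed port from this host's point of view.

    Returns {label: reachable}. Per post 3, a DMZ firewall should expose
    exactly one management port to the SEPM, so expect one True here.
    """
    return {
        label: probe_tcp(host, port, timeout)
        for label, port in {**MANAGEMENT_PORTS, **NETBIOS_PORTS}.items()
    }


def summarize(results: dict) -> str:
    """Turn the probe results into a one-line finding for the firewall admin."""
    mgmt_open = [label for label in MANAGEMENT_PORTS if results.get(label)]
    nb_open = [label for label in NETBIOS_PORTS if results.get(label)]
    if not mgmt_open:
        return "no management port reachable: client cannot reach the SEPM"
    msg = "management channel reachable via " + ", ".join(mgmt_open)
    if len(mgmt_open) > 1:
        msg += " (more than one management port open; post 3 recommends only one)"
    if nb_open:
        msg += "; NetBIOS/SMB also reachable: " + ", ".join(nb_open)
    return msg


if __name__ == "__main__":
    # Placeholder hostname; replace with the real management server.
    print(summarize(check_sepm_reachability("sepm.example.internal")))
```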