Endpoint Protection


Design Questions for SEP 12 RU6

Gerald Selvaraj David, Oct 06, 2015 12:14 PM

  • 1.  Design Questions for SEP 12 RU6

    Posted Oct 04, 2015 03:52 AM

    Hello everyone. I am designing a SEP solution for one of our customers. I have a few questions in this regard. I would really appreciate it if the SEP gurus can give me suggestions and feedback so that I can design the solution accurately.

     

    1. SEPMs are placed at HQ in load balancing in city A, and clients are scattered in different cities B, C, D etc. in the same country. Now when the clients communicate with the SEPM over the WAN to take new policies, update status and logs, and download content definitions from the SEPM, how much bandwidth would each client consume for this purpose? I know that for remote sites I can configure GUPs to reduce the bandwidth load for the content definitions. But what I need to know is approximately how much bandwidth each client will consume over the WAN when it talks to the SEPM to download new policies, update its logs and status to the SEPM, etc.

     

    2. I am planning to use a single-site design and configure two SEPMs at the primary site in load balancing for about 3000 endpoints. The customer has different sites/regions that are scattered all over the country. For remote sites/regions I am planning to use multiple GUPs to limit the content definitions within their own specific regions. What I am wondering now is whether I should install a secondary site as well; what I mean is, should I install another SEPM at the DR site with its own database and then configure replication between the primary and secondary sites? What are your suggestions in this regard, should I do it or not? Or is having two SEPMs at the primary site in load balancing enough, so that I don't need to configure a replication partner?

    Your suggestions and feedback will be appreciated. Thanks and Regards 



  • 2.  RE: Design Questions for SEP 12 RU6
    Best Answer

    Posted Oct 04, 2015 04:18 AM

    Let me try to answer the questions to the best of my knowledge.

    1. SEPMs are placed at HQ in load balancing in city A, and clients are scattered in different cities B, C, D etc. in the same country. Now when the clients communicate with the SEPM over the WAN to take new policies, update status and logs, and download content definitions from the SEPM, how much bandwidth would each client consume for this purpose? I know that for remote sites I can configure GUPs to reduce the bandwidth load for the content definitions. But what I need to know is approximately how much bandwidth each client will consume over the WAN when it talks to the SEPM to download new policies, update its logs and status to the SEPM, etc.

    Ans: Well, it totally depends and we cannot give a definite number, as it depends on various factors, like the logging that you have kept on the client, the content revision it holds and the content revision the SEPM holds. Let's assume the difference is just one revision and the logging is set to default; then the typical WAN bandwidth between the SEPM and the SEP client could be anywhere between 4 to 8 MB. This is just a vague number and it may differ either way.

     

    2. I am planning to use a single-site design and configure two SEPMs at the primary site in load balancing for about 3000 endpoints. The customer has different sites/regions that are scattered all over the country. For remote sites/regions I am planning to use multiple GUPs to limit the content definitions within their own specific regions. What I am wondering now is whether I should install a secondary site as well; what I mean is, should I install another SEPM at the DR site with its own database and then configure replication between the primary and secondary sites? What are your suggestions in this regard, should I do it or not? Or is having two SEPMs at the primary site in load balancing enough, so that I don't need to configure a replication partner?

     

    Ans: Well, I would suggest you go with your second plan, which is to have two SEPMs with two databases and replication. I will list the reasons below.

    1). Even if one SEPM/database goes down, clients won't be orphaned.

    2). You can split the workload between these two SEPMs.

    3). You can make the local site's clients communicate with their own SEPM, resulting in reduced bandwidth.

    4). In case of external factors affecting SEPM availability, like a power outage, internet down or extreme weather, you will still be able to access the SEPM at the DR site.

     



  • 3.  RE: Design Questions for SEP 12 RU6

    Posted Oct 04, 2015 04:38 AM

    Hi Praveen, thanks for your reply. Please consider the points below.

     

    1. I will keep 90 content revisions and logging will be for 60 days; each remote site will have a GUP in its own region. I am planning to run a single-site design with two SEPMs in load balancing with a SQL database, since the total number of users doesn't exceed 3,000 and because remote endpoints will get the content definitions from their corresponding GUPs. They won't communicate over the WAN with the SEPM to get the content definitions. For the database we will keep recent backups, so in case the database gets corrupted we can restore the latest version of the database.

    The reason I am avoiding a replication partner is because 1) it adds complexity, since the total number of users is only 3,000, and 2) since the primary and DR sites will replicate their databases over the WAN, it will also consume bandwidth. Please correct me if I am wrong in this regard.

     

     



  • 4.  RE: Design Questions for SEP 12 RU6

    Posted Oct 04, 2015 09:46 AM

    Well, in that case the traffic between the SEPM and the client will typically be less than 3 to 5 MB. And for the secondary site, I just gave my opinion from a disaster recovery point of view. You will be the best person to choose, as you will have more insight than anyone of us, and also the reasons that I listed are merely hypothetical.



  • 5.  RE: Design Questions for SEP 12 RU6

    Posted Oct 04, 2015 11:16 AM

    Thanks for your reply. One more thing: if my GUP server has some connectivity issue with the SEPM server, or any other issue because of which it cannot download the content definitions from the SEPM, in that case can I make my GUP server download the defs from the internet as a fallback mechanism? Can I do the same for my endpoints?

    Thanks



  • 6.  RE: Design Questions for SEP 12 RU6
    Best Answer

    Posted Oct 04, 2015 02:45 PM
    GUPs cannot download content for endpoints from Symantec LU. Only clients would be able to go out Symantec LU for updates if the SEPM is not available.


  • 7.  RE: Design Questions for SEP 12 RU6

    Posted Oct 04, 2015 03:46 PM

    Thanks for your reply, Brian. So for GUPs there is no fallback mechanism in case of SEPM failure, but for clients we can point them to get the defs from the Internet in case of SEPM/GUP unavailability?



  • 8.  RE: Design Questions for SEP 12 RU6

    Posted Oct 04, 2015 05:08 PM
    If GUPs fail, they can failback to the SEPM. If the SEPM fails as well clients would need to go out to Symantec live update.


  • 9.  RE: Design Questions for SEP 12 RU6

    Posted Oct 04, 2015 07:59 PM

    There is no fallback mechanism for GUPs. Still, the SEP on that machine needs definitions, so the policy that you apply for the clients will apply to the GUP, as in the SEP on the GUP machine will also download its definitions from the Symantec LU server. But the reason it is not able to serve its clients is because the GUP will no longer know whether it is still a GUP, and the SEP client's LU mechanism is different from the GUP LiveUpdate mechanism. So while configuring the LU policy, configure it keeping all the odds in mind.



  • 10.  RE: Design Questions for SEP 12 RU6

    Broadcom Employee
    Posted Oct 05, 2015 10:20 AM

    Hi,

    When we talk about fail-over and load balancing, there is only one database and two SEPMs. So if the SQL database goes down, all the clients on both SEPMs will be offline.

    When we talk about replication, there are two or more SEPMs and duplication of the database.

    My question is: do you need SQL database replication? How much up-time is there for the SQL database?

    I would advise that if the GUP is not available, you let the client go to the Symantec LiveUpdate server to take definition updates. It will save unnecessary WAN link usage.



  • 11.  RE: Design Questions for SEP 12 RU6

    Posted Oct 06, 2015 01:48 AM

    Hello Chetan, thanks for your reply. Kindly confirm the following:

     

    1) Are the full size update or delta upgrades that the endpoints download from the SEPM servers the same in SEP 12.1.6 MP2, or is it still the same as it was in earlier versions?

    2) Is the size of full updates or delta updates that the clients download from the GUPs still the same, or have they been optimized in the latest version of SEPM?

    3) If we are doing an AutoUpgrade of SEP endpoints running SEP version 12.1.4 or 12.1.3, what will be the size of the package that will be pushed from the SEPM Manager or the endpoint? Has the size that will be pushed from the SEPM to the SEP endpoints for upgrade (for AutoUpgrade) remained the same, or has it also been optimized and reduced?

    Thanks and Regards



  • 12.  RE: Design Questions for SEP 12 RU6

    Posted Oct 06, 2015 02:02 AM

    OK, let me try to answer all your questions with the closest answer.

    1) Are the full size update or delta upgrades that the endpoints download from the SEPM servers the same in SEP 12.1.6 MP2, or is it still the same as it was in earlier versions?

     

    Ans: The answer is a BIG NO. Deltas have come down to a significantly lower size, which is about 1.5 MB.

    More details here: FAQ: Core 1.5 definitions for Endpoint Protection 12.1

     

    There are full.zip files available for every type of definition in SEP, and they are of different sizes. You can find the type of the definition using the moniker value in the name of the file.

    For example:

    The moniker values for AV definitions are as below, and the full.zip of AV definitions is ~570 MB

    {535CB6A4-441F-4e8a-A897-804CD859100E}: Virus Definitions for 32-bit SEP clients
    {07B590B3-9282-482f-BBAA-6D515D385869}: Virus Definitions for 64-bit SEP clients

    The moniker values for IPS definitions are as below, and the full.zip of IPS signatures is ~1.2 MB

    {D3769926-05B7-4ad1-9DCF-23051EEE78E3}: IPS Signatures for 32-bit SEP clients
    {42B17E5E-4E9D-4157-88CB-966FB4985928}: IPS Signatures for 64-bit SEP clients

     

    2) Is the size of full updates or delta updates that the clients download from the GUPs still the same, or have they been optimized in the latest version of SEPM?

    It is optimized and smaller in size.

     

    3) If we are doing an AutoUpgrade of SEP endpoints running SEP version 12.1.4 or 12.1.3, what will be the size of the package that will be pushed from the SEPM Manager or the endpoint? Has the size that will be pushed from the SEPM to the SEP endpoints for upgrade (for AutoUpgrade) remained the same, or has it also been optimized and reduced?

    During AutoUpgrade the SEPM always calculates the difference between the current client version and the latest version available and provides only the difference to the client, which will typically be around 12 to 15 MB and sometimes may go up to 50 to 100 MB on some occasions.

     

    Let me know if you have more queries.



  • 13.  RE: Design Questions for SEP 12 RU6

    Posted Oct 06, 2015 03:25 AM

    Thanks, Praveen, for your reply. However, let me clarify what I meant by 1). What I wanted to ask is: the full size definition for AV that SEPM 12.1.4 or earlier versions used to push was around 400-500 MB. So in the latest version which we have, i.e. SEPM 12.1.6 MP2, has this size remained the same?

    2) Same question for a GUP running 12.1.4 or prior version compared to a GUP with 12.1.6 version in terms of delta upgrades.

     

    Again, thank you for your help and replies. Regards



  • 14.  RE: Design Questions for SEP 12 RU6

    Posted Oct 06, 2015 03:44 AM

    Unfortunately the answer is yes, the AV full.zip size remains the same. If there were a change in the size, there would have been an official communication released. We currently run SEPM 12.1 RU5 and the AV full.zip is at 514 MB.

    2) Same question for a GUP running 12.1.4 or prior version compared to a GUP with 12.1.6 version in terms of delta Upgrades.

    Full.zip will be ~500 MB whereas Deltas are at around 1.5 MB



  • 15.  RE: Design Questions for SEP 12 RU6

    Broadcom Employee
    Posted Oct 06, 2015 07:35 AM

    Hello,

    1) What I wanted to ask is: the full size definition for AV that SEPM 12.1.4 or earlier versions used to push was around 400-500 MB. So in the latest version which we have, i.e. SEPM 12.1.6 MP2, has this size remained the same?

    --> It's around 500+ MB if full.zip is requested. 

    2) Same question for a GUP running 12.1.4 or prior version compared to a GUP with 12.1.6 version in terms of delta Upgrades.

    --> As said, full.zip will be around 500+ MB and deltas will be minimal.

    With the release of SEP 12.1 RU5 there is a new feature, Content Storage Optimization:

    As part of the upgrade to SEPM 12.1 RU5, the SEPM converts all of the content from full definitions to delta definitions. This process is resource intensive and may take an extended period of time. After this process is completed, the SEPM will use significantly less disk space.

    In a typical enterprise setup where 30 content revisions are stored, the SEPM upgrade process must reduce 55GB of full content to under 2GB of delta content. This process requires significant resources to complete and is impacted by the performance of any available CPUs, CPU cores (physical/logical/hyperthreading), memory, and disks (I/O). On a server that performs multiple roles, stores larger numbers of content, or is otherwise resource constrained, this process may take a longer duration to complete.

    Refer to this article for more info: The LiveUpdate content optimization and content storage space optimization steps take a long time to complete when upgrading to Symantec Endpoint Protection Manager 12.1 RU5

    http://www.symantec.com/docs/TECH224055

    SEPM 12.1 RU5 onwards stores 90 revisions by default, which means the SEPM can provide the last 1 month of definitions as delta updates only. Symantec releases 3 definitions per day. Previously the SEPM used to store only 30 definitions by default.

    As long as delta updates are available on the SEPM, clients won't request full.zip.



  • 16.  RE: Design Questions for SEP 12 RU6

    Posted Oct 06, 2015 12:14 PM

    Hello All,

    Thanks for the helpful comments from Praveen and Chetan.