Endpoint Protection

  • 1.  Endpoint Internet Client Updates

    Posted Dec 28, 2009 10:17 AM
    I am setting up Endpoint at a client. They have laptop users who are sometimes in the office and sometimes in the field. They want to ensure that the clients receive updates from the internal server even when the laptops are out of the office. Does Endpoint still use VDTM to connect to the management server? Can I configure clients to use VDTM when not on the network? We have identical DNS names set up internally and externally if it can be configured that way.

    Is LU Admin the best option here? Are there other options?


  • 2.  RE: Endpoint Internet Client Updates

    Posted Dec 28, 2009 10:33 AM
    Greetings,

    The clients will attempt to connect to the SEPM via a machine name and an IP address. If there is a VPN available for the laptops to use and they have access, they will update as if they are in the internal network. If they do not have outside access to the IP address/machine name, then the update will fail.

    A common recommendation is to set your laptops in their own group in SEPM and apply an LU policy that will allow them to access the external site here at Symantec if the SEPM machine is unavailable. You can do this by creating or editing the LU policy for that group and choosing "Default Management Server" as well as "External LiveUpdate Server".


  • 3.  RE: Endpoint Internet Client Updates

    Posted Dec 28, 2009 10:53 AM
    Thanks for your quick reply, John. That is usually how I do things, but the client is insistent that the clients must update from their internal server if possible despite my recommendation. I will still recommend doing things the way you have suggested, but want to know what is possible so I can give them an accurate report.

    The client has set up a DNS CNAME, dc-sep.domainname.org, to point to the server from both internally and externally. Is there any way to configure the clients to connect to this? Would I need to set up LU on the server, and would this work as I expect?

    Edit: Additionally, is there a way I can make clients REPORT back to the internal server when they are outside the network? I feel this is more important than where they receive their updates from.



  • 4.  RE: Endpoint Internet Client Updates
    Best Answer

    Posted Dec 28, 2009 11:33 AM
    You can set up the Management server list in the SEPM to include the DNS CNAME. This will cause all communication attempts between the client and the SEPM to use this address.

    Creating and assigning a management server list for a Symantec Endpoint Protection Manager
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007123110045548