Endpoint Protection

Hi,

 

We have 1300+ offices in our organization spread acorss the globe and have SEP client configured to protect workstations in these offices. Some offices have below 100 computers and some offices have 200 computers. Do we need the GUP server for offices where SEP client count is 100.

Presently, Our enviorment have SEP 14 version configured on GUP and SEP Clients.

Any suggestions are welcome.

Thanks

KK  

Hi

Up to 10,000 clients:

https://www.symantec.com/docs/TECH93813

A GUP is always handy and will keep updates local instead of coming across the WAN.

Thanks Brian,

But I am looking for the information to configure or not to configure a GUP Server for a remote office where less than 100 SEP client is configured ?  

Multiple articles exist on setup:

https://www.symantec.com/docs/HOWTO80959

https://www.symantec.com/docs/HOWTO80900

It's the same whether you have > 100 clients or 5,000.

Thanks Brian,

There are around 200 offices where SEP client count is around 100. Do you think its good to have separate 200 GUP server for these 200 offices. Or SEPM server is sufficient to do so?

Do you have the resources to deploy dedicated GUPs? What are bandwidth links from remote offices back to the SEPM? 

Hi Brian,

Yes, but i think it will be a costly and overhead management if there are 200 GUPS for offices where there are 100 computers.. Each office have different network bandwidth varing from 512 KBPS to 2 MBPS.

Trying to push out content to clients from the SEPM based on those link speeds may be problematic. If some offices are closer you could configure a GUP at one site and have a few other sites go to it. Additionally, you could stand up one or two dedicated GUPs and have the clients from only them.

Hi

Do you have idea, What should be ideal bandwidth for a remote office with 100 computers to download the content from SEPM server?

This looks like a very complex environment. I would advice you to contact a Symantec partner to help you build a configuration/design that fits your environment.

This looks like a very complex environment. I would advice you to contact a Symantec partner to help you build a configuration/design that fits your environment.

Thanks for the suggestion Torb,

Yes, its a complex enviroment. Bt we are looking for specific information only what should be minimum count of endpoints where we should place a GUP and what should be ideal network bandwidth between remote office and SEP server to download the content directly. 

 

There is no specific minimum count. The SEPM can handle pushing down content but GUPs are ideal in situations where you want to take the load of SEPM and in lower-bandwidth locations.

As for an exact speed, can't really say and I don't want to make suggestions on what to purchase without fully vetting/testing download speeds. For the links you currently have though GUPs are ideal.

SEPM Servers have good configurations and can share a good amount of load for 100K SEP client requests. Only concern is remote office with lower bandwidth locations. These are small offices with around 100 computers.

So I'll asume clients at remote offices are already pulling content from SEPM? If so, your sysadmins should be able to look at network utilization. 

Yes, Presently we have GUP server configured at each site. But there is hardware change is going in the premises so we are reviewing the options if we should place teh GUP or remove from the remote location. I

The below article recommends using GUPs for any sites with between 10 and 10k clients:

https://www.symantec.com/docs/TECH92051

Bear in mind that these are only best practice recommendations, and do not specifically address your estate.  Ideally, you would review your network utilisation to determine whether or not GUPs are necessary, and where.

Thanks SMLatCST.

Its a very old article. Since then SEP has been changed a lot in terms of virus definition distribution. We are using SEP 14.1 in our enviorment. Before 12.1.5, A GUP was required for every location with 50 computers and lot of document are available to calcualte the virus defintinos distributed over network. Per Symantec, 12.1.5 virus definitions size has been reduced significantely. But I am not able to find the article what will be actual size transferred between SEPM server and SEP Client in SEP 14.1

I do not believe that level of detail has ever been available to be honest.

The defs downloaded by clients is dependent upon how far out of date they are.  That is to say, the deltas required to update a client that is 3 days out of dat, are usually larger than those required to update a client that is only 1 day behind.  With the definition sizes being so subjective to the estate, it's always been difficult to predict.  While there's always been guideline info on the size of a heartbeat, log uploads, etc., def sizes have been omitted (IIRC).

Assuming all clients are always on the latest def though, then you can usually see the size of the delta that would be pushed out.  Just look at the various .dax files under "Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Inetpub\content" on your SEPM.  Check this location out for live information on delta sizes.

Regarding SEP12.1RU5, all Symantec did was change the way defs were stored on the SEPM to save disk space.  It didn't really change the size of the deltas tranferred between the SEPM and the client.

Also worth noting as well, is the (slightly) increased bandwidth generated by Insight Lookups and Intelligent Threat Cloud as well.  Please bear these in mind as well (depending on how your clients get out to the Internet)

Thanks SMLatCST

 

There is a MPLS connectivity between remote location and SEPM server but million dolloar question is do we need GUP server for remote location with 100 computers.

In a nutshell, Symantec Best Practices recommend putting in a GUP for any remote sites with more than 10 SEP Clients, as you will see a measurable reduction in traffic.  Whether or not you actually need a GUP, is down to you and your link load.

HI SMLatCST

Correct, Best practices recommend putting a GUP for any remote sites more than 10 SEP. But this best pratice make it costly to implement. Presently we have around 200+ GUP Server for small remote offices having around 100 computers. So we  are reviweing the SEP enviroment, if we can remove GUP servers for remote locations. But I am getting exact answer for network bandwidth requirements for a remote office to download content from SEPM server directly. Now a days N/W bandwidth is 10 times cheaper than one GUP server at one remote site.

I'm afraid at this point, this is now a network infrastructure question, and not a SEP one anymore.  The use (or not) of GUPs is going to be dependant on information from your networking team.

To help inform your decision, you might wish to ask the question: "can the network handle the worstcase SEP Scenario of all 100 clients in a remote site downloading the full definitions simulatneously?".  Only you can really answer that, and only you can really calculate the cost-to-benefit ratios of GUPs vs increased bandwidth.

Unfortunately, all we can really do as outsiders with limited information, is provide you with the best practice recommendations.

If it helps, you could contact a Symantec partner (such as ourselves) to help make that determination via a Professional Services engagement.  Might that be of use to you?