Endpoint Protection

I'm testing a rollout of the RU5 client to a large group of folks.  We noticed in our test push that clients got different IP's after the RU5 install.  I build a small test group and watch them as the client updated and sure enough they get a different IP after the NTP module installs.  Most clients are updating from some flavor of MR4.  I have AV/AM, PTP, and NTP enabled as installed modules.  My install package is set to maintan features.  I have a wide open firewall policy and non of the smart filtering options enabled.  My IPS policy is stock with no modifications.  Our DHCP server gives out 72 hour leases.  The clients are telling the DHCP server to drop the lease and request a new lease.  This causes minor issues as many users VPN to work systems and use the DHCP'd address.  Many of them only know the IP since it hasn't changed in a long time due to pretty good uptime. Can anyone give me a reason why this is happening?

Have you checked these documents, please have a look at it.

Client computers are unable to receive addresses through DHCP after installing Symantec Endpoint Protection
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007101210172548

Clients lose network access after installing Symantec Endpoint Protection 11.0

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007101417361248

Matt, although I am not sure why the lease is being dropped and a new one received, the interruption to the network connection is mandatory if installing the PTP and NTP features of the client, albeit brief.  It has to do with how the NTP has to hook into the network layer of the client.

In addition to adverse affects of having NTP and PTP on servers, the network interruption was a big reason I do not put NTP or PTP on servers as you can imagine the headaches that would cause.  We only use AV/AS on our servers which does not cause a network interruption.

 Thanks for your responses.  I'm aware that the NTP reload necessarily drops the interface.  These are client systems, the users have gotten used to having the same address for a long period of time.  They are able to function withiout issue after the install completes.  I'm just currious why the clients are dropping their reservations.  I'm trying to get the DHCP logs from my test, because I suspect the clients are sending a DHCP discard message.  

We have the whole bundle installed on all of our servers, so far, no issues directly.
All that should happen is a short network blip or drop of connection, for just a bit, then pick back up.
This should have the same impact on IP addressing via DHCP as a Windows "shutdown/restart" - and we all know most of the time you get the same IP address right back at you.
i've had my same IP address for months, even though it's DHCP, even through Windows restarts. This IMO should be the same, so I'm really curious as to why it wants to assign a new address. Like you say, a release or renew message is all that can explain it - but why would it do that simply to insert a driver?
You might setup a wireshark session and watch what happens during an update from MR4 to RU5.......... see what command is hitting the DHCP server.
(PTP won't load or function on servers, the NTP will function and does very well here)

My solution here was to create a group for the VPN folks and not assign them a package - I deal with them manually. Typically when I do a PUSH to them, it's not an issue. I was finding the automatic upgrade via a package assigned to a group was causing bad side-effects. So VPN computers have their own group. Luckily, there's only a few that are VPN only - most others only VPN occasionally.