Endpoint Protection


SEPM configuration for geographically separated sites


  • 1.  SEPM configuration for geographically separated sites

    Posted Mar 19, 2010 04:32 AM

    Hi,

    Don't know if anybody can answer this question here, but I'm having some trouble configuring SEPM. We have a company that consists of one HQ and 5 other sites connected through dedicated lines.

    Now I would like to configure SEP in a way that we have 1 SEPM (in the HQ) that downloads virus defs from Symantec and distributes them to its clients and the other SEPMs in the 5 sites. In their turn, the other SEPMs will distribute their virus defs to their clients.
    I've included a small Visio drawing to clarify my point.



    The question is: how do I configure SEPM for this setup?
    - Do I create a separate site in SEPM for each geographical site?
    - Do I need to install a LiveUpdate server in the HQ for the other SEPMs to download their defs from?
    - ...

    I hope you understand my question... :)

    Thanks in advance.



  • 2.  RE: SEPM configuration for geographically separated sites

    Posted Mar 19, 2010 04:46 AM
    The most important question over here would be how many clients you have in each location.
    A GUP (Group Update Provider) can be used in this scenario. A GUP can handle up to 1000 clients, but practically up to 500-600 clients.

    However, if you want it your way, then:

    You can have 1 main SEPM and install 5 replication partners to this SEPM and replicate content (definitions)

    or
    Install the first SEPM with SQL
    and install the rest 5 SEPM consoles as failover/load-balancing SEPMs.


  • 3.  RE: SEPM configuration for geographically separated sites
    Best Answer



  • 4.  RE: SEPM configuration for geographically separated sites

    Posted Mar 19, 2010 04:55 AM
    Do as follows:
    Install the first SEPM (HQ) as the first site.
    Install all other SEPMs as replication partners. Refer to the link below:
    How to install the Symantec Endpoint Protection Manager(s) for replication.
    Remove replicating client packages and LiveUpdate contents.
    Install one LUA at HQ and point all SEPMs to download from this LUA.
    Note: This will be a good setup if you are having more clients. If you are having only a few clients, go for GUP.
    Symantec Endpoint Protection 11.0 Group Update Provider (GUP)


  • 5.  RE: SEPM configuration for geographically separated sites

    Posted Mar 19, 2010 05:28 AM
    With SEP RU5 the GUP can support up to 10000 clients.

    It is really good to see that the SEP architecture is already designed, but make sure that your WAN link is capable of handling the traffic.

    If bandwidth is a concern, then go with this architecture:

    SEPM on the main sites installed with failover.
    Create 5 groups in SEPM corresponding to each site and designate a GUP locally.


  • 6.  RE: SEPM configuration for geographically separated sites

    Posted Mar 19, 2010 08:51 AM
    Hi Vikram,

    Each site will contain no more than 500 clients.
    So I don't really need extra SEPMs in the sites? Can these GUPs also work as a SEPM in case the SEPM in the HQ breaks down?

    Thanks


  • 7.  RE: SEPM configuration for geographically separated sites

    Posted Mar 19, 2010 08:53 AM
    For 500 clients, in my opinion it is better to keep a separate SEPM. If the SEPM is not working, the GUP also will not work.


  • 8.  RE: SEPM configuration for geographically separated sites

    Posted Mar 19, 2010 08:56 AM
    Hi,

    Thank you all for the fast replies. I will try to go through the documentation you provided.
    The infrastructure of the HQ is already installed and operational.

    -edit-

    If I am correct, a GUP is just a client on a workstation that forwards the defs to other clients?

    In the GUP documentation I find:

    Scenario that will be addressed by adding a GUP
    Customers with Branch offices

    Think of situations where you would use a Secondary Server in Symantec AntiVirus 10.x, but where this was not an ideal solution. Typically a branch office.

    The office has from 2 to 20 computers, often toward the lower number. One of these computers may be a server (A pharmacy or a grocery store for example), or there may only be workstations, as in banks. The network to the branch office does not have a large amount of bandwidth. This is what drives the need to proxy identical content.

    In Symantec AntiVirus 10.x some customers might use a Secondary Server in this situation; however, secondary servers with clients download an "XDB" file to provide virus definitions for the clients. The "XDB" file is around 12 MB in size, sometimes larger. The secondary server sends the clients a file with changes to the definitions at a size of 50 KB to 100 KB. The arithmetic is against the secondary server scenario or any automatic download of full content by the GUP. A secondary server would download far more content over the small amount of bandwidth than all of the clients combined. Break-even is around 200 computers.


  • 9.  RE: SEPM configuration for geographically separated sites

    Posted Mar 19, 2010 09:00 AM
    Yes, you are right.
    Go for a separate SEPM in each branch.
    Please refer to my earlier post.


  • 10.  RE: SEPM configuration for geographically separated sites

    Posted Mar 19, 2010 09:20 AM
    Thanks.


  • 11.  RE: SEPM configuration for geographically separated sites

    Posted Mar 19, 2010 10:36 AM
    Hi,

    I'm trying to install a new SEPM server for replication with this document:
    http://service1.symantec.com/support/ent-security.nsf/docid/2008091703483748

    At the end it asks me to initialize the DB. This will clear all existing data.
    Does a replication server need its own DB? Isn't it possible just to use it to distribute virus defs and use just one DB?

    Is there some documentation about what a replication server exactly is/does?

    Thx.


  • 12.  RE: SEPM configuration for geographically separated sites

    Posted Mar 19, 2010 11:58 AM
    Yes, for that you will have to install 1 SEPM on SQL, then install the other SEPMs as failover/load balancing.


    About Load Balancing and Failover Clustering in Symantec Endpoint Protection 11.0

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008032810341548



  • 13.  RE: SEPM configuration for geographically separated sites

    Posted Mar 19, 2010 12:11 PM

    Running with 6 SEPMs puts you close to the practical limit on SEPMs per tech support. I once had 27 SEPMs and SEP threw up all over itself. I was told 5 is a practical number of SEPMs and the max was something like 8. Running 6 SEPMs will put a heck of a load on your WAN as they talk to the database. They are very chatty.

    I strongly urge you to use SEPMs at your HQ and GUPs at your satellite locations. The clients will still talk to the SEPMs for their "marching orders" (~5k of traffic per client per heartbeat) and get updates (big amounts of traffic) from a localized GUP. Increase the client heartbeat to 3 hours or more to minimize impact to your WAN.

    That's my 2 cents




  • 14.  RE: SEPM configuration for geographically separated sites

    Posted Mar 20, 2010 02:38 AM
    Does a replication server need its own DB?

    Yes.

    Is it possible just to use it to distribute virus defs and use just one DB?

    Possible, but not recommended because your DB server is not present in the same local LAN.

    A replication server will do the same functions which a main SEPM does.

    At the end it asks me to initialize the DB. This will clear all existing data.

    Do you run management server configuration wizard more than one time?