Endpoint Protection

  • 1.  SEPM content distribution and LiveUpdate clarification

    Posted Jun 24, 2014 03:55 AM

    Dear Community

    I am in the process of designing a new SEPM infrastructure consisting of two sites with replication for DR purposes. My setup will be similar to this:

    1. DC1_Site: SEPM-A (internal server)
    2. DC1_Site: SEPM-B (in DMZ for my remote clients)
    3. DC2_Site: SEPM-C (internal server) connect to SEPM-A for replication
    4. DC2_Site: SEPM-D (in DMZ for my remote clients)

    Datacenter 1 (DC1) will have a dedicated SQL server. The same will apply to DC2.

    I am currently doing some reading on LiveUpdate and content updates and have a couple of questions related to that.

     

    1. Content download through SEPM heartbeat or through LiveUpdate

    http://www.symantec.com/business/support/index?page=content&id=TECH173650 under "Configuring Content Updates" mentions that endpoints can receive updates either through the SEPM heartbeat or through LiveUpdate where SEPM heartbeat is the default.

    Using SEPM heartbeat is recommended as it means you can benefit from the delta technology related to content revisions.

    Every group and endpoint will have a set of policies applied to them, including a LiveUpdate policy. Does this mean that in order for a group of endpoints to use SEPM heartbeat to download content updates from that particular SEPM server I will just disable LiveUpdate scheduling for this group's LiveUpdate Settings policy?

    How about if I am using a Group Update Provider (GUP) for a set of endpoints, will those endpoints download content from their assigned GUP at every SEPM heartbeat?

     

    2. SEPM server LiveUpdate

    I am planning on configuring LiveUpdate on one SEPM server in each data center, e.g. SEPM-A and SEPM-C. Will SEPM-B and SEPM-D automatically receive these same updates so that during the next SEPM heartbeat for my remote clients, they will receive these latest content updates?

     

    3. Configuring LiveUpdate on SEPM servers

    Under SEPM > Admin > Local Site > Edit Site Properties, there is a LiveUpdate tab. Is this the only place I need to configure in order for an SEPM to download content from Symantec or do I need to have a LiveUpdate policy with an active schedule as well?



  • 2.  RE: SEPM content distribution and LiveUpdate clarification
    Best Answer

    Posted Jun 24, 2014 04:39 AM

    Here's my stab at your questions ;)

    1. Getting clients to update via the heartbeat process is as simple as making sure the LiveUpdate policy has the "Update via default management server" option enabled. As long as that is ticked, and this policy assigned, then the clients will update via heartbeats. The other options can be enabled/disabled as you see fit. There's no issue with enabling the LiveUpdate option as well (just make sure you have the "Options for skipping LiveUpdate" enabled on internal clients).
      The use of GUP is entirely dependent upon heartbeats, and yes, clients will download defs from their assigned GUPs when told to by the SEPM on their heartbeats.
    2. While it's possible to configure the SEPMs in DC2 to grab defs from the SEPMs in DC1 during the replication, it's not something I'd typically recommend as it'd mean a delay in defs getting to DC2 SEPMs. As long as DC2 has an internet connection as well (which it clearly does to allow management of external clients), you can just tell the DC2 SEPMs to update their defs and remove content from replication (which has the added benefit of reducing replication time).
      I'd look at location awareness if I were you, so that external clients update direct from the net rather than through your SEPMs (B&D).
    3. The LiveUpdate tab in the Site properties controls the SEPM's update behaviour; the LiveUpdate policy controls the client update behaviour.


  • 3.  RE: SEPM content distribution and LiveUpdate clarification

    Posted Jun 24, 2014 04:41 AM

    By the by, given the number of questions you've posted recently, have you ever considered contacting a Symantec Partner (such as ourselves) for PS in designing this for you?

    You could get a lot of these questions answered during a workshop, and benefit from the experience of people who've done it lots of times previously.



  • 4.  RE: SEPM content distribution and LiveUpdate clarification

    Posted Jun 24, 2014 05:50 AM

    SMLatCST

     

    Many thanks for great feedback, as always.

    This certainly cleared up some of my ?

    On #2, sorry for not being very clear. I will not replicate content between my two sites.

    What I am actually wondering about is how does SEPM-B get its contents updated if LiveUpdate is only configured to run on SEPM-A?

    Thank you for your note on location awareness and remote clients to run LiveUpdate direct from Symantec. There should really be no security concerns or other concerns by doing it that way.

     

    On your second note, this is something we are always considering. On some projects we formally involve third parties for PS, other times we research ourselves and ask questions in forums like this. I see great benefit in working with people like yourself, and it is something we might still consider, even for this project.



  • 5.  RE: SEPM content distribution and LiveUpdate clarification
    Best Answer

    Posted Jun 24, 2014 06:28 AM

    Just to clarify then regarding Q2.

    You'll notice when looking at the LiveUpdate tab under the Site Properties, that the sites themselves will correspond to the different datacentres (remembering that the definition of a site is one or more SEPMs connected to the same SEP DB).

    This means that making amendments to the "local site properties" via SEPM A or B, will change the settings for the "DC1" site, while making changes in the same place on SEPM-C or D, will make changes in the "DC2" site.

    #EDIT#

    Oh yeah, the SEPMs on the same site share their defs via their shared database. So if SEPM-A does a LiveUpdate, it will process the defs into the DB. Once there, SEPM-B will see and pick them up.

    As the LiveUpdate is set for the entire site, either of the SEPMs can/will perform the LiveUpdate task. To control which one, you can disable the LU functionality on an individual SEPM basis if need be (see below article):

    http://www.symantec.com/docs/TECH136648