Endpoint Protection

  • 1.  SEPM Site Management and Replication Design Recommendations

    Posted Jan 19, 2018 11:42 AM

    Hey all,

    With my new position at work, I'm getting my hands dirty much more significantly with SEPM and how the sites are set up.

    Domain 1 - Online.
    Domain 2 - Offline.
    Domain 2 technically has 5 separate sites. We can consider that 4 remote and 1 local, like a spoke configuration.

    Domain 1 handles its own domain and gets updates through its SEPM. However, my previous colleague also set up LiveUpdate Administrator to distribute updates to the 5 sites of domain 2. Now that the 5 sites are all on the same domain (DOMAIN2), I'd like to see if there is a better configuration method. Each site has its own instance of SEPM, with different licenses and clients. My main goal is to be able to get rid of LiveUpdate Administrator, since this application just seems horrible and unnecessary.

    I've been toying around with the idea of replication, but I don't know much about it and have a few questions. Any and all recommendations are welcome!

    1. What is the best way to be able to get updates and definitions from Domain #1 to Domain #2, so that Domain #2 Site #1 can distribute to the other 4 sites? Presently this is done via LiveUpdate Administrator.
    2. If we go this route, do all sites in Domain #2 need to be using the same license? Presently they're individually licensed sites.
    3. Can we have individual administrators per site, as well as administrators that can access the entire setup?
    4. How would deploying clients from the sites work? Does a client get received from its local site, or the site that is initiating the deployment?
    5. Would it be possible to incorporate a site from DOMAIN3 into DOMAIN2?

    I think this is all I have for now. Thank you!



  • 2.  RE: SEPM Site Management and Replication Design Recommendations

    Trusted Advisor
    Posted Jan 22, 2018 02:47 AM

    1) When you link them up using replication, you can go to Admin -> Servers -> pick the replication partner, right click, select Edit. From there, you can enable the replication of logs, client packages and also the LiveUpdate contents.

    2) I'm not sure on the licensing side, so to play it safe, you're advised to call Symantec licensing for confirmation.

    3) Yes, and yes. All configurable when you set up the replication.

    4) If you enable the replication of the client packages, you can deploy from there at its local site.

    5) To the best of my knowledge, no.

    Hope this helps,



  • 3.  RE: SEPM Site Management and Replication Design Recommendations

    Posted Jan 29, 2018 08:36 AM

    Tony,

    This does help, so thank you for your information. I do have but one question:

    You state that with #5, DOMAIN3 cannot be a part of DOMAIN2. Does this mean that you are unable to replicate consoles that are a part of different domains? If that is the case, then I could set all of DOMAIN2 to replicate with each other, but I still then have to figure out the best method of getting updates from DOMAIN1 since that is the domain console that is online to receive updates.

    Thanks!



  • 4.  RE: SEPM Site Management and Replication Design Recommendations

    Trusted Advisor
    Posted Jan 29, 2018 08:47 AM

    Because DOMAIN 3 has its own 5 sites within it, I am not sure how it will work with replications to DOMAIN 2. I am not even sure if this is supported. I think the best option is to do this by testing. Perhaps clone it to a Dev network and test from there, else make sure you have good backups before you do this.



  • 5.  RE: SEPM Site Management and Replication Design Recommendations

    Posted Jan 29, 2018 08:56 AM

    Tony, sorry about the confusion. Right now here is the current setup:

    Domain1 is one site. This is on the internet, and responsible for picking up updates. We also have LUA installed on this server so that we can push those updates out.

    DOMAIN2 would be the easy replication answer... that one is 5 sites, with one of them being the host site which is the physical location I am at. But don't forget, DOMAIN2 gets its antivirus updates from DOMAIN1's LUA.

    DOMAIN3 itself is one site as a separate domain. I would love to somehow interconnect this with DOMAIN2 which would bring DOMAIN2 to 6 sites, even though it is a different domain (and that won't be changing... ugh!).

    Does this change any information you have provided, or clear anything up?

    Thanks again!



  • 6.  RE: SEPM Site Management and Replication Design Recommendations

    Trusted Advisor
    Posted Jan 29, 2018 09:37 AM

    Yes, that helps, thank you for the additional information.

    In that case, replications between DOMAIN 2 & 3 can happen. You can specify if you wish the log files to be replicated to DOMAIN 2 so you can see the stats from there, including replication of contents and client installer too.

    You will still however need to switch between D2 & D3 from D2 console to see the data you want to see without having to access D3's console.

    Does this help?



  • 7.  RE: SEPM Site Management and Replication Design Recommendations

    Posted Jan 29, 2018 09:47 AM

    I think it does, Tony. So basically, what you're saying is other than the possible licensing issue, I can have the following setup:

    DOMAIN2 is replicated with each other. DOMAIN3 is added to the DOMAIN2 replication.

    And I can connect DOMAIN2 to DOMAIN1 so that I can sync definition updates without having to use LUA?

    Thanks!



  • 8.  RE: SEPM Site Management and Replication Design Recommendations

    Trusted Advisor
    Posted Jan 29, 2018 09:53 AM

    Assuming your firewalls allow it, yes it's doable, including the LiveUpdate contents.

    Be aware & take notice of how often it's synced across; you may want to change the timing of how often the replication happens. Ours is set up as "Auto-replicate", but this can be set as Hourly, Daily or Weekly depending on your needs.



  • 9.  RE: SEPM Site Management and Replication Design Recommendations

    Posted Jan 29, 2018 09:55 AM

    Yeah the game plan was maximum daily. Trying to manage 6 or so sites across the world with varying levels of connectivity speeds makes things a bit more difficult, so I wouldn't want to strain the connections more than they need to be (especially because backups are over the wire... ugh!). 

    I'm going to try to investigate what firewall rules need to be implemented. As of right now I am in charge of at least making the requests to change the firewall rules, so that makes things a little bit easier. I just have to get permission before they get applied.

    Thanks for your help Tony. If you wind up having the firewall ports handy that would be great, otherwise I'll see what I can find today. Thanks!



  • 10.  RE: SEPM Site Management and Replication Design Recommendations

    Trusted Advisor
    Posted Jan 30, 2018 02:28 AM

    I don't have the firewall details as it was set up on our other product which is managed by the Network admin. However, you may find this useful:

    https://support.symantec.com/en_US/article.HOWTO81103.html

    Good luck with this project! :)

    If you're happy with the answer, please could you close this topic?

    Thanks,