
Setting up SEP 11 on Remote servers


  • 1.  Setting up SEP 11 on Remote servers

    Posted Dec 02, 2010 05:08 AM

    Hi

    I have SEP 11 manager running on one of our servers which manages all my clients in our local office in the UK.  We also have offices in China and I want to deploy clients on to their domain, servers and workstations.

    I want to manage all the clients both on my domain in the UK (which I already do) and on the domain in China through the SEP manager on my server in the UK.

    Can somebody advise if this is possible and are there any best practice guides to do this?

     

    Thank you



  • 2.  RE: Setting up SEP 11 on Remote servers

    Broadcom Employee
    Posted Dec 02, 2010 05:17 AM

    Will the clients at the China location be able to communicate with your local SEPM?

    If yes, clients can be managed by local SEPM.



  • 3.  RE: Setting up SEP 11 on Remote servers

    Posted Dec 02, 2010 05:21 AM

    Or, if a WAN link between the sites is slow, you can install a second SEPM for clients in China. You will need to use MS SQL however, as multiple SEPMs are not supported with embedded DB. You can install one DB - both managers will use it and clients in both offices will connect to their manager or you can install 2 DBs - so every site will get its own set: clients, manager and DB. You can then set up replication for the DBs or manage the clients from the second SEPM connecting to it remotely :-)



  • 4.  RE: Setting up SEP 11 on Remote servers

    Trusted Advisor
    Posted Dec 02, 2010 05:25 AM

    Yes you shouldn't have any issues setting them up in China to be managed by your SEPM.

    Create a new group for them as they may need new policy changes. If they require a GUP setting up you will just need someone to set that up for you. And you should be able to create a package that can be rolled out by their local admin service. There is also a way to roll out via the SEPM remotely if you have admin rights to all the machines.



  • 5.  RE: Setting up SEP 11 on Remote servers

    Posted Dec 02, 2010 05:48 AM

    Check this document

     

    Title: 'How to allow Symantec Endpoint Protection clients in a remote location to be managed by a Symantec Endpoint Protection Manager that's behind a NAT device'

    Document ID: 2009032408115648

    > Web URL: http://service1.symantec.com/SUPPORT/ent-security....



  • 6.  RE: Setting up SEP 11 on Remote servers

    Posted Dec 02, 2010 06:19 AM

    Thanks for the advice guys

    Ideally I want everything going through the UK SEPM but as Pawel has said, if the WAN is slow then I will look at setting up a separate SEPM and 2 DBs.

     

    So just to confirm:

    • As long as I have admin rights and a decent WAN connection I can push the clients out to the servers and workstations from the UK SEPM as I normally do?
    • The definitions will also be pushed out from the UK SEPM as well?

    Is this correct?



  • 7.  RE: Setting up SEP 11 on Remote servers

    Posted Dec 02, 2010 06:22 AM

    If you can reach the Chinese machines from the UK there is no problem deploying the clients and making them update from the UK server. However you may want to open the port (by default 8014) used by clients to communicate with the server on your firewall to let the clients connect from the China site.



  • 8.  RE: Setting up SEP 11 on Remote servers

    Broadcom Employee
    Posted Dec 02, 2010 06:23 AM
    • As long as I have admin rights and a decent WAN connection I can push the clients out to the servers and workstations from the UK SEPM as I normally do?

    Yes.

    • The definitions will also be pushed out from the UK SEPM as well?

    Is this correct? 

    Yes, however I recommend having a GUP at the remote place. It will save download bandwidth for the clients.



  • 9.  RE: Setting up SEP 11 on Remote servers

    Posted Dec 02, 2010 06:33 AM

    Thank you Pawel

    I will give it a go and report results.

     

    Pete_4u2002

    Just to clarify, when you mention GUP are you referring to Group update policy?



  • 10.  RE: Setting up SEP 11 on Remote servers

    Posted Dec 02, 2010 06:46 AM

    GUP is group update provider - a regular SEP client which deploys definitions to other clients. So only one client - the GUP - downloads defs from SEPM over the slow WAN and the rest of the clients download them from it, so bandwidth is saved. Still, all clients need to maintain a minimum connection to the server (to download settings, policies, etc.) but the difference in bandwidth is huge.



  • 11.  RE: Setting up SEP 11 on Remote servers

    Trusted Advisor
    Posted Dec 02, 2010 06:56 AM

    Yup, Pawel is correct. If you want to set up and there are a lot of users over there, I'd allocate them to a GUP locally to save the bandwidth. If there are only a handful of users you won't notice any issues with bandwidth. Depends how many users you want to hook up.



  • 12.  RE: Setting up SEP 11 on Remote servers

    Posted Dec 02, 2010 07:42 AM

    Additionally, the network firewall must allow traffic on TCP 2967 (customizable), so that the GUP can communicate with the SEPM.

    http://www.symantec.com/business/support/index?page=content&id=TECH102416&locale=en_US



  • 13.  RE: Setting up SEP 11 on Remote servers

    Posted Dec 02, 2010 08:29 AM


    That's incorrect: on port 2967 clients connect to GUP. GUP connects to SEPM on port 8014.



  • 14.  RE: Setting up SEP 11 on Remote servers

    Posted Dec 02, 2010 10:36 AM

    I stand corrected.

     

    Thanks Pawel.



  • 15.  RE: Setting up SEP 11 on Remote servers

    Posted Dec 07, 2010 04:25 AM

    OK, I got the client up and running and am just in the process of updating the definitions, so thanks for all your help on this guys.

     

    I have put the client in its own group called China Office.

    What I need to know is how do I make this into the GUP.  I know you do it through the policies but am unsure as to which policy I need to create (live update, AV & anti spyware etc.) and if this will affect any policies I have already.  I only have the system default policies that were set up on install, by the way.

    Also, to specify which clients get the policy, is it just a case of once the policy is created you assign it to that specific group and all clients in that group will benefit from that policy?



  • 16.  RE: Setting up SEP 11 on Remote servers

    Posted Dec 07, 2010 04:37 AM

    About your second question - yes, you create a new policy, assign to a group and all clients in this group will have this policy applied.

    Now, how do you promote a client to GUP? Basically you set it via the LiveUpdate policy. Please have a look at these articles:

    Symantec Endpoint Protection 11.0 Group Update Provider (GUP)   -> general information and setup
    http://www.symantec.com/business/support/index?page=content&id=TECH102541&locale=en_US


    Best Practices with Symantec Endpoint Protection (SEP) Group Update Providers (GUP)
    http://www.symantec.com/business/support/index?page=content&id=TECH93813&locale=en_US



  • 17.  RE: Setting up SEP 11 on Remote servers

    Posted Dec 08, 2010 06:42 AM

    OK, so I've come to create a new policy and I've hit a couple of problems

     

    • The group list is hidden for some reason

     

    • I get the warning as described in the document from the 1st link posted above stating "Default Management Server should be selected to use group update provider."

    Now also in the 1st link above, after showing this error it states some Registry settings but doesn't mention if these need changing or what else to do to remove the error.

    I am really stuck on this now and don't want to change any settings in case it messes up the policy or other settings I already have in place.



  • 18.  RE: Setting up SEP 11 on Remote servers

    Posted Dec 08, 2010 06:47 AM

    Hm, I don't really get what the problem is, but basically you should create a new LU policy (let's call it GUP LU policy) and assign it to the group(s) where your clients and GUP are. In the LU policy, on LU settings, on the Server part, please select "Use management server" and put the IP or hostname for a GUP.

    That should work!



  • 19.  RE: Setting up SEP 11 on Remote servers

    Posted Dec 08, 2010 07:59 AM

    Sorry, looks like I misread the article from the link.

    OK, I've set up the policy but can't access the remote PC just yet to test if the GUP is working correctly.

    I will post back once I have tested, and once again thank you for your help.



  • 20.  RE: Setting up SEP 11 on Remote servers

    Posted Dec 08, 2010 08:02 AM

    You are very welcome. Please let us know how it works.



  • 21.  RE: Setting up SEP 11 on Remote servers

    Posted Dec 10, 2010 03:44 AM

    OK, I've got another client up and running in our China offices and put it in the group where I have assigned the GUP policy.

    The client received the definitions very quickly so it looks like it is working OK, but how do I check to make sure it really is receiving the definitions from the GUP and not the SEPM back in the UK?



  • 22.  RE: Setting up SEP 11 on Remote servers

    Posted Dec 11, 2010 03:36 PM

    This is tricky. This is how it works: the client will contact GUP only when it gets the information from SEPM that there are new updates:

    client: Yo, SEPM. Do you have new defs?

    SEPM: Nope.

    client: Ok...

    (1 hour later)

    client: And now.

    SEPM: Yeap.

    client: Great! (to GUP): Hey bro, gimme some fresh defs.

    GUP: Wait a sec. I am downloading them from SEPM. Will be ready soon.

    client: No problem.

    So, to sum up, since there are 3 updates daily, it is difficult to catch the client red-handed flirting with GUP :-) My advice: keep sylink.log ON on the client for about 12 h, then check it. If there is a connection on port 2967 - it uses GUP. If you are not sure, you can paste the log here.

    Let us know! :-)

     



  • 23.  RE: Setting up SEP 11 on Remote servers

    Posted Dec 13, 2010 03:21 AM

    Thanks Pawel

     

    I have enabled sylink logging and will leave it running for 12 hours.  If I get any problems with the log I will post back on here.

    Thank you.



  • 24.  RE: Setting up SEP 11 on Remote servers

    Posted Dec 14, 2010 08:04 AM

    Hi Pawel

     

    I don't think this is connecting to the GUP for updates.

    I have had the log running for over 12 hours and can't see any mention of port 2967.

    Please see attached log.

     

    Attachment(s): debug log.txt (126 KB)


  • 25.  RE: Setting up SEP 11 on Remote servers

    Posted Dec 14, 2010 08:28 AM

    The debug log you provided is a log of client activity; we need sylink log: http://www.symantec.com/connect/articles/how-enable-sylink-logs-registry

    :-)



  • 26.  RE: Setting up SEP 11 on Remote servers

    Posted Dec 14, 2010 08:29 AM

    I will check the log and in the meantime could you please run the Support Tool and attach here the .sdbz log resulting from it? It will allow us to check if the policies are applied on the client correctly.

    EDIT: unnecessary. Please see my post below.



  • 27.  RE: Setting up SEP 11 on Remote servers

    Posted Dec 14, 2010 09:07 AM

    Sorry, didn't realise I had to add the Registry string.

     

    OK, that is now working and there are strings of text in there that contain reference to 2967 but make no sense to me.

    I have attached the log.

    Is this sufficient or do I have to leave it again for a while?

    Attachment(s): sylink log.txt (36 KB)


  • 28.  RE: Setting up SEP 11 on Remote servers

    Posted Dec 14, 2010 09:26 AM

    Nope, it is just a piece of a request. As I explained, it will be a bit difficult to catch the client accessing GUP so you'd better leave it running for some time. Then you can search for the string :2967



  • 29.  RE: Setting up SEP 11 on Remote servers

    Posted Dec 15, 2010 09:45 AM

    I have run the log again and it looks like it is working now. The port 2967 is mentioned along with the GUP's IP address about half way down the document.

    Could you take a look at the attached log and just confirm this for me please, just to put my mind at rest.

     

    Thank you.

    Attachment(s): sylink log_0.txt (5.51 MB)


  • 30.  RE: Setting up SEP 11 on Remote servers
    Best Answer

    Posted Dec 15, 2010 10:54 AM

    The client seems to download correctly from GUP:

    12/15 08:32:14 [3208] <CHttpConnector::SendRequest()>
    12/15 08:32:14 [3208] Request> http://192.168.2.200:2967/content/{D3769926-05B7-4ad1-9DCF-23051EEE78E3}/101213001/xdelta101210001.dax
    12/15 08:32:15 [3208] Unable to query return content length for SendRequest, 122
    12/15 08:32:15 [3208] </CHttpConnector::SendRequest()>
    12/15 08:32:15 [3208] <CHttpFileDownload::read()>
    12/15 08:32:15 [3208] </CHttpFileDownload::read()>
    12/15 08:32:15 [3208] </CHttpFileDownload::Do()>
    12/15 08:32:15 [3208] <LUDownloader::GetContentToFile> completed. 
    12/15 08:32:15 [3208] <CHttpFileDownload::~CHttpFileDownload()>
    12/15 08:32:15 [3208] </CHttpFileDownload::~CHttpFileDownload()>
    12/15 08:32:15 [3208] <UpdateLUFileList:>Updating existing Download File List with : {D3769926-05B7-4ad1-9DCF-23051EEE78E3}101213001
    12/15 08:32:15 [3208] <ProcessLUDownloadedFile>LU Content Downloaded.  Moniker: {D3769926-05B7-4ad1-9DCF-23051EEE78E3} Target Seq:101213001 Full version:0 Delta Base Seq:101210001
    12/15 08:32:15 [3208] <PostEvent>going to post event=EVENT_LU_DOWNLOAD_COMPLETED
    12/15 08:32:19 [3208] <PostEvent>done post event=EVENT_LU_DOWNLOAD_COMPLETED, return=0
    12/15 08:32:19 [3208] <ProcessLUDownloadedFile> Download LU file succeeded. FileName: C:\Program Files\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF{D3769926-05B7-4ad1-9DCF-23051EEE78E3}1012130011012100017.TMP Moniker: {D3769926-05B7-4ad1-9DCF-23051EEE78E3} Seq: 101213001 
    12/15 08:32:19 [3208] <LUThreadProc>LU file download succeceded with HTTP status:200 and with return status:0
    12/15 08:32:19 [3208] <CExpBackoff::Decrement()>
    12/15 08:32:19 [3208] Backoff wait index: 0
    12/15 08:32:19 [3208] </CExpBackoff::Decrement()>
    12/15 08:32:19 [3208] <SetupTempLUFilePath:>NEW download: C:\Program Files\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF{C60DC234-65F9-4674-94AE-62158EFCA433}1012140011012130037.TMP
    12/15 08:32:19 [3208] <CHttpFileDownload::CHttpFileDownload()>
    12/15 08:32:19 [3208] </CHttpFileDownload::CHttpFileDownload()>
    12/15 08:32:19 [3208] <CHttpFileDownload::Do()>
    12/15 08:32:19 [3208] <CHttpFileDownload::getRemainingBytesToDownload()>
    12/15 08:32:19 [3208] Remaining bytes to download: 1404240
    12/15 08:32:19 [3208] </CHttpFileDownload::getRemainingBytesToDownload()>
    12/15 08:32:19 [3208] <CHttpConnector::SendRequest()>
    12/15 08:32:19 [3208] Request> http://192.168.2.200:2967/content/{C60DC234-65F9-4674-94AE-62158EFCA433}/101214001/xdelta101213003.dax
    12/15 08:32:19 [3208] Unable to query return content length for SendRequest, 122
    12/15 08:32:19 [3208] </CHttpConnector::SendRequest()>
    12/15 08:32:19 [3208] <CHttpFileDownload::read()>
    12/15 08:32:20 [3208] </CHttpFileDownload::read()>
    12/15 08:32:20 [3208] </CHttpFileDownload::Do()>
    12/15 08:32:20 [3208] <LUDownloader::GetContentToFile> completed. 
    12/15 08:32:20 [3208] <CHttpFileDownload::~CHttpFileDownload()>
    12/15 08:32:20 [3208] </CHttpFileDownload::~CHttpFileDownload()>
    12/15 08:32:20 [3208] <UpdateLUFileList:>Updating existing Download File List with : {C60DC234-65F9-4674-94AE-62158EFCA433}101214001
    12/15 08:32:20 [3208] <ProcessLUDownloadedFile>LU Content Downloaded.  Moniker: {C60DC234-65F9-4674-94AE-62158EFCA433} Target Seq:101214001 Full version:0 Delta Base Seq:101213003
    12/15 08:32:20 [3208] <PostEvent>going to post event=EVENT_LU_DOWNLOAD_COMPLETED
    12/15 08:32:39 [1856] <CSyLink::mfn_DownloadNow()>
    12/15 08:32:39 [1856] </CSyLink::mfn_DownloadNow()>
    12/15 08:33:36 [3208] <PostEvent>done post event=EVENT_LU_DOWNLOAD_COMPLETED, return=0
    12/15 08:33:36 [3208] <ProcessLUDownloadedFile> Download LU file succeeded. FileName: C:\Program Files\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF{C60DC234-65F9-4674-94AE-62158EFCA433}1012140011012130037.TMP Moniker: {C60DC234-65F9-4674-94AE-62158EFCA433} Seq: 101214001 
    12/15 08:33:36 [3208] <LUThreadProc>LU file download succeceded with HTTP status:200 and with return status:0
    12/15 08:33:36 [3208] <CExpBackoff::Decrement()>
    12/15 08:33:36 [3208] Backoff wait index: 0
    12/15 08:33:36 [3208] </CExpBackoff::Decrement()>
    12/15 08:33:36 [3208] <SetupTempLUFilePath:>NEW download: C:\Program Files\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF{812CD25E-1049-4086-9DDD-A4FAE649FBDF}1012140171012130207.TMP
    12/15 08:33:36 [3208] <CHttpFileDownload::CHttpFileDownload()>
    12/15 08:33:36 [3208] </CHttpFileDownload::CHttpFileDownload()>
    12/15 08:33:36 [3208] <CHttpFileDownload::Do()>
    12/15 08:33:36 [3208] <CHttpFileDownload::getRemainingBytesToDownload()>
    12/15 08:33:36 [3208] Remaining bytes to download: 617114
    12/15 08:33:36 [3208] </CHttpFileDownload::getRemainingBytesToDownload()>
    12/15 08:33:36 [3208] <CHttpConnector::SendRequest()>
    12/15 08:33:36 [3208] Request> http://192.168.2.200:2967/content/{812CD25E-1049-4086-9DDD-A4FAE649FBDF}/101214017/xdelta101213020.dax
    12/15 08:33:37 [3208] Unable to query return content length for SendRequest, 122
    12/15 08:33:37 [3208] </CHttpConnector::SendRequest()>
    12/15 08:33:37 [3208] <CHttpFileDownload::read()>
    12/15 08:33:37 [3208] </CHttpFileDownload::read()>
    12/15 08:33:37 [3208] </CHttpFileDownload::Do()>
    12/15 08:33:37 [3208] <LUDownloader::GetContentToFile> completed. 
    12/15 08:33:37 [3208] <CHttpFileDownload::~CHttpFileDownload()>
    12/15 08:33:37 [3208] </CHttpFileDownload::~CHttpFileDownload()>
    12/15 08:33:37 [3208] <UpdateLUFileList:>Updating existing Download File List with : {812CD25E-1049-4086-9DDD-A4FAE649FBDF}101214017
    12/15 08:33:37 [3208] <ProcessLUDownloadedFile>LU Content Downloaded.  Moniker: {812CD25E-1049-4086-9DDD-A4FAE649FBDF} Target Seq:101214017 Full version:0 Delta Base Seq:101213020
    12/15 08:33:37 [3208] <PostEvent>going to post event=EVENT_LU_DOWNLOAD_COMPLETED
    12/15 08:33:43 [1856] <CSyLink::mfn_DownloadNow()>
    12/15 08:33:43 [1856] </CSyLink::mfn_DownloadNow()>
    12/15 08:33:57 [3208] <PostEvent>done post event=EVENT_LU_DOWNLOAD_COMPLETED, return=0
    12/15 08:33:57 [3208] <ProcessLUDownloadedFile> Download LU file succeeded. FileName: C:\Program Files\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF{812CD25E-1049-4086-9DDD-A4FAE649FBDF}1012140171012130207.TMP Moniker: {812CD25E-1049-4086-9DDD-A4FAE649FBDF} Seq: 101214017 
    12/15 08:33:57 [3208] <LUThreadProc>LU file download succeceded with HTTP status:200 and with return status:0
    12/15 08:33:57 [3208] <CExpBackoff::Decrement()>
    12/15 08:33:57 [3208] Backoff wait index: 0
    12/15 08:33:57 [3208] </CExpBackoff::Decrement()>
    12/15 08:33:57 [3208] <SetupTempLUFilePath:>NEW download: C:\Program Files\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF{E5A3EBEE-D580-421e-86DF-54C0B3739522}1012140171012130207.TMP
    12/15 08:33:57 [3208] <CHttpFileDownload::CHttpFileDownload()>
    12/15 08:33:57 [3208] </CHttpFileDownload::CHttpFileDownload()>
    12/15 08:33:57 [3208] <CHttpFileDownload::Do()>
    12/15 08:33:57 [3208] <CHttpFileDownload::getRemainingBytesToDownload()>
    12/15 08:33:57 [3208] Remaining bytes to download: 5873
    12/15 08:33:57 [3208] </CHttpFileDownload::getRemainingBytesToDownload()>
    12/15 08:33:57 [3208] <CHttpConnector::SendRequest()>
    12/15 08:33:57 [3208] Request> http://192.168.2.200:2967/content/{E5A3EBEE-D580-421e-86DF-54C0B3739522}/101214017/xdelta101213020.dax
    12/15 08:33:57 [3208] Unable to query return content length for SendRequest, 122
    12/15 08:33:57 [3208] </CHttpConnector::SendRequest()>
    12/15 08:33:57 [3208] <CHttpFileDownload::read()>
    12/15 08:33:57 [3208] </CHttpFileDownload::read()>
    12/15 08:33:57 [3208] </CHttpFileDownload::Do()>
    12/15 08:33:57 [3208] <LUDownloader::GetContentToFile> completed. 
    12/15 08:33:57 [3208] <CHttpFileDownload::~CHttpFileDownload()>
    12/15 08:33:57 [3208] </CHttpFileDownload::~CHttpFileDownload()>
    12/15 08:33:57 [3208] <UpdateLUFileList:>Updating existing Download File List with : {E5A3EBEE-D580-421e-86DF-54C0B3739522}101214017
    12/15 08:33:57 [3208] <ProcessLUDownloadedFile>LU Content Downloaded.  Moniker: {E5A3EBEE-D580-421e-86DF-54C0B3739522} Target Seq:101214017 Full version:0 Delta Base Seq:101213020
    12/15 08:33:57 [3208] <PostEvent>going to post event=EVENT_LU_DOWNLOAD_COMPLETED
    12/15 08:34:03 [3208] <PostEvent>done post event=EVENT_LU_DOWNLOAD_COMPLETED, return=0
    12/15 08:34:03 [3208] <ProcessLUDownloadedFile> Download LU file succeeded. FileName: C:\Program Files\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF{E5A3EBEE-D580-421e-86DF-54C0B3739522}1012140171012130207.TMP Moniker: {E5A3EBEE-D580-421e-86DF-54C0B3739522} Seq: 101214017 
    12/15 08:34:03 [3208] <LUThreadProc>LU file download succeceded with HTTP status:200 and with return status:0
    12/15 08:34:03 [3208] <CExpBackoff::Decrement()>
    12/15 08:34:03 [3208] Backoff wait index: 0
    12/15 08:34:03 [3208] </CExpBackoff::Decrement()>
    12/15 08:34:03 [3208] SyLinkDeleteConfig => Deleting instance: 0389CE30
    12/15 08:34:28 [1528] <ParseErrorCode:>12031=>Unknown error code.
    12/15 08:34:28 [1528] <MaintainPushConnection:>COMPLETED
    12/15 08:34:28 [1528] <ScheduleNextUpdate>new scheduled heartbeat=32 seconds
    12/15 08:34:28 [1528] HEARTBEAT: Check Point 8
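
The check worked out in posts 22 to 30 (search sylink.log for requests on port 2967 and confirm they completed) can be run over a whole log rather than by eye. The script below is an added example, not code from the thread or from Symantec. It assumes the line formats shown in the excerpt above; the sample log is constructed, and the 10.0.0.10:8014 SEPM request in it is a hypothetical line that assumes direct SEPM downloads use the same URL shape.

```python
import re
from collections import Counter

GUP_PORT = 2967   # clients fetch content from the GUP on this port (per the thread)
SEPM_PORT = 8014  # default port for client/GUP -> SEPM traffic (per the thread)

# "Request>" lines as they appear in the sylink.log excerpt above.
REQUEST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[(?P<tid>\d+)\] Request> "
    r"http://(?P<host>[^:/\s]+):(?P<port>\d+)/content/"
    r"(?P<moniker>\{[0-9A-Fa-f-]{36}\})/(?P<seq>\d+)/"
)
# Completion lines; the message text is matched loosely, only the status is used.
STATUS_RE = re.compile(
    r"^\d\d/\d\d \d\d:\d\d:\d\d \[(?P<tid>\d+)\] <LUThreadProc>.*HTTP status:(?P<status>\d+)"
)


def parse_downloads(lines):
    """One record per content request, paired with the next HTTP status
    logged by the same thread id (status stays None if none follows)."""
    downloads, pending = [], {}
    for line in lines:
        line = line.strip()
        req = REQUEST_RE.match(line)
        if req:
            port = int(req["port"])
            rec = {"time": req["ts"], "host": req["host"], "port": port,
                   "source": {GUP_PORT: "GUP", SEPM_PORT: "SEPM"}.get(port, "other"),
                   "moniker": req["moniker"], "seq": req["seq"], "status": None}
            downloads.append(rec)
            pending[req["tid"]] = rec
            continue
        done = STATUS_RE.match(line)
        if done and done["tid"] in pending:
            pending.pop(done["tid"])["status"] = int(done["status"])
    return downloads


def summarize(downloads):
    """Count completed (HTTP 200) downloads per source."""
    return Counter(d["source"] for d in downloads if d["status"] == 200)


# Constructed sample. The 192.168.2.200 lines follow the excerpt above; the
# 10.0.0.10:8014 request (assumed URL shape) and the final unanswered request
# are invented here to show the SEPM and incomplete cases.
SAMPLE_LOG = """\
12/15 08:32:14 [3208] Request> http://192.168.2.200:2967/content/{D3769926-05B7-4ad1-9DCF-23051EEE78E3}/101213001/xdelta101210001.dax
12/15 08:32:15 [3208] Unable to query return content length for SendRequest, 122
12/15 08:32:19 [3208] <LUThreadProc>LU file download succeceded with HTTP status:200 and with return status:0
12/15 08:32:19 [3208] Request> http://192.168.2.200:2967/content/{C60DC234-65F9-4674-94AE-62158EFCA433}/101214001/xdelta101213003.dax
12/15 08:33:36 [3208] <LUThreadProc>LU file download succeceded with HTTP status:200 and with return status:0
12/15 12:40:02 [3208] Request> http://10.0.0.10:8014/content/{C60DC234-65F9-4674-94AE-62158EFCA433}/101215001/xdelta101214001.dax
12/15 12:40:09 [3208] <LUThreadProc>LU file download succeceded with HTTP status:200 and with return status:0
12/15 16:05:44 [3208] Request> http://192.168.2.200:2967/content/{D3769926-05B7-4ad1-9DCF-23051EEE78E3}/101215002/xdelta101213001.dax
""".splitlines()

if __name__ == "__main__":
    records = parse_downloads(SAMPLE_LOG)
    for d in records:
        print(d["time"], d["source"], f'{d["host"]}:{d["port"]}', d["seq"], d["status"])
    print(dict(summarize(records)))
```

A client that keeps showing SEPM downloads after the GUP policy is assigned is still pulling definitions over the WAN; requests with no status may simply be cut off by the end of the log.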