Endpoint Protection

For me, "low bandwidth environment" is completely relative.  Some have access to pipes and budgets that many around the world do not.  Also, depending on what is already being pushed through those pipes and how reliant on them you are will make any potential bandwidth hogs that much more of a problem.

I had major bandwidth problems at a client which I spent months troubleshooting.  They were running a WAN over VPN tunnles on DSL connections in a star topology.  Although the download potentials of the connections were sufficient for their needs, the upload limit of the center node (head office) was ADSL and peaked out at around 70KB/s.  When the SEP clients would all start grabbing updates from the central server it would bring all head office communication to a crawl for a few hours a day.  Once I setup GUPs in the remote offices this meant only two systems were pulling from head office, however during weeks where there were many Symantec updates we could still see multiple days where over 400Mb of Symantec traffice was being generated.  The solution was to max out the number of versions of updates that are kept, as the more and older versions exist, there are more options to grab a delta differential update file from before sending it out over the WAN (sadly this option consumes many gigabytes of disk space).

For me it is really about bandwidth optimization.  Even on your nice MPLS/T1 connections, if you are using default settings for SEP/SEPM, all remote systems will EACH be downloading updates from your main server when updates are available.  Also, I think number of old versions of updates is set to something like 6, so any machine that has not been updated in the past week which tries to grab an update needs to download the WHOLE package which is over 200Mb if I recall correctly.

In my opinion, Symantec may or may not be the cause of the problem, but they do not optimize WAN traffic at all, and are notorious for having bloated software.  They are at least part of the problem.  I would suggest the following:

1. Up your number of update revisions to keep to 16 or more
2. I think you also need to keep these updates in uncompressed form in order for the delta update file creation to work (re-read this article)
3. Implement/assign at least one GUP in each location (updates sent to branch once, distributed from there)
4. Install NetLimiter Monitor (or buy it) on your SEPM and watch the process bandwidth use to the Internet zone (be aware installation requires a reboot)

Hope this helps.  NetLimiter is how I identified SEP as the culprit.  Note that the Symantec services download from IIS, so you'll probably see it as web traffic.

What would be a good definition of "low bandwidth environment" ?

Remote dial-up users? 128k ISDN line? My company has 5 remote sites, existing as subnets & their own router, and with either a 1.5 or 3.0 MPLS connections (or T1 in one case I think).

Something seems to cause us periodic bandwidth freak-outs, and Symantec often gets blamed.

Excelente articulo! Muchas gracias por compartir esto.

Wow.  Thanks for the detailed explanation

Very good article!

congratulations..

As a follow up to the implementation that I was doing, I have found that bandwidth throttling between GUPs and the central management server may not work as intended.  I would thusly suggest not using this, and if required, look at using IIS bandwidth throttling instead.

After working with Symantec support for many days without resolution as to why the clients were not getting any updates, I finally just disabled bandwidth throttling and everything started working normally.

Good tips for Bandwidth reducation in the Environment need to follow and read all the links available .

Thanks People

I have been working on this same issue.

I'm somewhat against the idea of manual upgrades, so I'm looking at package deployment.  This however brings a bunch of challenges into SEP/SEPM.

The following article describes deploying packages to remote sites using IIS.  If you use DNS to provide an IP address of an IIS server per site when a common hostname is queried, you could have this deployed package be retrieved locally from the SEP clients.

https://www-secure.symantec.com/connect/articles/how-auto-upgrade-remote-site-clients-using-iis#comment-4784321

My plans are to implement the above on the sites GUPs, and then use a scheduled RoboCopy task to ensure that the IIS content folders are kept up to date on the various site servers.

Greg

Any idea on deployment and upgrade on low bandwidth environments?

The article is generally for definition updates.

great collection of screen shots

Great article - really like all the screen shots high lighting the fields.
I'm reading thru all the related articles as well.
We use GUP's already but MR5 has new options which I need to understand.