Endpoint Protection

  • 1.  Configuring Roaming Computers

    Posted Feb 07, 2011 04:13 PM

    Hello,

    Hoping someone can help me out with this.

    I have set up a site.  Within this site I have set up groups based on geographic location (Olympia, Tacoma, Seattle, etc.).

    My Olympia computers connect to the SEPM for Live Updates.  All other groups connect to a GUP in their own office.  So Tacoma PCs connect to a GUP defined for the Tacoma group.  Seattle PCs connect to a GUP configured for Seattle, and Olympia PCs connect to the SEPM (which is also defined as a GUP).  This all appears to be working fine.  However, I have 2 questions about how to refine this:

    1) How can I make it so that a computer which is a member of the Olympia group will automatically assign itself to the Tacoma group if it is connected in Tacoma?  I have an issue where some of our Olympia users bring their laptops to Tacoma.  When they do they pick up an address on the Tacoma subnet, but still pull their updates from the SEPM in Olympia.  We do have quite a few users who travel around and can be in Olympia one day, Tacoma the next, and Seattle the day after.  I'd like it if the laptops in question would just download their definitions from the GUP local to their current location.

    2)  How can I configure laptops, which may not connect to our network for weeks at a time, to get their updates directly from Symantec when off our network and from a GUP when they are connected to our network?

    I usually don't like asking two questions in one post, but these seem to me to be pretty closely related and I'm hoping what I learn about how to fix one issue will lead me to a fix for the other.

    Thanks in advance,

    John



  • 2.  RE: Configuring Roaming Computers
    Best Answer

    Broadcom Employee
    Posted Feb 07, 2011 04:57 PM

    You could use location awareness to accomplish this.  The document below describes how to set up location awareness so that when your laptops are offsite they will download definitions from Symantec rather than your internal SEPM.

    How to configure mobile computers to automatically download virus definitions when disconnected from the Symantec Endpoint Protection Management console

    http://www.symantec.com/business/support/index?page=content&id=TECH104571&locale=en_US

    You can't make a computer automatically switch groups, but you can change what policies are applied to it based on criteria you define within the location awareness settings.



  • 3.  RE: Configuring Roaming Computers

    Posted Feb 07, 2011 05:59 PM

    Thanks for the reply.  I read through the link you posted and have a question.

    Does this process require all of our laptops to be in the same group?  I can see a problem with that because I'm not sure how I can make them use a local GUP when they are connected to our network.  Does SEP client have the smarts to look at a configured list of GUPs and hit the one closest to it?

    Or am I thinking sideways here (I have been known to do that)?



  • 4.  RE: Configuring Roaming Computers

    Broadcom Employee
    Posted Feb 07, 2011 07:43 PM

    It doesn't require them to all be in the same group.  You would, however, have to configure this "offsite" location for each group which contained laptops that leave the office for an extended period of time.



  • 5.  RE: Configuring Roaming Computers

    Posted Feb 08, 2011 06:31 PM

    Thanks a lot.

    Boy oh Boy.  This is a tricky little product.

    I'm telling you what.

    John



  • 6.  RE: Configuring Roaming Computers

    Posted Feb 09, 2011 05:37 PM

    So I created a location under my Seattle Group.  Then I tried to move the laptops into this location and found that that is NOT how it works.

    I have to check for a condition and then the machines which meet those criteria move to the new location.  That's great.

    However, the only thing that differentiates the laptops from regular workstations is their names.  All our workstations have "WK" in their names and all of our laptops have "LT" in their names.  Unfortunately, there is no way to key on the computer name.  Basically, there are a lot of choices, but none of them do me much good.

    I guess I could just configure the whole group to use a Live Update server when they are off the network.  That would have the same effect since the workstations would not really move too often between offices or off our network entirely - unless we have some very enterprising employees.

    Anybody got any ideas on how to configure an entire group to use a GUP when they are on the network and a live update server when they aren't?  I guess this would be a good way to go, because I could then key it off IP addresses and this MAY solve the problem of Laptops moving around that I mentioned earlier.



  • 7.  RE: Configuring Roaming Computers

    Posted Feb 09, 2011 05:42 PM

    Create 2 different locations as well as two different LU Policies. As an example:

    Create an "On Network" location. Create an "On Network" LU Policy and set it so it only allows updates from the GUP. Assign this policy to your "On Network" location.

    Create an "Off Network" location. Create an "Off Network" LU Policy and set it so it only gets updates from a LU server. Assign this policy to your "Off Network" location.



  • 8.  RE: Configuring Roaming Computers

    Posted Feb 10, 2011 12:08 AM

    You might need to create multiple locations though.

    Here's how we do it.

    Create two Live Update policies, one for being connected to the corporate network & one when off the network.

    • Off network LU policy states to get updates from default Symantec LiveUpdate server.
    • On network LU policy states to use a GUP.* (See Beware ... below)

    Create multiple LiveUpdate policies, one for each location

    • Each LiveUpdate policy for that location, specifies to use the local GUP.

    For your groups, create a 'Off network' location with a definition that your workstation / laptop can't connect to the SEPM. This means you are in the big wide world out there, not the corporate LAN. Create a location each for Tacoma, Seattle, Olympia etc. The definition for this network is the default gateway. Now assign each location specific LU policy to each location definition for the group.

    You should then end up with something like this (See green highlights):

    Hopefully this gives you an idea to work with.

    Look here for another similar discussion: https://www-secure.symantec.com/connect/forums/sep-gup-behavior

    * Beware network spanning of GUPs

    • Symantec say that if you define a single GUP for a group, this GUP will service clients outside of its own IP subnet
    • If you define multiple GUPs, they will only service their own (Class C) IP subnet.

    Your case sounds small enough that this makes no difference. We however have GUPs servicing 3-200 subnets. Anything from Class B down to Class E. A multi GUP list does not work for us because of the limit of local subnet only.

    Hope that helps.
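
The layout from post 8, modelled as an added Python example (not part of the original thread and not Symantec code): it resolves a client's location and update source, and lists client subnets that a multi-GUP list would leave unserved under the /24 rule the poster quotes. All addresses are constructed, the function names are hypothetical, and testing "Off network" before the gateway match is an assumption made so that a home router reusing a site gateway address does not select a site location.

```python
import ipaddress

# Constructed sample plan: site names come from the thread, all addresses are made up.
SITES = {
    "Olympia": {"gateway": "10.1.0.1", "gup": "10.1.0.10"},
    "Tacoma":  {"gateway": "10.2.0.1", "gup": "10.2.0.10"},
    "Seattle": {"gateway": "10.3.0.1", "gup": "10.3.0.10"},
}

def resolve_location(default_gateway, sepm_reachable):
    """Pick a location from the two criteria named in post 8."""
    # Assumption: "Off network" (SEPM unreachable) is evaluated first.
    if not sepm_reachable:
        return "Off network"
    for site, cfg in SITES.items():
        if default_gateway == cfg["gateway"]:
            return site
    return "Default"  # on the corporate network, behind an unlisted gateway

def update_source(location):
    """Map a location to the source its LiveUpdate policy allows."""
    if location in SITES:
        return "GUP " + SITES[location]["gup"]
    if location == "Off network":
        return "Symantec LiveUpdate"
    return "SEPM"  # assumption: the fallback location keeps the group's default policy

def unserved_subnets(client_subnets, gup_list):
    """Under the multi-GUP rule quoted in post 8 (a listed GUP only serves its
    own /24), return the client subnets that no GUP in the list covers."""
    gup_nets = {ipaddress.ip_network(g + "/24", strict=False) for g in gup_list}
    missing = []
    for subnet in client_subnets:
        net = ipaddress.ip_network(subnet)
        # Split larger client ranges into /24s so each one is checked separately.
        parts = [net] if net.prefixlen >= 24 else net.subnets(new_prefix=24)
        missing.extend(str(p) for p in parts
                       if not any(p.subnet_of(g) for g in gup_nets))
    return missing

if __name__ == "__main__":
    loc = resolve_location("10.2.0.1", sepm_reachable=True)
    print(loc, "->", update_source(loc))
    print(unserved_subnets(["10.1.0.0/24", "10.2.0.0/23"], ["10.1.0.10", "10.2.0.10"]))
```

Running the coverage check against a real subnet inventory before switching a group to a multi-GUP list shows which ranges would need their own GUP or a different LiveUpdate policy.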



  • 9.  RE: Configuring Roaming Computers

    Posted Feb 10, 2011 10:45 AM

    It does.

    I will have to take care of some other business first then I will try and apply your suggestions to our network.

    Once again, tons of help....