Endpoint Protection

I have implemented a SEPM solutions before in a small business environment, so I am quite familiar with the product, however I do not have any experience implementhing it in the enterprise. I would really appreciate any  feedback from Symantec 'veterans' :).

This is our infrastructure:

- 10 physical locations with Symantec Antivirus v. 10, - 14 servers, 12 server groups (Symantec 10).
- Three biggest sites have 498, 420 and 150 clients respectively. There are 7 other offices with number of clients ranging from 13 to 80 per site.
- All of the sites are connected thru WAN (Sprint MPLS) network with T1/VPN backups.

My idea:

- Deploy Symantec Servers to three biggest sites, replicating data and logs between them (no content replication).
- Deploy Group Update Provider to the 7 smaller sites and have them connect to the closest management server.
- GUPs would cache updates for the clients at the smaller sites, clients would still send status/download policies from main management servers.

I think this could work, but my boss is concerned about the amount of traffic that this is going to generate over WAN, which may get expensive. Realistically, how much traffic would a site of 80 clients generate in a day when Group Update Provider is being used? Would a dedicated server with replication use less bandwith?

Would I lose any functionality by having the clients update from Live Update Internet site directly, since they all have T1 connections anyway? Would Endpoint Manager still be able to track the version of definitions, and force update if neccessary?

I know it's a lot of questions in a single post, but I hope that someone could provide some insight :).

You need not set any client group to take updates from Internet. Regarding the bandwidth, You can set communication settings for the group which is for a location site(e.g for 80 clients) in Pull mode with custom Heartbeat Interval(This will really help).

Also, for a Group you can now configure a GUP which is in another Group(It works with MR4MP2). So you may configure different Communication settings for GUPs to manage the Bandwidth.

Would I lose any functionality by having the clients update from Live Update Internet site directly, since they all have T1 connections anyway?
No, the Client will update all the components

Would Endpoint Manager still be able to track the version of definitions, and force update if neccessary?
Yes, but there is a setting that needs to be enabled. You can configure the Clients to take the update from the Symantec LIve update and Since the Clients are managed client need to come to SEPM for update, so you can change that setting  to a Month or so in the Live update policy

Content type	Size of Package	Comments	Deliverable via Group Update Provider (GUP)
Heartbeat (with no updates to be exchanged)	between 2 KB/s and 3 KB/s per heartbeat.	When there is no traffic to be exchanged (i.e. no profile to download and no logs to update). The heartbeat is configurable. The default is every 5 minutes.	The GUP does not directly manage clients; it delivers content to clients on its local network segment.
Policies (i.e. AV/AS, Firewall, OS Protection, Host Integrity)	Typically varies between 20 KB and 80 KB.	Generally, after you set your policies to suit your network needs, you do not modify them on a regular basis. Can increase if detailed rules are included, or OS protection templates are used.	No. The policies must come from a Symantec Endpoint Protection Manager.
IPS Signature Updates	50 KB and 100 KB	Symantec supplies updates approximately every quarter unless a specific threat or vulnerability needs to be addressed.
AV Signatures	50 KB to 100 KB (daily)	If you assume that the signatures are updated successfully every day.	Yes. The client receives information from the Symantec Endpoint Protection Manager when to download content from the GUP.
Logs	Varies	Logs are compressed at the client before they are uploaded to the Symantec Endpoint Protection Manager. Approximately, 800 log entries take up 1KB of file space.	Logs are forwarded from the client to the Manager.

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009080400343648
 

How to configure GUP bandwidth throttling in Symantec Endpoint Protection 11.0 MR4?
 

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008121722041748

About Group Update Providers

Group Update Providers (also know as GUPs) can be used in networks to distribute content updates. Clients will still need a Symantec Endpoint Protection Manager to connect to. The Manager is what informs the client that it should download new content from the Group Update Provider. The Manager is also responsible for distributing policies and collecting logs from the client.

For improved bandwidth, implement a Group Update Provider on an "always-on" machine running a Server OS (such as a Windows File server).

For remote sites with less than 10 machines, it may make most sense to have the local SEP clients connect directly to their SEPM for content updates or to Symantec Liveupdate on the internet.

When there are over 50 machines at the remote site, it advisable to install 1-2 GUPs to handle content distribution, while the clients are managed with a SEPM physically located at another office.

 

Group Update Provider As "Secondary Server"

The most significant load on the Manager comes from distributing content. GUPs can be used to supplement or replace a SEPM for distributing content updates to SEP clients. Rather than each of your branch clients connecting to the main office SEPM, it receives its updates from the Group Update Provider.

GUPs cannot be used to update policies or manage clients. This means that clients will still need network connectivity to a SEPM in order to perform the heartbeat process, which updates their policies, and informs them when new content is available to download from the GUP.

3. Configuration of Endpoint Protection

 

Organize Branch Offices by Group

Using this organization method will allow you to configure settings specific to each branch location. This will improve the performance of content distribution significantly, and greatly reduce the load on the server.

Use a Group Update Provider in Every Group

It is recommended that a GUP be on the same network segment as all clients configured to update from the GUP. Though bandwidth usage can be significantly reduced by using GUPs strategically, it is still important to ensure that GUPs are positioned in the network to maximize their effectiveness. GUPs should only be configured to provide updates to for clients on their local network segment. The GUP must have sufficient bandwidth to deliver content packages of up to 45 MB to the clients it serves up to 3 times a day.

Disable Policy Inheritance for Branch Office Groups

You must disable policy inheritance on the groups that will be using the GUP functionality of the Symantec Endpoint Protection software. If you have policy inheritance enabled on the groups that the GUP's were configured on they will revert back to the GUP configured for the Global group.

Click on the "Clients" tab.

Click on the name of the group.

Click on the "Policies" tab.

Under "Policy Inheritance" uncheck "Inherit policy and settings from parent group '<Group Name>'."

Configure Branch Groups for Pull Mode with Optimal Heartbeat

Endpoint Protection by default is set in "Push" mode. You should switch your branch offices to "Pull" mode. Clients that use the Pull mode download policies and content based on the Heartbeat interval setting, which is set to 5 minutes by default. Even in slower bandwidth environments, the heartbeat can be as frequent as every hour.

Click on the "Clients" tab.

Click on the name of the group.

Click on the "Policies" tab.

Under "Location-independent Policies and Settings" click on "communication settings".

Under "Download" check "Pull Mode"

Under "Heartbeat Interval" enter in a more convenient heartbeat. The default is 5 minutes.

Configure Log size

Configure Throttling

Group Update Provider (GUP) bandwidth throttling was introduced in SEP 11.0 MR4. Please refer to the following document for configuration instructions.

 'How to configure GUP bandwidth throttling in Symantec Endpoint Protection 11.0 MR4?'

 

 http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008121722041748?Open&seg=ent

Click on the "Clients" tab.

Click on the name of the group.

Click on the "Policies" tab.

Under "Location-independent Policies and Settings" click on "client log settings".

Adjust log settings if necessary.

.

Thank you all for your suggestions! Just so I can have two scenarios, where could I find information on how much bandwith does replication consume? I know there are options of disabling package replication, etc, but how much data would it be daily if I had 10 sites, each with their own Endpoint Protection Manager?

Top 10 Symantec Best Practices - Deploying Symantec Endpoint Protection Architecture
 

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009012721190648

Kamil - For the infrastructure that you are dealing with, I would just configure 1 SEPM server in the largest office with GUPs on all other sites...  This will alleviate all complications of replication of data from one SEPM to another and it will be easier to manage.
We have implemented 1 SEPM server that manages 15K+ systems in over 150+ offices and it works great...  GUPs do a great job of distributing defintions....


Thanks,

Here is some details regarding the infrastructure:

Main US office 420 clients
US NYC: 490 clients
US Office 3: 150 clients
UK Office: 31 clients
US office 4: 80 clients
US office 5: 70 clients
US office 6: 80 clients
US office 7: 40 clients
US office 8: 40 clients
US office 9: 15 clients

Would it be advised to deploy a second server in UK because of latency issues?

@Fjorq: What kind of heartbeat interval would you advise for that many clients and one server? I would like to avoid a situation where there is outbreak/infection and I don't know about it for few hours.

Yes UK should have a SEPM replcating with the main SEPM in US

The heart beat should be Pull mode ranging from 30 mins to 1 hr

A heartbeat of 1 hour would help keep the traffic down.. No need to have clients checking in with the server more often....
If you only have 31 systems in the UK, if it was me, I would manage them with a GUP and a backup of having the liveupdate policy set for them to go out to the internet in case of network connectivity issues with the main SEPM... 
You can opt for another SEPM in the UK, but for only 31 systems I think it will give you more work to manage it, upgrade it, etc... than just taking care of those 31 clients using a GUP and backup liveudpate policy...

Thanks,