Endpoint Protection

Hi,

I've been looking for a solution to distributing live update content to the workstations on our domain for a while now but to no avail so I'm hoping someone here might have a possible solution as I've read everything I can find.

What the network is changing to:

1. Several dozen sites each with multiple subnets.  Each site has it's own Active Directory Site.

2. No server on any site is on the same subnet as workstations on those sites.  Their IPs start similarly though - i.e. site A could have 20 subnets, some allocated to servers, some to workstations but all would start with 192.168.x.x

3. Most sites have multiple workstation subnets

4. AD structure will be pretty flat so a large amount of workstations will be in the same OU (i.e. Sites do not have their own OU)

5. There are several thousand workstations that need to be managed

6. Most servers are 2003 R2, most workstations are XP 32 bit or windows 7 64 bit.

It's not possible to change any of the above, unfortunately.

Many sites are remote and ideally we'd like a content distributer on each site.

We are running SEP 11 RU5 (I believe, it's version 11.0.5002.333) and have one primary SEP manager with one backup.

After much research it doesn't appear that a Multiple GUP setup would work since all servers are on different subnets to the workstations (but please correct me if I'm wrong here).  A single GUP setup would require manually maintaining groups on the SEPM so a lot of work - unless there is some way to automatically allocate existing and new workstation clients to groups based on specified criteria?

Any help would be great!

Thanks in advance,

yes, multiple GUP is the way you should look for. you can assign IP or conditions.

You can provide the backup GUP, in case client is not able to reach to any of the assigned GUP.

Thank you for the quick reply. 

After reading a lot about Multiple GUPs I was under the impression that if a client cannot find a GUP on its local subnet it would then either go to the backup GUP or directly back to the SEPM.  In my scenario though the client will never be on the same subnet as the GUP so will always go to the backup GUP.  If I can only define one backup GUP then all clients will always go back to the one backup GUP or the SEPM.

Unless you meant something else?

 If I can only define one backup GUP then all clients will always go back to the one backup GUP or the SEPM.
 

yes, provided you have configured that clients do not bypass GUP.

Hello,

I agree with Pete's comment above.

• If you have configured a "Backup" Group Update Provider on a different subnet (if Group Update Providers on the local subnet are unavailable). 
• If you have configured a GUP from a different Subnet as a Single Group Update Provider.

Reference: http://www.symantec.com/docs/TECH139867

http://www.symantec.com/docs/TECH96419

Also, Check these Articles:

How To Optimize Endpoint Protection for Branch Offices using GUPs, Load Balancing, and Location Awareness

http://www.symantec.com/docs/TECH94122

How to update virus definitions and other content with Symantec Endpoint Protection and Symantec Network Access Control

http://www.symantec.com/docs/TECH102467

Symantec Endpoint Protection Sizing and Scalability Best Practices White Paper

http://www.symantec.com/docs/DOC4448

Also, check this Thread: https://www-secure.symantec.com/connect/forums/symantec-endpoint-protection-management-multi-site-setup

Hope that helps!!

Hallo, can I ask a question about update process?

In my environment I have x86 computers with Windows XP / 7 and x64 computers with Windows 7.
I have created two client packages (12.1.1000.157) one for the x86 environment and one for the x64 environment.
I would update my computer adding my packages to the "Install Packages" section of my default group.
Can I add together the x86 and x64 packages to one group? The computers will download the right package according to their operating system version?

Thanks for suggestion.

Can I add together the x86 and x64 packages to one group? The computers will download the right package according to their operating system version?
 

yes, the client will take the corrrect package that is needed.

Hi,

In the end you need to use the single GUPs.

As explained by Pete and Mithun, when using multiple GUPs, the clients will connect only to the that GUP on the same subnet and to its backup (even in a different subnet) in case of failure.

Because you already know that it will fails because servers and GUPs are not in the same subnet, there is no advantage in setting multiple GUPs and then go to the backup, you will need to set up a different backup GUP per each site, so it will equivalent to using single GUPs.

Dear PXW.

I use Location awareness to solve my problem which is the same as yours.

I define the following

• One SEP group for workstations
• Multiple locations for SEP group
• One location per AD site
• Each location uses the default gateway for the subnet as a criteria. (Reasoning here is that multiple subnet make up one network site. One network site = one SEP location. Default gateway is more unique than DHCP / DNS server used or DNS suffix. Default gateway immediately available when client gets IP address. If a laptop moves to a new site, location is changed automatically -> No having to manually move laptop to a new SEP group to get new LU policy.
• One LiveUpdate policy per location
• Each LiveUpdate policy defines only one GUP. Now clients will go outside of their own subnet for downloads
• One additional generic location for Off network clients to get updates from the Internet

PS Remember that AD domains and OU's can be divorced from SEP domains and groups. You don't necessarily need that integration. If you DO NOT use AD integration, you have a lot of freedom on how to structure your SEP groups.

Beppe - Is there some way to auto-populate a group in the SEPM with workstations based on ad-site or ip address, or anything really?  That would allow then allow the setup of each group pointing to a single GUP.

Ian_C. - Very interesting idea.  I actually started looking into that option but read on the whitepaper that it was not recommended to have more than 7 or so locations - much more than that and it would start causing delays/slow down.  Using this option I would be creating 50+ locations.  Do you mind me asking what your experience is like in this regard for a large number of locations?

Hi. Brian81 has posted that he has 40+ locations: https://www-secure.symantec.com/connect/forums/location-awareness-many-groups-admin-nightmare#comment-4808791

In the end, we'll have ±80 locations & associated LiveUpdate policies. As in the above thread, so far we don't see an impact. Admin overhead is the pain.

No, there's not, I'm afraid.

I would not recommend having too many locations, in addition to possible performance issues and admin overhead, even troubleshooting will become complex in case of issues.

SEP locations have been thought for laptops that can really change location, not as a way to set the GUPs for workstations, I know it still works but there's no optimization behind it.

In your case, I believe the best is to reorganize your clients in groups according to their physical location and give to each group a sigle dedicated GUP. As answered above there's no such feature to auto-populate groups according to some criteria but instead you may use the Search Clients feature according to the criteria you wish and then select the results > right click > move. It should be easier than you believe and, in the long term, you will be paid back by less complex maintenance.

Moreover, consider the impact on reports, there are filters by groups but not by locations, so if you have a big group with several locations, you won't be able to break reports down to specific groups, this may result in less readable reports, inability to isolate issues, etc. so, additional waste of time.

In my opinion you have two ways.

1. As Bepee said Create groups for each location and assign a single GUP to that group.

2. If the number of client in each location is quiet large, you can install on LUA for that location and configure the clients to receive update from this LUA.

2. If the number of client in each location is quiet large, you can install on LUA for that location and configure the clients to receive update from this LUA.

Except that you then need a live update policy per LiveUpdate server which brings you back to multiple groups or multiple locations because you do not want clients to download updates across the WAN.

Hi.

Have you found a solution to your problem? Have any of the answers here helped?

Just wanted to say thank you for all the assistance.  It looks like the initial set up is a larger job than expected but I believe you've provided the best options available.

Thanks again,

PXW

I have two seperate installation running, both with multiple locations (31 and 15) and in the "Manage Locations" Dialogue I have many sites with multiple subnets.

Pic is of the most populous site with the most subnets. All running from the one GUP.

have had minor issues mostly to do with bandwidth to the site (remote). This seems to work fine. Been running this config around two years now. Setup is a little intensive but once it's done it seems to just tick along nicely.

Dear PXW

Please mark the response that helped you most resolve your problem as the answer to this thread.

Thank you in advance.

Greg12 suggest a different solution here: https://www-secure.symantec.com/connect/forums/update-distribution-point-multiple-subnets#comment-7273681