Endpoint Protection

  • 1.  SEP 12.1 communications question

    Posted Sep 07, 2012 09:07 AM

    SEPM and clients on SEP 12.1.1101.401

    We are in the process of moving 5000 clients from SEP 11 to SEP12.  My process to do this is, I have an SCCM app that runs sylinkdrop on a locally mapped drive. (Works great)

    The clients get their SEP12 packages from a local http server (Works great)

    The clients get their defs from a local GUP (Works great)

    The problem/question I have is after the clients upgrade I am seeing a lot of network traffic back to the SEPM.  I think after the SEP12 client does an initial scan it uploads an inventory to the SEPM.  My client settings are also set for uploading the logs to the SEPM.  My heartbeat is set to 1 hour and download randomization is set for 2 hours.  I do have Learn applications that run on client computers checked, and I'm setting my download setting to Pull Mode.

    It looks like each workstation is uploading about 50-60 MB of data, when you get 5-6 of these happening at once it tanks the T1 and WAN access gets real slow.

    The questions I have are, is there any way to throttle the amount of bandwidth between the client and the SEPM?  What logs should I check to see what is causing these clients to talk to the SEPM?  Should I increase the heartbeat?

    What I need to do is cut down network traffic between the clients and the SEPMs.  HELP!!!

     



  • 2.  RE: SEP 12.1 communications question

    Posted Sep 07, 2012 09:14 AM

    Minimizing network traffic from client-to-server communications in Symantec Endpoint Protection Manager 12.1

    http://www.symantec.com/business/support/index?page=content&id=TECH160964

     

    How to Troubleshoot High Bandwidth usage issues in Symantec Endpoint Protection

    http://www.symantec.com/business/support/index?page=content&id=TECH154001

     

    Getting up and running on Symantec Endpoint Protection for the first time

    http://www.symantec.com/business/support/index?page=content&id=HOWTO55274

     

    Configure the content revisions available to clients to reduce bandwidth

    Set the number of content revisions that are stored on the server to reduce bandwidth usage for clients.

    • Typically, three content updates are delivered per day. You configure the number of updates that are retained on the server. You generally want to store only the most recent content updates. A client that has not connected during the time it takes the server to accumulate the set number of updates, downloads an entire content package. An entire package is in excess of 100 MB. An incremental update is between 1MB and 2MB. You configure the number of stored updates to a setting that minimizes how often a client must download a complete update package.

    • As a rule of thumb, 10 content revisions use approximately 3.5 GB of disk space on the Symantec Endpoint Protection Manager.

    For more information about calculating storage and bandwidth needs, see the Symantec Endpoint Protection sizing and scalability white paper

     



  • 3.  RE: SEP 12.1 communications question

    Posted Sep 07, 2012 09:22 AM

    Hi Ashish,

    1st link does not work.  Just takes me to the support page.  Wouldn't the current number of revisions be stored on the GUPs?  I'm not having an issue with the GUPs talking to the SEPM, it's the clients after the initial install.  After that they are not as chatty to the SEPM.

     

    Thanks,

     

    Marty



  • 4.  RE: SEP 12.1 communications question

    Posted Sep 07, 2012 09:26 AM

    Hi,

    I am able to open this link

    Symantec Endpoint Protection Manager 12.1 Communication Troubleshooting

    http://www.symantec.com/business/support/index?page=content&id=TECH160964



  • 5.  RE: SEP 12.1 communications question

    Posted Sep 07, 2012 09:34 AM

    That one worked.  Checking the SEPM logs, I guess the questions I have now are: Content gets delivered to the clients via the GUP, correct?  Does the client deliver an initial inventory to the SEPM?  How big is that file?

     

    Thanks.



  • 6.  RE: SEP 12.1 communications question

    Posted Sep 07, 2012 09:47 AM

    Minimizing network traffic from client-to-server communications in Symantec Endpoint Protection Manager 12.1

    http://www.symantec.com/business/support/index?page=content&id=TECH164737

     

    Check this Thread

    http://www.symantec.com/connect/forums/gups-1

    http://www.symantec.com/connect/forums/gup-updating

    SEP12.1 clients defination downloads size

    http://www.symantec.com/connect/forums/sep121-clients-defination-downloads-size



  • 7.  RE: SEP 12.1 communications question

    Broadcom Employee
    Posted Sep 07, 2012 09:59 AM

    Hi,

    Check with this tool if it helps any.

    SEP Content Distribution Monitor (for GUP health-checking)

    https://www-secure.symantec.com/connect/downloads/new-sep-content-distribution-monitor-gup-health-checking

    It looks like each workstation is uploading about 50-60 MB of data, when you get 5-6 of these happening at once it tanks the T1 and WAN access get real slow. --> I don't think clients will upload 40-60 MB data to the SEPM

    Q. The questions I have are, is there any way to throttle the amount of bandwidth between the client and the SEPM?

    --> You can throttle the amount of bandwidth between the GUP and SEPM. You can't restrict it between the SEPM and the SEP client. In a GUP environment, the client takes only policy updates from the SEPM, and those are only a few KB.

    For further troubleshooting you can run the Sylink monitor tool on the affected SEP clients.



  • 8.  RE: SEP 12.1 communications question

    Posted Sep 07, 2012 10:05 AM

    No method exists to throttle client/server bandwidth usage directly through the SEPM Apache server. The majority of the bandwidth the SEPM uses is for client content updates. Minimize the network load for these updates using one of the following methods:

     

    • Increase the interval between SEP client checkins to lower SEPM server load
    • Add one or more Group Update Providers (GUPs) to distribute bandwidth usage
    • Ensure that the SEPM is hosting sufficient content revisions. This allows deltas to be created for out-of-date clients instead of full content packages

    OK, that answers the throttling question.  The GUPs are not my issue, but that being said, the clients get content from the GUPs, correct?  I do have my live update policy set that the clients should NEVER contact the SEPM for content updates.

    I'm wondering about the initial communications between the client and the SEPM, this is only happening once per client, lasts for about 15-20 minutes, then stops.  Like I said, I THINK it's uploading the inventory to the SEPM, and would like to verify that.



  • 9.  RE: SEP 12.1 communications question

    Broadcom Employee
    Posted Sep 07, 2012 10:21 AM

    Hi,

    Can you monitor it with the help of the processes and ports used by Symantec?

    Which Communications Ports does Symantec Endpoint Protection use?

    http://www.symantec.com/docs/TECH163787

    Processes and Services used by Symantec Endpoint Protection

    http://www.symantec.com/docs/TECH102748

    Also run the Sylink monitor tool; the sylink log can give information about SEPM and SEP client communication.