Endpoint Protection

Hi All,

I have a SEPM console (11.0.6005.562) and clients set up in pull mode with a 6 hour window to get content and policy updates. When I issue an "Update Content" command from the console, the clients don't respond. SEPM reports command not received. How does the update content mechanism work? Does the SEPM issue the command to the client immediately, or does it queue until client heartbeat?

Thanks in advance,

Mike

need to wait until heart beat.

https://www-secure.symantec.com/connect/forums/pull-or-push-mode#comment-1417251

Not directly relevant to the question, but I also wanted to mention (since this is a common misconception) that Update Content triggers a LiveUpdate launch, not a request for content from the SEPM. If there is new content to get when the client checks in, it should automatically ask for it and download it.

sandra

So SEPM update content command tells client to 'go get your own content now'? If it has to wait for heartbeat, the command is useless as client will check in, see it's content is out of date, and update anyway. Are there any detailed docs to better explain this?

Hello,

Configuring push mode or pull mode to update client policies and content

You can specify whether the management server pushes the policy down to the clients or that the clients pull the policy from the management server. The default setting is Push mode. If you select Pull mode, then by default, clients connect to the management server every 5 minutes, but you can change this default heartbeat interval. In your case, it is 6 hours.

See How the client computers get policy updates.

Note : The Above Article is for SEP 12.1, however the same principle are applied to the SEP 11.

i have similar issue with my Trial (previous user of v 10 & 11) i have 6 clients installed (3 servers, 3 wks) and none of them have updated since yesterday. In my Policy Settings I have selected both the management server and Live Update Server so that if the SEP clients cannot contact the Mgmt Server that they will update through the internet. If i manually update the client it works fine. But even sending the update command from teh Mgr Console doesnt even update them. Any Ideas?

smc.exe is symantec management client, service which checks for updates from manager after the specific hearbeat interval.

till then there wont be any communication from the client to the manager, 

In the first link which I posted Paul explained it.

yes but when the client is in fact contacting the mgmt server, then what would be the issue?

If I understand this correctly - Update Content DOES NOT WORK in pull mode since the SEPM console waits for the heartbeat to communicate with the client. Otherwise if clients are in push mode, SEPM would send updates immediately so Update Content IS NOT NEEDED.

What am I missing?

Right !!

Its like you can issue an update command however it will be complete when clients talk to SEPM, during heartbeat. this holds for client which is on the same box as SEPM.

Hi,

it seems nobody is explaining why it cannot be in another way.

The SEP communication is based on a server-client model, it is not a peer-to-peer network.

The SEP Manager is the server and it is listening on port 8014 (or 80) for client connections.

The SEP client is the client and it does not listen on any port because it is just a client.

In this model, it is clear  that only the SEP client can start a communication with the manager by opening a TCP connection to [SEPM_IP]:8014, the SEPM cannot connect to the clients because the clients, by definition, are not listening on any port.

Once the connection is established, Server and clients can exchange data, including commands.

In push mode the connection is always kept alive and the commands can be sent to the clients in real time through the already open channel. In pull mode the connection is pulled at regular intervals, between the heartbeats there is no established connection therefore the commands are just stored in the outbox waiting for the clients to get them. It cannot work in any other way.

This does not need any detailed document, it is just the server-client model.

Thanks Beppe, that makes the most sense so far and I will accept it as a solution

But then the question becomes 'What does Update Content do?' In pull mode during the normal heartbeat, the SEPM console queues the request and waits for the client to check in. When the client does check in, it compares it's policy and definition level with the server. If the server has a new policy and/or definition, the client gets the new policy and requests (delta) updates. Update content only duplicates what would be performed during a normal heartbeat anyway.

In push mode console would push updates immediately, so again update content not needed.

So in my (still somewhat confused) eyes, update contenet doesn't really do anything...

What I am also observing is SEPM is reporting what client CURRENTLY has, so if an update is needed, requested and sent, SEPM won't report up to date status until NEXT heartbeat.

As Sandra says, Update Content triggers a LiveUpdate launch from Symantec. 

See SEP Admin Guide 11.0.6, p. 76:

Update Content: [...] The clients receive the latest content from Symantec LiveUpdate.

Update Content would be useful in a case where, for example, the SEPM couldn't update for whatever reason but clients could still check in, or if you had Macintosh clients (who don't get updates from the SEPM).

"Current" is not quite accurate. The heartbeat is when clients upload their logs too--including what revision of definition they have--so the status of the clients in your environment may be up to 6 hours out of date (if you have a 6 hour heartbeat), depending on when they last checked in. That is to say, to modify your above statement, "SEPM is reporting what client has as of their last heartbeat."

Is there a particular reason the heartbeat is so large? For example, a very large number of clients?

sandra

You can specify whether the management server pushes the policy down to the clients

Not to split hairs, but 'push mode' is not a true push, which suggests the server initiates communication and begins sending content or policies proactively. When the SEPM has new content or policies to serve, it sends out a prompt for clients within a few seconds of the updated content/policy to heartbeat in to get it. The actual request for retrieval still must originate from the client.

sandra

There are three major points I have to contend with – Large number of clients (5,000-10,000 or more), Very limited bandwidth (Average 192K), and closed network with no internet access at the workstations. Only SEPM console will have internet, and use GUPs at every remote location.

So in summery push mode is constant communication. As content arrives in SEPM, they are pushed out to clients immediately. In pull mode clients check in periodically, check policy and revisions, update as necessary. Clients report what their current revision levels are, and not what updates they receive just in case patching fails, so SEPM console could be up to 1 heartbeat off for a particular client*. Update Content is queued on SEPM console until next heartbeat, and tells client get content from other LiveUpdate servers.

*Might already be fixed in RU7

….And finally confirmed by Symantec support.

Thank you all for your comments.