South Africa Security and Compliance User Group

Expand all | Collapse all

Require a LU /GUP to provide updates only

Jump to Best Answer
  • 1.  Require a LU /GUP to provide updates only

    Posted 07-02-2015 04:19 AM

    We have a SEPM in Network A and 20 unmanaged machines at a seperate branch - Network B . Can I setup a liveupdate server in Network B to provide updates only and not manage these machines(policies etc) and use Network's A SEPM to obtain updates-? Customer only wants to use one server to provide updates to all 20 machines....

    Any help would be appreciated.

    Thanks in advance



  • 2.  RE: Require a LU /GUP to provide updates only

    Broadcom Employee
    Posted 07-02-2015 04:42 AM

    Hope this help

    Is it Supported to Configure Unmanaged Symantec Endpoint Protection Clients to Update from LiveUpdate Administrator 2.x rather than the Symantec Endpoint Protection Manager?

    https://support.symantec.com/en_US/article.TECH123388.html

     



  • 3.  RE: Require a LU /GUP to provide updates only

    Posted 07-02-2015 04:51 AM

    Sooooo, yes you can point all the NetworkB clients at a LUA Server in NetworkB (as pointed out by James007 above!), but you cannot get the LUA Server in NetworkB to grab its own defs from your SEPM in NetworkA in a supported fashion.  The LUA Server in NetworkB would have to go out directly to Symantec LiveUpdate.



  • 4.  RE: Require a LU /GUP to provide updates only
    Best Answer

    Broadcom Employee
    Posted 07-02-2015 05:03 AM

    Client won't be able download updated from a SEPM or a GUP without being a managed. Because the clients need to communicate with the SEPM to findout what latest definition it has. and request a link to download it, if needed.

     

    I understand that you don't want to use another server for liveupdate distribution. An alternative would be to install an LUA on the same server in which the SEPM in installed. But Symantec doesn't recommend installing SEPM and LUA on the same server. The reason being that LUA download its definitions from internet (not from SEPM) and it involves download and distribution of huge data (in GB) and installing SEPM and LUA on same server may cause performance as well as bandwidth issues on the server.

     

    I would suggest you to deploy a script or a thirdparty deployment tool to update the clients manually using the method mentioned in the below link. But to do this you might have to first export an unmanaged client installation package from SEPM with the policies set as in the given link and reinstall SEP on the 20 unmanaged clients.

    http://www.symantec.com/docs/TECH104363



  • 5.  RE: Require a LU /GUP to provide updates only

    Broadcom Employee
    Posted 07-02-2015 02:58 PM

    I don't think you will be able to use JDB file everytime to update just AV definitions for the 20 endpoints.

    Best option would be to make the 20 endpoints Managed clients and allowing them to take definition from Symantec Cloud (Internet).

    Else you can have them as managed and promote any of the endpoint as GUP for Network B. Now GUP alone will take definitions from the SEPM in Network A. Rest of the endpoints in Network B will take it from the GUP in their same vicinity. There will be less administrative intervention needed in this setup.

    As there are only 20 endpoints, any descent desktop should be able to perform as GUP. It should be connected to LAN and should be made to run 24X7 to ensure effective content distribution. Else you can resort to having a dedicated server with minimal configuration for GUP.

    Hope this helps!



  • 6.  RE: Require a LU /GUP to provide updates only

    Posted 07-03-2015 01:38 AM

    @ Maria Robinath Thanks, had that in mind as well.



  • 7.  RE: Require a LU /GUP to provide updates only

    Posted 07-03-2015 10:43 AM

    Being as though the solution has been provided by @Seyed I comment merely that unmanaged endpoints clearly suffer compared to managed endpoints. Simply providing content definitions and signatures being deployed to a seperate branch (assuming these are corporate endpoints like under the SEPM at Network A) at Network B is not sound.

    Difference between a managed Symantec Endpoint Protection (SEP) Client and an Unmanaged SEP Client (Article: TECH185894)(First column is dispositive I have had to clearly articulate in the role of a SEP/SEPM admin)