Twin Cities Security User Group


Location Awareness using Multiple Management Server Lists 

Aug 13, 2009 04:37 PM

One thing I struggled with when first beginning to use SEPM was using Location Awareness with multiple Management Server Lists (MSL). The process is rather long, but once you get used to the steps needed for multiple MSL it is well worth it. In this article I am going to assume the reader has at least some basic experience with SEPM and creating policies. If anyone thinks additional clarification is needed, feel free to PM me and I will respond (and update the article).
 
Let us assume we are working on a network with three geographically separate locations. 
  • Subnet 1 is for Engineering located in the USA (192.168.1.0 – 192.168.1.255)
  • Subnet 2 is for Marketing located in Ireland (192.168.2.0 – 192.168.2.255)
  • Subnet 3 is for Information Security in Italy [think a villa on the Mediterranean Sea] (192.168.3.0 – 192.168.3.255)
 
Each location contains a SEPM server. Clients are in one Site (as defined by SEPM) under separate groups (Engineering, Marketing, and InfoSec). We could create three management server lists and have everyone pull from their primary location; however, if InfoSec needs to physically visit Engineering or Marketing, their updates would then cross the WAN and could negatively impact network availability. 
 
Now let us get right to business creating three MSL, each with the ability to failover to one of the other SEPM servers in the event of a disaster. The first item of business is to configure our MSL. Open the SEPM console to the Policies tab. 
 
Once we get to the MSL window, look under Tasks and click Add MSL. Give the MSL a logical name; in this example it would be “Engineering – Subnet 192.168.1.0”. Make sure the description clearly identifies the intent of this MSL. 
 
Click the Add>> button and select Server
Enter the IP Address of the primary SEPM server for the first location
Click the Add>> button and select Priority
Click the Add>> button and select Server
Enter the IP Address of the second SEPM server for the first location
Click the Add>> button and select Priority
Click the Add>> button and select Server
Enter the IP Address of the third SEPM server for the first location
 
In the end your MSL should look similar to this.
 
Repeat the above steps to create two more MSL. Each MSL should order the SEPM servers differently across the priorities, so that each location's own server comes first. Here are the other two I created for this article.
 
Whew. All that hard work deserves a break. Spend your time down on the virtual Italian beach wisely; we will be back up and finishing this task in short order. :)
 
Fun… Back to work!
 
Now we need to modify our policy to use location awareness. Back in the SEPM Console, click on the Clients tab and select the group you want to manage. Once there, make sure you are on the Policies tab under the group settings. At this point select Manage Locations… (IMO, it’s quicker than Add Location). 
 
A new window opens that contains most of the information on locations. A default window looks like this:
 
Some notes about this area. 
  • You cannot delete the default location until you assign the default to something else.
  • How often to check location (every X seconds) depends upon how mobile your clients are.
  • Enabling the location change notification isn’t a good idea for general end-users (IMO, if they are very mobile, they will get annoyed and begin ignoring the SEP alerts).
 
Let’s look at creating our new locations. Symantec did a great job in providing multiple triggers that can switch the location. Be careful with how many triggers you put in: with too many or conflicting conditions you can leave a system unable to communicate with any SEPM. Trust me, I did that in testing. Thankfully not in production.
 
First, let’s create our three logical locations. Under the location window click the Add… button (not the one under Switch to this location when). Create logical names for your locations, unlike my bad examples in these screenshots. Once you have created the three locations, click on the first location you want to control, then click the Add >> button (yes, this time the one under Switch to this location when). I like to consider these the triggers or conditions that cause my clients to ‘move’ to a new management server. When the new window opens you can get a feel for the types of triggers/conditions you can use to manage location. For this example we are using the subnet the clients are in, so leave the Type at Computer IP Address. Click the Add button, select Subnet from the drop-down and enter the IP Address and Subnet for your first location. After clicking OK you should see something similar to the following figure:
 
Repeat the steps for the other two locations. Make sure your location names match your subnets. We do not want a mix-up that suddenly sends all your clients across the WAN to get their updates, especially if you have not yet read the other article I posted on troubleshooting bandwidth issues with SEPM. (https://www-secure.symantec.com/connect/articles/sepm-sep-client-bandwidth-troubleshooting)
 
Once again we are at a nice time to take a break. Look back at your work before heading down to the beach. Do all your location names and descriptions make sense? Are the subnets correct under each location? Did you add any other conditions/triggers that might conflict? Are you all done double-checking your work? Good, too late to get the visit to the beach in. Need to get this configuration done today.
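The double-checking above can be written down as a small consistency check. The following is an added example, not a SEPM export or any Symantec API: it models the three locations from this article (subnet trigger plus the ordered MSL each location should use) and verifies the properties the walkthrough relies on. The SEPM server addresses (.10 in each subnet) are constructed placeholders, since the article only gives the client subnets.

```python
"""Consistency check for a location-awareness design with multiple MSL.

Added example; it models the article's design rather than reading SEPM's
own configuration. Each Location has the subnet that triggers it and the
Management Server List (MSL) its clients should use, priority 1 first.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Location:
    name: str
    subnet: ipaddress.IPv4Network
    msl: tuple  # SEPM addresses in priority order (priority 1 first)


# Constructed SEPM addresses, one per site (not values from the article).
SEPM_US = ipaddress.IPv4Address("192.168.1.10")
SEPM_IE = ipaddress.IPv4Address("192.168.2.10")
SEPM_IT = ipaddress.IPv4Address("192.168.3.10")

# The three locations from the article, each with its own server first
# and the other two sites as failover priorities.
LOCATIONS = [
    Location("Engineering - Subnet 192.168.1.0",
             ipaddress.IPv4Network("192.168.1.0/24"), (SEPM_US, SEPM_IE, SEPM_IT)),
    Location("Marketing - Subnet 192.168.2.0",
             ipaddress.IPv4Network("192.168.2.0/24"), (SEPM_IE, SEPM_IT, SEPM_US)),
    Location("InfoSec - Subnet 192.168.3.0",
             ipaddress.IPv4Network("192.168.3.0/24"), (SEPM_IT, SEPM_US, SEPM_IE)),
]


def validate(locations):
    """Return a list of problems; an empty list means the design is consistent."""
    problems = []
    all_servers = {s for loc in locations for s in loc.msl}
    for i, loc in enumerate(locations):
        # Priority 1 must be the SEPM inside this location's own subnet,
        # otherwise clients here pull their updates across the WAN.
        if loc.msl[0] not in loc.subnet:
            problems.append(f"{loc.name}: primary server {loc.msl[0]} is not local")
        # Every SEPM must appear so that losing one site still leaves failover.
        missing = all_servers - set(loc.msl)
        if missing:
            problems.append(f"{loc.name}: MSL lacks failover to {sorted(map(str, missing))}")
        if len(set(loc.msl)) != len(loc.msl):
            problems.append(f"{loc.name}: duplicate server in MSL")
        # Subnet triggers must not overlap, or one client matches two locations.
        for other in locations[i + 1:]:
            if loc.subnet.overlaps(other.subnet):
                problems.append(f"{loc.name} and {other.name}: subnet triggers overlap")
    return problems


def resolve(locations, client_ip):
    """Return the location whose subnet trigger matches the client, or None."""
    ip = ipaddress.IPv4Address(client_ip)
    for loc in locations:
        if ip in loc.subnet:
            return loc
    return None  # caller falls back to the group's default location


def servers_for(locations, client_ip):
    """Ordered SEPM addresses a client at client_ip would try, or [] if unmatched."""
    loc = resolve(locations, client_ip)
    return [str(s) for s in loc.msl] if loc else []


def check_miswired():
    """Show what validate() reports if Marketing is wired to the US server first."""
    bad = list(LOCATIONS)
    bad[1] = Location(LOCATIONS[1].name, LOCATIONS[1].subnet, (SEPM_US, SEPM_IE, SEPM_IT))
    return validate(bad)


if __name__ == "__main__":
    print("problems:", validate(LOCATIONS) or "none")
    print("InfoSec laptop visiting Engineering:", servers_for(LOCATIONS, "192.168.1.77"))
    print("miswired Marketing:", check_miswired())
```

An unmatched client (for example one on a subnet with no trigger) returns an empty list here, which is the case where SEPM falls back to the default location and its group communication settings; that is the situation to look for when clients unexpectedly cross the WAN.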
 
Now on to the final step in configuring Location Awareness to use multiple MSL. Once you have completed adding all your locations, your policy window is suddenly going to look a bit different. The following screenshot gives you an idea of what you will see (I minimized parts of the window to expand my workspace). 
 
The first thing we need to do is expand each of the “Location-Specific Settings”. Right now everything is set to Group – Push. This basically means the Communication Settings for the group control each of these locations. If you click on the Tasks link to the right of the Location you are working with, you can unselect the check box for User Group Communications. 
 
Instantly you should now see the Communication Settings (for this location) change to Local – Push.
 
Let’s click on the Local – Push link. A familiar window opens. Now select the specific MSL for this location (safety reminder: double-check your work). 
 
Repeat the MSL change for each of your locations. Once complete, your policy allows clients to update from their local location; clients will begin pulling the new policy and changing where they get their updates. 
 
GREAT JOB!! You’ve just saved the company bandwidth by reducing the network overhead and keeping everything localized. You deserve a raise! 
 
Seriously though, I hope this helps someone. If you have ANY questions please let me know through a PM. I’m always willing to help (sometimes I’m busy though and it might take a little bit for me to respond).

Comments

Feb 24, 2017 07:46 AM

Best practice is 7

Feb 23, 2017 11:47 PM

Hi

 

How many location areas can we specify in a single group?

 

 

Jan 12, 2010 03:15 PM

Hi, I think this is a very nice and helpful article, but I have some questions. Here they are:

Is there a prerequisite the managers should meet to make them work with MSL? I mean, do they have to be on the same site or something like that? I ask you this because I tried to do this one day but it didn't work. I have only seen MSL working when servers are on replication or something like this. 

By the way, how will a client work with other managers if it does not have the certificate to communicate with them?

Regards,

NTC

Aug 26, 2009 07:29 AM

Very useful article. But pictures are not visible.

Aug 24, 2009 03:54 AM

Great Work..very useful piece of information..

Aug 20, 2009 10:25 AM

Hi Maximilian.

Thanks for letting me know the pictures were bad.  I will try to replace them with jpeg files next week.

Jeff

Aug 20, 2009 08:34 AM

Great article,

Too bad the pictures were not all readable for me.

Cheers!

Aug 19, 2009 07:34 AM

Superb article!!!

Hope to see more from you!!

Cheers,
Aniket

Aug 17, 2009 05:07 PM

Wonnnnderful Article...

It is really Gr88 piece of work !

This would certainly help people with planning, designing and implementing a Network for efficient Bandwidth Management ... especially when:
  1. You have many mobile users who keep travelling from one office location to another
  2. Office locations are connected to each other via WAN links
  3. Moving clients need to get updates internally when present on any of the office locations
Thanks :-) .. Certainly deserves to be one of the best articles on connect for SEP...
