Endpoint Protection

 View Only
  • 1.  SEP 14.2 for VDI VMWare Horizon

    Posted Apr 01, 2020 03:30 PM
    Please share with me the best practices for configuring SEP 14.2 for VDI Clients (Vmware Horizon) Please share it for the latest SEP version. Thanks

    ------------------------------
    Symantec Enthusiast
    ------------------------------


  • 2.  RE: SEP 14.2 for VDI VMWare Horizon

    Posted Apr 02, 2020 05:30 AM
    Edited by Systems Team Apr 02, 2020 05:30 AM
    Hi SymSpec,

    I've pulled all the docs together for you. Symantec had it spread over multiple documents and it hasn't changed yet under Broadcom.  Not sure if you're setting up from scratch or just need updated best practice, so I'll include how we do some of ours FYI  :)

    Endpoint Protection - Non-persistent Virtualization Best Practices (https://knowledge.broadcom.com/external/article?legacyId=tech180229)
    There are two links in this doc. The one that says "SEP 12.1 RU2 and later: Virtualization best practices for Endpoint Protection 12.1.2 and later" is the one you want for best practice. If you open that link (that will open TECH197344), there is a link at the bottom of the page that opens for "SEP_14_Virtualization_Best_Practices.pdf". That's your 14.2 BP doc.

    But make sure you read the rest of TECH180229 as well because particular bits (Like Client Recommendations, Image Maintenance and Symantec Endpoint Protection Manager settings) are not included in other docs. There is also a link "How to prepare an Endpoint Protection client for cloning" in TECH180229 but that one points to a dead Symantec link. The Broadcom link to the same is https://knowledge.broadcom.com/external/article?legacyId=howto54706.  That's an important doc not only for the info, but also the only place to download the ClientSideClonePrep tool.

    We run a Horizon VDI environment and it works pretty flawlessly for us.  Not sure if you're setting up from scratch or just need updated best practice, so I'll include how we do some of ours FYI:

    • Power Up VDI base image VM
    • Do whatever updates we need to do (SCCM/WSUS or updating any other apps which are in the base image) and reboot if needed
    • Make sure SEP definitions are up to date with SEP Manager
    • Open SEP GUI and run a full scan. If it is clean, close SEP GUI
    • Copy VIETOOL.exe (Virtual Image Exception Tool) to the base image VM (we don't leave VIETOOL on the base VM) and run (without the quotes) "vietool.exe c: --generate" in an elevated command prompt.
    • Remove VIETOOL.exe from base image VM
    • In an elevated command prompt run ClientSideClonePrepTool.exe (we leave this on the VM).
    • You should have a password set to prevent uninstall or stopping of SEP services. Enter the password. SEP will stop and client identifiers will be removed (ClientSideClonePrepTool should say " Success: The client identifiers have been reset.")
    • Shutdown and power off base image VM
    • When it is off, take a VMware snapshot. We name it with initials and date, and in the description include what was done.
    • Disable provisioning on your desktop pool (Just prevents new machines spinning up with old config while you push new image)
    • Push the new image. We use the default date & time shown in "Scheduling" and we choose "Wait for users to log off". This means existing users will stay on, and VDI VM's not being used will be replaced with new build.
    • Once new image has been published & prior image has been unpublished we enable Provisioning on the pool.
    • Once we are happy new image is working fine, then we delete the prior VM snapshot (don't ever do it before you've successfully pushed the new image).

    We don't use Shared Insight Cache (as it is only useful in certain scenarios).  We use the "Embedded or VDI client installation settings for Windows" which gives you the reduced client size.  We also manually copy an exported install package to the VM when we upgrade versions (and delete it afterwards) - never use auto-upgrade from SEPM on your VDI Group.

    If you need additional pointers or info let me know.

    Hope this helps,
    Steve




  • 3.  RE: SEP 14.2 for VDI VMWare Horizon

    Posted Apr 02, 2020 03:22 PM
    Hi Steve, thanks for the reply. Its gonna be a fresh install of SEP on this VDI environment for one of my customers. Any other recommendations you would like to make apart from the above ?

    ------------------------------
    Symantec Enthusiast
    ------------------------------



  • 4.  RE: SEP 14.2 for VDI VMWare Horizon

    Posted Jul 23, 2020 06:02 PM
    Hi Steve,

    Your reply seems to be precise.But i have a query.In our case we are having vmware horizon with dedicated and floating VDI machines.In the dedicated machines we installed symantec endpoint agent like normal installation.But in the case of floating VDI machines , since the user will get multiple machines each day with login based on availability, we wont be able to install agent and thus we followed the same approach as you mentioned for the floating VDI machine.

    1.Installed SEP agent on the base image
    2.created a registry  "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\SMC\virtualization\IsNPVDIClient  (how the license  reclaiming)
    3.Run full scan 
    4.run vietool on the base image 
    5.enable vietool in the policy
    6.remove vietool from base image and provision.

    we are currently at step 4 where we tried to run vietool and got  error in reading file and we logged ticket for the same.But below are my query.


    1.In your message it was telling to use  ClientSideClonePrepTool .But i am not able to find that in the administration and installation guide of SEPM 14.3
    2.In the case of floating VDI ,do we need to do the base image scanning and vietool as mentioned regularly