Reduce WAN traffic and upgrade failures by using an IIS server in a remote site.
Please refer the below exhibit.
Site1 has SEPM.
Site2 and Site3 are remote sites having a Windows server with IIS.
Configuring a remote site, in this case Site2 or Site3.
The name of the Server is Site2.
Step1.1: Create a folder on local drive and copy the setup.exe created using SEPM.
Step1.2: Create a virtual directory in IIS on Site2 server.
Step 1.3: Make sure the Virtual Dircetory has the correct 'Local Path' where the setup.exe is saved.
Step2: Verify that the package can be downloaded without any permission issue.
To test this, type the client package url for e.g. "http://site2/SEP_client/setup.exe" in a web browser.
You should get a file download doalogue box. Click cancel.
Step3.1: Goto Install Packages under Clients tab in SEPM. Click on Add client install package.
Step 3.2: Select 'Downloadthe client package from the following URL (http or https)' and type the URL of the client package hosted in IIS of site2 and click 'Ok'.
The Site2 clients will get the package from the Site2 IIS server.
GUP can only provide definitions updates to remote clients.
To upgrade remote clients you will have to use other methods. As geva mentioned you can use Migration and deployement tool to deploy SEP packages as well.
I am not sure about this, but I see absolutely no reason why you couldn't setup IIS on a Windows XP or 7 workstation and have it server the deployment package for you.
I considered doing this when I was having problems, but Symatec Technical Support advised me against it and suggested that I just make an install package and install from that. This is exactly what I did, replicated the package to remote sites, and then installed from there using the Migrate & Deploy tool.
From what I understood... this remote package deployment is somewhat overkill depending on the network you are managing. It will allow you to easily upgrade entire groups to newer SEP... however the Migrate & Deploy tool used with a freshly created package does the same thing. As this package is not being accessed after install, it is not really going to have very much bandwidth influence.
Would it be feasible to set this up on an Windows XP or 7 machine that is always on?
Reason for asking is that it wouldn't be the least bit practical in my situation to put a server at our branches, the largest of which has 7 computers total. However, most of the branch offices have one machine that is only used for about 30 minutes and would be an ideal candidate to use for managing the updates this way.
You can pull the reports as per business requirements.
About the different types of Symantec Endpoint Protection Manager Reports
About Computer Status reports and logs
Thanks for the great help it actually works very well! I just need help with one final thing: pulling a success/failure report on the SEPM.
As per screenshot it seems that you are trying to upgrade to SEP 12.1 RTM (12.1.671.4971).
Could you please confirm upgrade path?
Also, have you checked by increasing distribution upgrade period.
If possible uncheck upgrade schedule as well to test it.
Let me know you are testing in test environment or it's production environment?
Please find the attached screen shot from my browser. My upgrade schedule is from 15:30 to 00:00 over 1 day the current time is 15:36.
Screenshot shared by you is the same screenshot shared in this article.
Could you please share your environment specific screenshot? Could you please check upgrade schedule as well?
I followed all the steps above and I can even get to step 2 succesfully, I'm not getting any errors but the upgrade does not work at all. Is there something that I missed? Please please help.
yesterday I did same practice for remote site client. those updated succesfully with upgrade version clients setup through IIS and keep reporting to SEPM. Thanks all for best practices
Hi Ajit Singh,
It's applicable in SEP 12.1 EE also.
excellent document and steps suggested by you. I was unware about this step. through this step no issue for WAN traffice except logs and policy communication by SEPM. same method also for SEP 12.1?
Such configuration is not possible with Small Business Edition 12.x
This option is available in SEP 11.x
This setup is for managed clients. This to upgrade a managed SEP client to new version.
The SEP client should be communicating with SEPM.
can we make this kind of setup for SEP SMB 12. how much bandwirth required. and when remote site update from central server how much data will copy for one client
when you do the find unmanaged clients for site2? do you use SEPM from site1??
is there anything special you have to do to use the site2 installation file??
I've just stumbled across the post and it gives me a good idea as to how to best setup the deployment. Like you, I'm only using one site, as well as having users who roam between sites.
DNS has a cool feature where if a host has multiple A records, it will return the one in your subnet first. Meaning you could create a DNS name called "SEPUpdates" which would resolve to the IP of the IIS server as described above. You then just need to set all of your IIS server roots to replicate; perhaps using a RoboCopy script or NTFRS/FRS-R.
Let me know if you want more clarification.
I would still recommend using groups for each remote site.
All groups will still use the same settings if they are configured to use shared policy files (which is the default). So you would only have to make policy updates in one place.
And by using groups, you can take care of assigning the respective local IIS servers to each group.
It's a WIN-WIN scenario.
This seems like exactly what I have been looking for. Thanks!
One question, however. Is there any way I could set up 2+ install packages to a group, and then depending on where the clients are located, they would just pick the best path?
I dont separate my offices into separate groups because we all use the same settings, but I don't want all of them to pull from the remote server, but from each of their respective local IIS servers.