Endpoint Protection

 View Only

How to Auto-Upgrade Remote Site Clients using IIS 

Apr 16, 2010 08:55 AM

Reduce WAN traffic and upgrade failures by using an IIS server in a remote site.

Please refer the below exhibit.

Site1 has SEPM.

Site2 and Site3 are remote sites having a Windows server with IIS.

Configuring a remote site, in this case Site2 or Site3.

The name of the Server is Site2.

Step1.1: Create a folder on local drive and copy the setup.exe created using SEPM.

Step1.2: Create a virtual directory in IIS on Site2 server.

Step 1.3: Make sure the Virtual Dircetory has the correct 'Local Path' where the setup.exe is saved.


Step2: Verify that the package can be downloaded without any permission issue.

To test this, type the client package url for e.g. "http://site2/SEP_client/setup.exe" in a web browser.

You should get a file download doalogue box. Click cancel.



Step3.1: Goto Install Packages under Clients tab in SEPM. Click on Add client install package.

Step 3.2: Select 'Downloadthe client package from the following URL (http or https)' and type the URL of the client package hosted in IIS of site2 and click 'Ok'.

e.g "http://site2/SEP_client/setup.exe"

The Site2 clients will get the package from the Site2 IIS server.

0 Favorited
0 Files

Tags and Keywords


Jan 09, 2014 03:45 PM

Just another thought, with 12.1 RU4 there is a setting where you can set the clients for a specific container in SEPM.
Choose clients container, Click on Tab Install Packages
Right Click on any package and should have an option for that package to change Download Source
Not sure if it would be a wise Idea to Create the Site mentioned above and both have 32Bit and 64Bit Client on site.
Then Schedule the Upgrade at a certain time, so all clients within that container will start looking at the provided URL and will automatically get the package from there.
I have not tested this out but how would a client know which package to download and install? or how the URL should look like?
Any thoughts on this is greatly appreciated as I am trying to Upgrade all clients from our remote sites 50+ Sites so meaning 50+ IIS servers temporarily created on the current GUPs.

Mar 08, 2013 08:47 AM


GUP can only provide definitions updates to remote clients.

To upgrade remote clients you will have to use other methods. As geva mentioned you can use Migration and deployement tool to deploy SEP packages as well.

Mar 08, 2013 08:01 AM

I am not sure about this, but I see absolutely no reason why you couldn't setup IIS on a Windows XP or 7 workstation and have it server the deployment package for you.

I considered doing this when I was having problems, but Symatec Technical Support advised me against it and suggested that I just make an install package and install from that.  This is exactly what I did, replicated the package to remote sites, and then installed from there using the Migrate & Deploy tool.

From what I understood... this remote package deployment is somewhat overkill depending on the network you are managing.  It will allow you to easily upgrade entire groups to newer SEP... however the Migrate & Deploy tool used with a freshly created package does the same thing.  As this package is not being accessed after install, it is not really going to have very much bandwidth influence.

Mar 07, 2013 03:26 PM

Would it be feasible to set this up on an Windows XP or 7 machine that is always on?

Reason for asking is that it wouldn't be the least bit practical in my situation to put a server at our branches, the largest of which has 7 computers total. However, most of the branch offices have one machine that is only used for about 30 minutes and would be an ideal candidate to use for managing the updates this way.

Oct 12, 2012 02:16 AM


You can pull the reports as per business requirements.

About the different types of Symantec Endpoint Protection Manager Reports


About Computer Status reports and logs


Oct 11, 2012 10:54 AM



Thanks for the great help it actually works very well! I just need help with one final thing: pulling a success/failure report on the SEPM.


Thanks again!

Oct 08, 2012 10:20 AM


As per screenshot it seems that you are trying to upgrade to SEP 12.1 RTM (12.1.671.4971).

Could you please confirm upgrade path?

Also, have you checked by increasing distribution upgrade period.

If possible uncheck upgrade schedule as well to test it.

Let me know you are testing in test environment or it's production environment?

Oct 08, 2012 09:42 AM

Hi Chetan,


Please find the attached screen shot from my browser. My upgrade schedule is from 15:30 to 00:00 over 1 day the current time is 15:36.


Bongani Macheke

Oct 08, 2012 09:36 AM

Hi Chetan,


Please find the attached screen shot from my browser. My upgrade schedule is from 15:30 to 00:00 over 1 day the current time is 15:36.


Bongani Macheke

Oct 08, 2012 09:23 AM


Screenshot shared by you is the same screenshot shared in this article.

Could you please share your environment specific screenshot? Could you please check upgrade schedule as well?

Oct 08, 2012 08:52 AM

Hi guys


I followed all the steps above and I can even get to step 2 succesfully, I'm not getting any errors but the upgrade does not work at all. Is there something that I missed? Please please help.


May 11, 2012 03:20 AM

HI Chetan,/Veekee

yesterday I did same practice for remote site client. those updated succesfully with upgrade version clients setup through IIS and keep reporting to SEPM. Thanks all for best practices


May 10, 2012 02:23 AM

Hi Ajit Singh,

It's applicable in SEP 12.1 EE also.

May 10, 2012 01:19 AM

HI Veekee,

excellent document and steps suggested by you. I was unware about this step. through this step no issue for WAN traffice except logs and policy communication by SEPM. same method also for SEP 12.1?


Jun 23, 2011 01:56 PM


Such configuration is not possible with Small Business Edition 12.x

This option is available in SEP 11.x 

Jun 22, 2011 05:47 AM



This setup is for managed clients. This to upgrade a managed SEP client to new version.

The SEP client should be communicating with SEPM.

Thank you.

Jun 07, 2011 04:30 AM

can we make this kind of setup for SEP SMB 12. how much bandwirth required. and when remote site update from central server how much data will copy for one client

Jun 06, 2011 10:37 PM

when you do the find unmanaged clients for site2? do you use SEPM from site1??

is there anything special you have to do to use the site2 installation file??



Nov 11, 2010 06:20 AM

I've just stumbled across the post and it gives me a good idea as to how to best setup the deployment.  Like you, I'm only using one site, as well as having users who roam between sites.

DNS has a cool feature where if a host has multiple A records, it will return the one in your subnet first.  Meaning you could create a DNS name called "SEPUpdates" which would resolve to the IP of the IIS server as described above.  You then just need to set all of your IIS server roots to replicate; perhaps using a RoboCopy script or NTFRS/FRS-R.

Let me know if you want more clarification.


Oct 12, 2010 12:23 PM


I would still recommend using groups for each remote site.

All groups will still use the same settings if they are configured to use shared policy files (which is the default). So you would only have to make policy updates in one place.

And by using groups, you can take care of assigning the respective local IIS servers to each group.

It's a WIN-WIN scenario.

Oct 06, 2010 04:28 PM

This seems like exactly what I have been looking for.  Thanks!

One question, however.  Is there any way I could set up 2+ install packages to a group, and then depending on where the clients are located, they would just pick the best path?

I dont separate my offices into separate groups because we all use the same settings, but I don't want all of them to pull from the remote server, but from each of their respective local IIS servers.

Jun 25, 2010 08:57 AM

Yes it can be a upgrade package like RU5 to RU6a.

Jun 25, 2010 08:56 AM

Yes it can be a upgrade package like RU5 to RU6a.

Jun 18, 2010 01:14 AM

You could create another virtual directory for 64bit package.
For Example if you refer Step 2. The path would look like http://site2/SEP_win64bit/setup.exe
Configure the same path in Step 3.2 when you add a 64bit package.

May 20, 2010 05:45 AM

What an excellent document thanks very much, just a quick question what is the best way to handle different client versions.  For example do i need to create a website for 32bit and one for 64bit clients or can the SEPM server supply a package that contains both.

May 12, 2010 01:00 AM

Thanks man,

this is just what I've been looking for.

Special thanks to the Original poster for creating such a great tute for all of us.

May 07, 2010 12:29 AM

how to make that one single exe package ?

May 05, 2010 09:13 AM

thanks for u r article

Apr 27, 2010 07:59 PM

Thanks for the tip, I haven't thought about  deploying an upgrade this way.

Question: Could that setup.exe be a patch file instead? i.e RU5 to RU6a ?

Also file:// in order to use a local network share would be ideal. I have remote sites with GUP's only.

Related Entries and Links

No Related Resource entered.