Endpoint Protection

 View Only

A Helpful LiveUpdate Administrator 2.x Analogy  

Nov 30, 2011 10:52 AM

The popular knowledgebase article  Configuring LiveUpdate Administrator (LUA) to download updates from another LUA Server (http://www.symantec.com/business/support/index?page=content&id=TECH105741)  states:

"Though it is possible to configure LiveUpdate Administrator to download needed updates from another LUA server, it is generally not recommended to use this configuration."

A frequent question is: "Why not?" 

Here's an informal, unofficial way of understanding the nature of LiveUpdate Administrator, and why it is not a good idea to daisy-chain these servers:


Imagine that you look after a house (network environment) and all of the happy little residents (Symantec Endpoint Protection clients and other Symantec products) who live there.

From time to time, these sturdy little characters get hungry and need to consume to stay healthy (download and process new updates)... some more often than others! 

Each also has its own separate foods that it will eat and dietary restrictions (different content for different products and components).

Now, as the responsible parent (admin) you've got to ensure they all get fed, and fed the stuff they need. All of these little guys can run straight to the big supermarket (LiveUpdate source servers on the internet) but that is a bit repetitive... a lot of people cramming into the same place for the same stuff, several times a day... streets get crowded, shopping carts crash into one another, a lot of pushing and shoving and pulling of hair (bandwidth issues, servers overloaded, etc).

Now: imagine you add a refrigerator to your particular house. (The LUA server is one solution.)

You can order the housekeeper to jump in the station wagon, drive to the supermarket several times a day, and get everything everyone needs (configure a scheduled download task).  This loyal housekeeper can bring the whole shopping list home (download what your organization needs) and put it where everyone knows where to get it (distribution task).  Instead of running all the way to the supermarket, everyone just opens the fridge, grabs some convenient grub and whistles a merry tune, satisfied.

Now, it IS possible that you can keep your whole house fed by raiding your neighbor's fridge rather than going to the supermarket (downloading from another nearby LUA server).  One problem here is that what's in your neighbor's fridge is probably not as fresh as what's in the supermarket. (Updates may not be the latest).  Also: who can guarantee that their fridge has exactly what your household needs? 

Plus, the neighbor may not be too happy about you showing up and grabbing what they have (permissions issues, access trouble!)

That's why it's always recommend going to the supermarket (Internet LiveUpdate source servers) --- it is open 24 hours a day, and there you will always find the freshest goods, with friendly service, and no permissions trouble.


Some further points to this analogy....

  • Just because you have gone shopping and brought all the groceries home (downloaded the updates) does not mean that everyone will automatically find them.  You must bring the bags in from the car and pack them away (distribute the updates) to the places where everyone goes looking for the food.
  • Not all food is stored in the fridge.  After you take your goodies home, you put some in the cupboard, beer goes into the beer fridge upstairs, cleaning products get stored under the sink far away from the food, some items go into the freezer in the basement....  (One LUA server can have up to 100 Distribution Centers, and different products can be configured to retrieve from different DC's)
  • Why use your grandmother's old ice box when you can have a brand-new state of the art fridge?  The latest, most up-to-date model is always being given away for free. (Call Technical Support and they will be able to provide the latest LUA 2.x to almost all Symantec customers with a valid contract.  There is no charge.)
  • Today's modern fridges have HUGE capacity- and the housekeeper can deliver goods from it to rooms all over the mansion! (In even the largest enterprise organization, only one LUA 2.x server is usually needed.  Rather than add additional daisy-chained LUA servers, it is generally better to create new Distribution Centers and configure scheduled tasks to keep them up-to-date.) 

    Finally:
     
  • Not every residence needs a refrigerator.  Perhaps this is not a house, but a hotel where both room and board is included.  The restaurant staff will take care of all necessary shopping and preparation: everyone automatically knows where to go for their meals.  (An all SEP environment where the SEPM can keep all its clients up-to-date without the need of the optional LUA server tool.) 

 

LUA 2.x is a fantastic, reliable product- when it is used correctly.  Here are some official Symantec articles full of advice on configuring LiveUpdate Administrator 2.x for your network: 

Top 10 Symantec Best Practices - Deploying Symantec Endpoint Protection Architecture
Article: TECH92051
Article URL http://www.symantec.com/docs/TECH92051  

Best Practices for LiveUpdate Administrator (LUA) 2.x
Article: TECH93409
Article URL http://www.symantec.com/docs/TECH93409

When is it Recommended to Use LiveUpdate Administrator 2.x with Symantec Endpoint Protection?
Article: TECH154896
Article URL http://www.symantec.com/docs/TECH154896  

 

Many thanks for reading!  Please do leave comments, below, if you find this analogy helpful or unhelpful. 
 

Statistics
0 Favorited
7 Views
0 Files
0 Shares
0 Downloads

Tags and Keywords

Comments

Jan 23, 2015 02:34 PM

Thanks for the article Mick.

I understand your points, but I'm still not convinced in my case.  I have 20+  machines working in a manufacturing environment that all have the exact same policies/install features (only basic antivirus.)  I am very cautious not to disrupt operations so I want two distribution centers, one I call early deployment and the other production. I can have certain clients get updates from the early deployment center and awhile later schedule the rest of the production machines assuming no issues are found during early deployment.  I really need this level of testing, I can't have my operators losing control of the process because a machine stops responding.

So I've got my SEPM on the internal side of the firewall and I've added LUA.  I've got the internal LUA source server configured to my external LUA and opened the necessary ports on the firewall.  The external LUA only has one distribution center and it only feeds the internal LUA (or in other words, doesn't service any other clients.)  My previous setup had my SEPM connect to the LUA, then my clients connect to the SEPM but I couldn't have two distribution centers then.  I was manually testing on unmanaged clients, very time consuming.

Is there anything about this solution I need to reconsider?  Or would you recommened something different?

Thank you!

 

Mar 25, 2013 06:15 AM

Also see:

LiveUpdate Administrator 2.x Server Connection Recommendations
https://www-secure.symantec.com/connect/articles/liveupdate-administrator-2x-server-connection-recommendations

Oct 08, 2012 01:12 AM

Thank you Mick !

Oct 04, 2012 05:40 AM

Thanks, it is quite helpfull !!!

Sep 07, 2012 10:41 AM

Here is a new article that may be of interest to LUA administrators:

How Big are Current Symantec Endpoint Protection Definitions?
https://www-secure.symantec.com/connect/articles/how-big-are-current-symantec-endpoint-protection-definitions

Jul 20, 2012 09:28 PM

Thanks man !

Mar 16, 2012 02:42 PM

Thank you mick2009

This helped me a lot.

Absolutely brilliant

Jan 17, 2012 11:08 AM

Good article

Jan 03, 2012 08:26 AM

Check out this new Connect Forum article: it may have some infomation that you have not come across before about how LUA downloads, stores and purges contents.

Managing LiveUpdate Administrator 2.x Space Usage
https://www-secure.symantec.com/connect/articles/managing-liveupdate-administrator-2x-space-usage

Any comments on this new "Managing LiveUpdate Administrator 2.x Space Usage" are very much welcome!

Dec 15, 2011 05:19 AM

Thanks for that explenation. Mkae smore sence now.

Dec 12, 2011 04:57 AM

Three additional resources are now on Connect for the new LUA 2.3.1.....

LiveUpdate Administrator: Product Selection Guide
https://www-secure.symantec.com/connect/articles/liveupdate-administrator-product-selection-guide

LiveUpdate Administrator: How to configure a remote Distribution Center
https://www-secure.symantec.com/connect/articles/liveupdate-administrator-how-configure-remote-distribution-center

Video: LiveUpdate Administrator: How to configure a remote Distribution Center
https://www-secure.symantec.com/connect/videos/liveupdate-administrator-how-configure-remote-distribution-center
 

Hope this helps! &: )

Dec 12, 2011 02:37 AM

very clear explanation, thank you for posting it!

Dec 04, 2011 04:25 PM

Here are some additional resources on Connect which can help administrators and architects with LUA:

LUA Installation and configuration
https://www-secure.symantec.com/connect/articles/installation-and-configuration-lua
 

Configuring Distribution Center in LUA
https://www-secure.symantec.com/connect/articles/configuring-distribution-center-lua 


Illustrated Guide to Configuring LiveUpdate Administrator 2.x for SMSMSE 6.5.5
https://www-secure.symantec.com/connect/articles/illustrated-guide-configuring-liveupdate-administrator-2x-smsmse-655

 

Video: Install LUA (Live Update Administrator) and Configure for Symantec Endpoint Protectionhttps://www-secure.symantec.com/connect/videos/install-lua-live-update-administrator-and-configure-symantec-endpoint-protection
 

Video: LiveUpdate Administrator 2.3: What's New
https://www-secure.symantec.com/connect/videos/lua-23-whats-new
 

 



 

Dec 02, 2011 10:04 AM

Hello,

Mick, "Thumbs Up!!" you are "The LUA Guru"... No doubts about it.!!!!

Excellent Explaination and to the Point.

Related Entries and Links

No Related Resource entered.