Endpoint Protection


scripting proxy settings for SEP

  • 1.  scripting proxy settings for SEP

    Posted Jul 02, 2012 04:00 PM

    We are migrating from SAV to SEP 12.1 and there are about 5000 clients, worldwide, each of them being able to have different proxy settings.

    Under SAV we used the "c:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Settings.Merge.LiveUpdate"  to pass the proxy configuration to the LU.

    Also we cannot use the IE proxy as that one is put to a 127.0.0.1 to restrict eventual access to outside (note that this is not a standard system).

    Any way to accomplish the same thing (passing custom proxy settings) with SEP client and LiveUpdate Engine?

     

    Thanks,
    florin



  • 2.  RE: scripting proxy settings for SEP

    Posted Jul 02, 2012 05:26 PM

    Dear florin.d

    Firstly, remember that SEP clients can get updates from three sources, compared to SAV. There is the actual Management server, there are GUPs and then there is the same old LiveUpdate server. Depending on the policies you've set, your client will get its update from either. You can disable SEPM & GUPs if you choose to.

    That being said, LiveUpdate is still LiveUpdate and uses the same files. You can still configure it from the Control Panel applet or use the config files (*.liveupdate). Thus the answer is yes, you can still script it like you did with SAV.

    No, because do you really want to? You lose benefits of delta updates thereby decreasing your network utilisation. LiveUpdate ALWAYS downloads full definitions. GUPs and the SEPM can & will do incremental updates to the definitions.

    I can't remember if there is a proxy setting for the LiveUpdate policy in the console.



  • 3.  RE: scripting proxy settings for SEP

    Posted Jul 03, 2012 02:25 AM

    The question is how to configure proxy for live update, not from where to get updates :)

    And no, there is no (Windows) Control Panel applet to configure live update, even if it were, I do not want to remote to 5k systems each day to ensure LU proxy is properly configured.

    And the files & behavior used under SEP are not the same as the one used under SAV:

     - files under "c:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate" are removed when upgrading to SEP (this is where we used to put "merge" config files)

     - Settings.Hosts.LiveUpdate file is expected to be under  "c:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Config" not "c:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate", to take custom LU server. Also this file is only taken into consideration until next service restart and not actually merged into the LU config files.

     - Settings.Merge.LiveUpdate is not taken into consideration when put under any folder used by SEP (as I've seen so far)

     

    have a nice day.



  • 4.  RE: scripting proxy settings for SEP

    Posted Jul 03, 2012 08:59 AM

    Which version of SEP are you using? In SEP 12.1, clients are not using Windows LiveUpdate anymore as it has been replaced by LiveUpdate Engine (http://www.symantec.com/docs/TECH168602). As a consequence of it, you do not have Symantec LiveUpdate installed anymore as a standalone product (except if you have another Symantec product already installed on the machine), and that's why settings.merge.liveupdate cannot be used anymore.

     

    You can however configure LiveUpdate proxy settings directly from LiveUpdate policy, in SEPM console. Have a look at section 6 of this article:

    https://www-secure.symantec.com/connect/articles/how-configure-proxy-settings-symantec-endpoint-protection-manager-sepm-121

    (it is mentioning LUA but it also applies for Symantec LiveUpdate)

    I would also suggest you to have a look at section 2, regarding external communication (if you want to have benefit of new features such as Insight).

     



  • 5.  RE: scripting proxy settings for SEP

    Posted Jul 03, 2012 09:04 AM

    Yes, one could configure the proxy like that if they have only one proxy....

    But each system in our case depends on its own location proxy settings.

    So I cannot deploy this software on +5000 systems as long as they each can have different proxy settings. Configuring the proxy on SEPM is not an alternative.

    And if I would request our partners to go on each system (remote or on site) and configure the proxy after I deploy SEP they will probably put a bounty on my head. :)

     



  • 6.  RE: scripting proxy settings for SEP

    Posted Jul 03, 2012 10:35 AM

    I don't know any other way to do so... By the way, if you configure your SEP 12.1 clients to update from SEPM/GUP rather than Internal LiveUpdate server/Symantec LiveUpdate server, keep in mind you do not need to care about LiveUpdate Proxy settings, as LiveUpdate is not used in that case.

     



  • 7.  RE: scripting proxy settings for SEP

    Posted Jul 03, 2012 11:04 AM

    ...using Location Awareness in conjunction with the LU Policy proxy settings?

    That should allow you to create several different version of the LU Policy (each with different proxies defined), and configure the SEP Client to use the correct LU Policy depending on their location.

    There's also the option of creating a DNS alias in each of your offices which resolves to the local proxy, and using that in a single LU Policy if you so wish.



  • 8.  RE: scripting proxy settings for SEP

    Posted Jul 03, 2012 11:53 AM

    some thing...

    Each system can have its own proxy (that is 5000+) proxy settings. I cannot create that many locations.

    I do not have all proxy info as the systems are at "customer" site.

    Also, what to do with new systems at other customers? As the software is automatically installed, who will put in the proxy details (the proxy details are not kept under IE settings)?

     



  • 9.  RE: scripting proxy settings for SEP

    Posted Jul 03, 2012 11:55 AM

    yes, and who will set the SEPM/GUP proxy settings? :) (they are not kept under IE settings, see above).

    It is the same issue: having some info on A side and not having a way to put it on the B side.



  • 10.  RE: scripting proxy settings for SEP

    Posted Jul 03, 2012 12:07 PM

    ...would be if you could provide us a bit further information on what you are doing at the moment.  What are you passing to the SAV clients via the merge file?

    #EDIT#

    I think it's probably worth mentioning that Definition distribution is different in SEP than it is in SAV.  Any of the requirements you currently have in SAV may no longer be required when using SEP, hence the above question to clarify exactly what you are currently doing (as it may no longer be needed!)



  • 11.  RE: scripting proxy settings for SEP

    Posted Jul 04, 2012 02:58 AM

    I thought I did it already a couple of times in the posts above: I need to upgrade from SAV to SEP (12.x) and there are 5000+ systems worldwide, each of them with potential other proxy settings. The proxy settings are not kept under IE settings so SEP cannot pick them up automatically.

    No matter if I use LU or SEPM for updates I face the same issue: configuring SEP based on these proxy settings and doing it without user intervention.

    It should be clear that a deployment cannot be done as long as the SEP is not configurable at deploy time to use these settings.



  • 12.  RE: scripting proxy settings for SEP

    Posted Jul 04, 2012 03:08 AM

    Looking into Symantec registry keys I see that LU settings, including proxy, are kept under there. Even if SEP would only pick them after a system reboot that would be fine.

    But, the user and password are encrypted.

    I wonder if there would be a way to "encrypt" my values the same way (and put them into registry).



  • 13.  RE: scripting proxy settings for SEP

    Posted Jul 04, 2012 04:27 PM

    It would seem we have two people asking the same question in separate posts.

    Have a look here: https://www-secure.symantec.com/connect/forums/scripting-configuration-change-such-liveupdate-comes-particular-http-proxy

    The reasons for doing the update might be different, but both want to achieve the same goal.

     



  • 14.  RE: scripting proxy settings for SEP

    Posted Jul 04, 2012 04:32 PM

    Sorry. As John Q. states below, SEP 12 now uses the LiveUpdate Engine, my previous comment will not work.