Endpoint Protection

I understand that the GUP only does def updates and cannot actually install the client. Do I have to setup some kind of branch server and will the main console keep the stats of all the computers in the environment? I'm coming from McAfee where the agent handlers can instal everything so this is a rude awakening if it is. I use virtual servers so not a big deal if so.

If deploying new packages or client updates is a high priority, I'd recommend setting up additional servers for load balancing. Each server would be primary for certain groups. And you won't be needing GUPs since the server would be managing the updates. Depending on how many servers we're talking about here, sometimes its cheaper to assign GUPs to branches and just do a scheduled package deployment when new SEP versions are out. Which means no new machines are added to the network.

I just checked  on McAfee's Agent Handler. Its counterpart in Symantec is the Load Balancing feature. You'll neet to setup multiple SEPM servers for this one, probably similar to McAfee (I just skimmed over their PDF) but with different procedures. If posted some useful references:

Document:

http://www.symantec.com/docs/TECH104519
 

Video:

http://98.129.119.162/connect/ja/videos/load-balancing-and-fail-over

http://98.129.119.162/connect/ja/videos/replication-concepts-and-configuration

So if you'd just copy the previous topology, go with load balancing.

Cheers.

Yes , you can have Replication.

Where you can have a main site at the Head office and at each branch you would have a replication partner. All the information from the branch office can be seen at the Head office.

Hello,

The Group Update Provider was a feature request to support designating a particular client to serve as a computer that will get content updates and publish them. This is designed to provide functionality vaguely similar to configuring a legacy Symantec AntiVirus client as a secondary server.

The computer that is downloading and publishing the content is referred to as the “Group Update Provider.” The computers in the client group will use the designated “Group Update Provider” as a local proxy for content updates.

Check the Following few Symantec Knowledgebase Articles for the same.

Symantec Endpoint Protection 11.0 Group Update Provider (GUP)

http://www.symantec.com/business/support/index?page=content&id=TECH102541&actp=search&viewlocale=en_US&searchid=1301047226875

Best Practices with Symantec Endpoint Protection (SEP) Group Update Providers (GUP)

http://www.symantec.com/business/support/index?page=content&id=TECH93813&actp=search&viewlocale=en_US&searchid=1301044702628

Items to consider when using Group Update Providers (GUP)

http://www.symantec.com/business/support/index?page=content&id=TECH138828&actp=search&viewlocale=en_US&searchid=1301047226875

In regards to your Question about Deploying the Clients automatically, I would say

You have to install SEP on all the machines for the first time via Migration and Deployment Wizard. However, the next time for Migrating the Clients to the latest release, there is a Auto upgrade Feature within SEPM.

All you would have to do is Upgrade the SEPM and once the SEPM is upgrade, you can use the Auto-upgrade feature to migrate all the Clients to the Latest Version. Check the Symantec Knowledgebase as below:

Upgrading clients by using AutoUpgrade

http://www.symantec.com/business/support/index?page=content&id=TECH96789&actp=search&viewlocale=en_US&searchid=1301048252679

For Deploying SEP to newer Clients coming on the network, there is a feature Find Unmanaged Computers and Unmanaged Detector, which could also be used.

Best Practices: When to use the "Find Unmanaged Computers" or "Unmanaged Detector" features in Symantec Endpoint Protection 11.0

http://www.symantec.com/business/support/index?page=content&id=TECH104340&actp=search&viewlocale=en_US&searchid=1301048345110

Hope that answers all your questions.

Thank you all for your replies.

1. We are a school district environment. We only have 5 buildings 2 of which are connected via 100MB connections so one SEPM could service both.

2. In McAFee's agent handler the agent will send everything locally to the computers even the client and you cannot even look at a console or anything on the agent handler server, all is done through the EPO console.

3. I really need to be able to script this because in a school environment computers are coming and going at a fast rate. We also have computers that go home for long stretches, are turned off in the summer, are used for testing and do not go on very often, etc. Can't I just share out the client install files in the inetpub folder and point the script to that?

4. Is load balanding different than replication?

@mac

To deploy packages, I usually use IIS. You would add the install packages to the groups, and point SEPM to the IIS virtual directory.

For example -

Copy your exported install packages (setup.exe files) to each of of the domain controller or other server in each of the remote sites. Make sure the server is on the same subnet. Setup a new virtual directory in IIS and point it to the setup.exe package you want to deploy. You'll get a URL - http(s)://server/virtual directory/setup.exe. From there, in SEPM>Client>(name of group)>Install Packages>Add

When you add the install package, make sure you copy/paste the URL for the IIS virtual directory.

Using the IIS method allows the packages to auto deploy and the client will not being downloading 125MB file from the SEPM and saturating the bandwidth. Of course, another option would be the clientremote.exe or Push Deployment Wizard. But, that's a lot more work.

Good luck!

Mike

@postechgeek

That is most interesting. How does the client computer know to look at the IIS directory? I was going to share out the client install files on the inetpub on each SEPM and use a startup script to make a call to that setup.exe file on the share itself so all woudl be local. We have tons of computers that come on when we are not looking so I can't be there swatting flies so to speak to catch them. I will take a look at the finding the rogue ones but that is a last resort for me.

@mac,

The IIS solution would be good for upgrading client packages (say from RU6 MR2 to RU6 MR3). If you have a new install, the IIS option wouldn't work to my knowledge. Keep it mind for future upgrades though. Your idea sounds solid to me. 

Mike

So far I am trying this directly from the share and very interesting that in that scenario I had to add this to the setup.ini, CmdLine=/qn

Without that it asks you if you if you want to install Symantec, that is if you are logging into the computer, not a good thing for automation. It did remove McAFee and install Symantec but I am now checking if it puts the computer into the console. If not well that may be a problem.

McAfee has a rogue detector but instead of just telling you which ones they are it actually installs the agent and puts it in the McAfee console as unknown. From there I just throw it into the right group.

This will be an interesting journey.

@mac,

Do you have any firewall restrictions blocking port 8014?

If not, you may try to replace the sylink.xml file with SylinkDrop or even better SylinkReplacer. This tool will come in handy down the line.

SylinkDrop:

http://www.symantec.com/business/support/index?page=content&id=TECH105034

SylinkReplacer:

https://www-secure.symantec.com/connect/downloads/sylinkreplacer-tool-connecting-sep-clients-sepm

It allows you enter an IP address range, and the tool will auto replace the sylink.xml file all on SEP installs that it finds within that range.

To export a valid sylink.xml file-

SEPM>Clients>(Select Group>right click, choose "Export communication settings", rename the file sylink.xml

Hello,

I know you are working on Scripts.

SylinkDrop is an Excellent Tool and probably would have to understand what the Tool does behind to get it to work right for you.

In the mean time , we shall first understand, how the manual replacement of sylink.xml is working.

1) On your server 2k3 Server, go to

C:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\outbox\agent

2) open a numbered folder

3) copy the sylink.xml file

4) Go to Client machine where you want to replace the Sylink.xml file to make it managed.

and

Start > Run > smc -stop

5) Go to c:\program file \symantec \symanetc endpoint protecion \

6) Place the copied sylink.xml file here.

7) Now you need to start the service by:

Start > Run > smc -start

Now, check if the local client on 2k3 has green dot and if thats reporting to new SEPM..

Indeed, you can try the SylinkRemote as well. You can download the Tool from:

https://www-secure.symantec.com/connect/downloads/...

How to run the SYLINK REMOTE to Replace the Sylink Remotely

https://www-secure.symantec.com/connect/articles/h...

*Sylink Remote is a Outdated Tool, however, in your case it is the right tool to have.