Endpoint Protection


question about basic protection / full protection

  • 1.  question about basic protection / full protection

    Posted Oct 31, 2013 05:25 AM

    Hi there,

    I have a simple question about the different protection methods for server and clients.

    I know I can run an installation on clients with, let's say, full or basic protection, so on the client only this is installed.
    But let's say when I installed a full protection featured installation and want to change this later, can I for example disable the firewall policy on the group so this will be disabled on the client also?

    Thanks,

    LEVD 



  • 2.  RE: question about basic protection / full protection

    Posted Oct 31, 2013 05:31 AM

    Check this Article for: Deciding which features to install on the client

    About the types of threat protection that Symantec Endpoint Protection provides

    If you want to modify you can do this

    How to add or remove features to existing Symantec Endpoint Protection (SEP) client installations



  • 3.  RE: question about basic protection / full protection

    Posted Oct 31, 2013 06:20 AM

    In a nutshell, yes.

    If you were to install the "Full Protection" feature set to a client, you can later disable the component by withdrawing or disabling the corresponding policy or policy section (whether that be IPS, FW, A&DC, HI, SONAR, etc).

    The difference is that by choosing the "Basic Protection" feature set, the client doesn't even install the drivers for the feature, meaning it cannot later be enabled by assigning the corresponding policy type.

    Soooooooo, the "Full Protection" feature set gives you the flexibility to enable and disable components as you see fit.  Whereas the "Basic Protection" feature set pretty much limits you to just AV and means even if you assign an IPS/FW/A&DC policy by mistake, it will have no effect.



  • 4.  RE: question about basic protection / full protection

    Posted Oct 31, 2013 06:38 AM

    It does not always work OK for me to set a package on a group with, let's say, a basic protection feature set.
    So SMLatCST, disabling, let's say, the "firewall policy" on a group actually disables the firewall on the client in that group? Or will the client give errors that the firewall isn't working properly?

     



  • 5.  RE: question about basic protection / full protection

    Posted Oct 31, 2013 06:49 AM

    Component will be installed, policies will be in pass-through mode. No actions will be taken on any packets.

    Even to leave the packets alone, it has to do some work and it will take some CPU cycles.

    Disabling FW from SEPM will generate a warning on the clients. To stop this you need to close the Lock icon on the policies tab.

    If you are not using FW policy, don't use the FW component. That's what I have been doing over these years.

    It's always up to you ....

     



  • 6.  RE: question about basic protection / full protection

    Posted Oct 31, 2013 06:50 AM

    Withdrawing the FW policy from a group will disable the FW on the clients in that group.

    In SEP12.1RU2 and RU3, this will result in "Disabled Component" warnings on the SEPM, but the fix list for RU4 says Symantec have resolved this now (but I've not yet had a chance to check).  Oddly, this issue never affected IPS.

    Regarding your failed auto-upgrade attempts, have you checked out the sylink and sep_inst logs on the clients for why some of them work and others don't?



  • 7.  RE: question about basic protection / full protection

    Posted Oct 31, 2013 07:19 AM

    At the moment I have a client with full server protection; I need to bring this back to basic protection for servers.

    I created a new group, created a new feature set with basic server protection, added the client to this group.

    I can't find the SEP_INST.log file; it isn't on the client computer. If I look at the client properties from within the console:

    Deployment status: the client decided to reject the upgrade package

    Deployment message: Client ingnored upgrade package version 12.1.3001.165

    This notification is on a lot of computers that are not upgrading to the new version, or won't upgrade to my new client feature sets.



  • 8.  RE: question about basic protection / full protection

    Posted Oct 31, 2013 07:25 AM

    What does the sylink log on the client say about this?  I provided a link to enable sylink logging in your other thread:

    https://www-secure.symantec.com/connect/forums/install-packages-sepm

    http://www.symantec.com/docs/TECH104758

    If the client rejects the package, then it won't even attempt to run the installer.  Therefore the sep_inst log won't get updated.



  • 9.  RE: question about basic protection / full protection

    Posted Oct 31, 2013 07:43 AM

    If it's on just one server, go to Add/Remove Programs, select SEP, select Modify,

    remove the components you want to. Click Next and complete the install.

    If it's happening on too many servers, then logs will give us the root cause.



  • 10.  RE: question about basic protection / full protection

    Posted Oct 31, 2013 07:57 AM

    refeeq, yes I can do this, but I need to fix this for all my other clients also..

    SMLatCST, can I also enable debug logging from within the client --> troubleshooting, or is this some other kind of logging?

     



  • 11.  RE: question about basic protection / full protection

    Posted Oct 31, 2013 08:07 AM

    You can, but that is something different from sylink logging.  It may be of help though, so I see no reason not to enable debug logging as well.



  • 12.  RE: question about basic protection / full protection

    Posted Oct 31, 2013 08:30 AM

    This log seems to indicate it actually did change the features:

    10/31 13:20:39.878 [2408] <CSyLink::mfn_DownloadNow> SMC reports applying new features succeeded with cache installer.

    What do you see on the client itself?

     



  • 13.  RE: question about basic protection / full protection

    Posted Oct 31, 2013 09:52 AM

    Pretty strange, or will a reboot be required?

    Endpoint.png



  • 14.  RE: question about basic protection / full protection

    Posted Oct 31, 2013 10:04 AM

    Yeah, looking pretty odd.  If there's no sep_inst log file, then it doesn't sound as if the feature change was actually attempted.

    Is there anything in the Windows App log to suggest the setup was run?



  • 15.  RE: question about basic protection / full protection

    Posted Oct 31, 2013 10:20 AM

    Beginning a Windows Installer transaction: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\SmcLU\Setup\Sep64.msi. Client Process Id: 5216.

    Product: Symantec Endpoint Protection -- Configuration failed.

    Windows Installer reconfigured the product. Product Name: Symantec Endpoint Protection. Product Version: 12.1.3001.165. Product Language: 1033. Manufacturer: Symantec Corporation. Reconfiguration success or error status: 1602.

    Ending a Windows Installer transaction: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\SmcLU\Setup\Sep64.msi. Client Process Id: 5216.

     



  • 16.  RE: question about basic protection / full protection

    Posted Oct 31, 2013 10:23 AM

    Error 1602 appears to suggest it was cancelled:

    http://www.symantec.com/docs/TECH141798

    Did you create and assign a "Silent" install settings package with the upgrade?
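
Added example, not part of the original thread: a small parser for the Windows Application-log messages quoted in post 15, which pairs each Windows Installer transaction with its result event and maps the status code to its documented meaning. The function names `triage` and `failed` are hypothetical, and the input is assumed to be event message text exported one message per string.

```python
import re

# Windows Installer exit codes documented by Microsoft (subset).
MSI_STATUS = {
    0: "success",
    1602: "ERROR_INSTALL_USEREXIT: user cancelled the installation",
    1603: "ERROR_INSTALL_FAILURE: fatal error during installation",
    1641: "ERROR_SUCCESS_REBOOT_INITIATED: installer started a reboot",
    3010: "ERROR_SUCCESS_REBOOT_REQUIRED: reboot needed to complete",
}
OK_CODES = {0, 1641, 3010}

BEGIN = re.compile(r"Beginning a Windows Installer transaction: (?P<msi>.+?)\. "
                   r"Client Process Id: (?P<pid>\d+)\.")
END = re.compile(r"Ending a Windows Installer transaction: .+?\. "
                 r"Client Process Id: (?P<pid>\d+)\.")
RESULT = re.compile(r"Product Name: (?P<name>.+?)\. Product Version: (?P<ver>[\d.]+)\. "
                    r".*? success or error status: (?P<status>\d+)\.")

# The four Application-log messages quoted in the thread above.
MSI = (r"C:\Program Files (x86)\Symantec\Symantec Endpoint Protection"
       r"\12.1.3001.165.105\SmcLU\Setup\Sep64.msi")
SAMPLE = [
    f"Beginning a Windows Installer transaction: {MSI}. Client Process Id: 5216.",
    "Product: Symantec Endpoint Protection -- Configuration failed.",
    "Windows Installer reconfigured the product. Product Name: Symantec Endpoint "
    "Protection. Product Version: 12.1.3001.165. Product Language: 1033. Manufacturer: "
    "Symantec Corporation. Reconfiguration success or error status: 1602.",
    f"Ending a Windows Installer transaction: {MSI}. Client Process Id: 5216.",
]

def triage(messages):
    """Pair each MSI transaction with its result event and explain the status."""
    findings, cur = [], None
    for msg in messages:
        if m := BEGIN.search(msg):
            cur = {"msi": m["msi"], "pid": int(m["pid"]), "product": None,
                   "version": None, "status": None, "meaning": "no result event logged"}
        elif cur and (m := RESULT.search(msg)):
            code = int(m["status"])
            cur.update(product=m["name"], version=m["ver"], status=code,
                       meaning=MSI_STATUS.get(code, "unlisted code, check MSI docs"))
        elif cur and (m := END.search(msg)) and int(m["pid"]) == cur["pid"]:
            findings.append(cur)
            cur = None
    return findings

def failed(findings):
    """Transactions that did not end in success or a pending reboot."""
    return [f for f in findings if f["status"] not in OK_CODES]
```

Calling `failed(triage(SAMPLE))` returns the single transaction from the thread with status 1602, which is the user-cancel code discussed in the posts that follow.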



  • 17.  RE: question about basic protection / full protection

    Posted Oct 31, 2013 10:46 AM

    It's a standard package delivered with the SEPM installation, but I indeed select a silent install in the client install settings. Is this the problem?



  • 18.  RE: question about basic protection / full protection

    Posted Oct 31, 2013 10:48 AM

    It does seem like the cause of the issue.

    The error number of 1602 appears to suggest the installer is getting cancelled by the user.  In which case setting the auto-upgrade package to use a "Silent" package should prevent the users from messing with it.



  • 19.  RE: question about basic protection / full protection

    Posted Oct 31, 2013 11:00 AM

    Well, it's already a silent install. Maybe I need to test with a different client install setting...
    Will test things out and check back here, but it's pretty strange behaviour, and mostly it looks like this behaviour is on server systems (w2k3, w2k8)

     

     



  • 20.  RE: question about basic protection / full protection

    Posted Oct 31, 2013 02:39 PM

    log deleted contains a lot of info ;)