Endpoint Protection

Hi all,

I've setup successfully a little network with SEP ; the config is as below : one SEPM on headquarter and several gups for our branch offices (10 branch offices with up to 15 computers each). We are using a frame relay cloud for our WAN with bandwidth as low as 32k.

I configured a test branch office with a GUP, and saw throughout a packet analyzer that SEP clients seem to send a lot of requests to the SEPM then eating all our WAN bandwidth. 

Is there any way to avoid this type of situation ? 

Thanks in advance.

PS : Excuse for my bad english as I'm not a native english speaker.

Change the communication settings to pull mode and hear beat interval to 1 hour randamize to 5 min.
Which is the version YOU are using?
 

please follow the WAN best practices

https://www-secure.symantec.com/connect/forums/multiple-office-wan-infrastructure-best-practices

AravindKM : 
Already set up for pull mode but I configured an heartbeat interval to 4 hour and randomization window to 1 hour. Should I change those values ??

Rafeeq :
Very interesting link, Rafeeq ; I'll take time to digest all informations described there.

Note :  We are using a high latency WAN (a VSAT one).

Then no need to change.
Remember if a client u switch on it will contact the manager then it will requse the gup for the update.
If the clients having very old update gup has to download large file it will consume bandwidth.
Below doc will help you in deploying the clients with latest update
How to deploy the Symantec Endpoint Protection (SEP) client Release Update 5 or later with current virus definitions and intrusion prevention signatures.
This is common for all versions

You can also enable bandwidth throttling for gup

How to configure GUP bandwidth throttling in Symantec Endpoint Protection 11.0 MR4?
For RU5 you can do this in LU policy --->server settings--->Group update provider

 

AravindKM

Clients with latest update : As all clients have been deployed a month ago for the test site, I think I have no choice that send a CD or something like that to that site and ask them to update manually all clients. For other sites, I'll do as described in the doc.

Bandwitdh throttling : should I set up this for all clients or for the GUP only ?

Another question : is there any way to schedule updates for GUP every night for example ?

should I set up this for all clients or for the GUP only ?
It is only possible for GUP.(I think that much only req.)
is there any way to schedule updates for GUP every night for example ?
It is not possible 

With the help of packet analyzer can you confirm only GUP is creating load.
If not you may have to check the log handling settings.(Clients ----> <Preferred group>--->client log settings and in antivirus and antispyware policy ----- > miscellaneous ---->log handling ).According to  my prediction only GUP has to create the network load problem in your case

Thanks for the two first points

Load : I remember that all clients were chatting with SEPM (by the time of test deployment) ; as it was unbearable, I created an Access-list on our distant router to prevent all communication to SEPM. I think this situation was caused by non updated definitions on clients.
So, I'll send an update and deploy this to all clients to test site throughout a CD and then remove the router ACL and check as you tell. I'll send you all info ASAP.

Banky

zerO

Client to SEPM - logs, policies,... : agreed
Client to SEPM - definition update : please, clear my mind, as documentations say it, clients don't download update from SEPM unless updates don't exist on GUP. True or not ?
GUP to SEPM : definition update : agreed.

Banky

Rafeeq

Read from start to end the URL, lots of informations but It causes me some doubts. Should I deploy, as for UK case, SEPM instead of GUP on my distant sites due to latency ?

Banky 

that true, you have
you set a try interval, if they wnt get only then they wil to to sepm
you can set that to neve also.
this is what happens during hertbeat

SEP clients still need to communicate with the SEPM even when GUP's are used.

Client to SEPM - Logs, policies, heartbeat, stats, etc.
Client to GUP - Definition update
GUP to SEPM - Definition update

You do have to bear in mind that you can tell the clients to go back to the SEPM if they cant get content for X amount of days.
You can also set a secondary GUP that clients can use but unfortunately it is a single host and can't be dynamic list like the normal GUP list for a group.

The SEP client and GUP on a machine are completely independant of each other.
They do not share definitions but rather the SEP client gets whatever definitions it requires and the GUP only gets what other clients are requesting.

Z

banky,

Apologies for that I messed up my post.
Fixed now though.

Best way to think about the GUP is that it works like a web proxy and it will cache definitions that have already been requested,
Very minimal bandwidth if all of your clients are updating every day!

Be careful if they end up at all different definition dates though as they will all need slightly different micro definitions.
I only do a once daily definition update to minimise this risk because at the default of 3 it makes the chance of many clients having different definitions much higher.

Also be careful when deploying new SEP clients as they will have old definitions unless you have updated the install source.
Full definition is running at about 66MB as of today.

Z

Rafeeq

Then, I'm lost...  There are some technical and organizational reasons why  I don't want to deploy SEPM on distant site. Among them is a high rate of hardware failure (due to heat and humidity) ; so if i loose a distant SEPM, what happens ?

Banky

How many clients you are having in remote site?
If it is not huge GUP is recommendable
In case of an SEPM failure you can get it back .For more info refer below doc

Best Practices for Disaster Recovery with Symantec Endpoint Protection

 

Clients on remote site : up to 15
SEPM failure on remote site : the problem is not how to repair it but when it can be repaired... It may take up to a month for a lot of reasons... By the way, thanks for the link.

Clients on remote site : up to 15

Then GUP is best option.
  
"the problem is not how to repair it but when it can be repaired"
i didn't got what u mean

"the problem is not how to repair it but when it can be repaired"
i didn't got what u mean
For how to repair a SEPM on distant site, this can be done. But it may take say 2 weeks to be repaired (request, send and install the hardware items replacement take about 10 days + reparation time). I can't leave our systems without protection during those 2 weeks.

Ok then you go for GUP.
At lest you can change it if the pc which u designated as GUP is not working.

Thanks to all of you, I think I got the solution :
- deploy GUP on remote sites,
- heartbeat : 4 hours
- randomization : 1 hour
- log : security related only logs

To even more reduce WAN traffics with SEPM, I will apply some bandwidth management on routers.

Good
I suggest you to add  bandwidth throttling for gup also along with this.

ArvindKM
I suggest you to add bandwidth throttling for gup also along with this.
I don't undestand what you mean.


zerO

Be careful if they end up at all different definition dates though as they will all need slightly different micro definitions.
I only do a once daily definition update to minimise this risk because at the default of 3 it makes the chance of many clients having different definitions much higher.
How to do this ? 

bandwidth throttling 
In one of my earlier post I has mensed it .With the help of this you can specify the bandwidth to be used by GUP for the downloads

In SEPM go to Admin ---->Servers--->local site---->edit site properties---->liveupdate .Here you select daily so that it will download only one revision in a day.This also can reduce bandwidth use .

Thanks Aravind 

Hi all,

Sent out and deployed updates on remote sites.

Turned our router to a basic sniffer and checked traffics between SEPM and distant clients. Curiously almost (about 90%) of distant clients are chatting with SEPM. Is it normal ?

Only 4 out of 15 distant clients are seen on SEPM clients ? Is it normal.

Banky

All clients will be contacting the SEPM in its each heart beat interval what we set.This time it will upload the logs to the SEPM and it will find any policy change or presence of new update.If any new update find it will req. the GUP for it. 

 That's understandable, but why some clients don't be shown on SEPM ?

Go to that client and see whether it is giving a green dot on the yellow shield.. In the client in GUI go to help and support---> troubleshooting and see the server name and group. In the Corresponding group in the server check whether it is appearing. It is also possible that the client may take some time to show in SEPM even it is connected .Also check the possibility of display filter you set..(There may be multiple pages ,by default the display filter will be 30)

Will tell someone on distant site to check and reporting here ASAP 

Sorry for  taking so much time to reply, ... was ill...

 Can see now all clients on SEPM ; but I can't explain why all those distant clients don't appear on their group, had to move them manually SEPM

Banky

Once if you move whether it is staying in the correct group?
Assure that all your clients are in computer mode. 

Sure, all clients are in computer mode.  

Some times I am also seeing this phenomenon. By the time if I move manually to proper group this problem is getting rectified. Assure that you are do not having this problem
Client install package shows wrong Server details

Thanks AravindKM

Topic may be closed now. 

I think your problem got solved now.in  fact I had written an article which can help in like this scenarios.
ref:Tips For Installing SEP In A Low Bandwidth Environment 

check it an if you are having any suggestion add it as a comment.Since now you are well experienced it will be beneficial for the future visitors.

 Ok. Will have a look on it

Thanks again AravindKM