Endpoint Protection

Hello,

Here is the point, I need to configure computers to get their definitions on the nearest local FTP server.

We've got something about 450 FTP server around the world, so it's not possible to put 450 groups/sub-groups with a specific liveupdate policy (and then move each computer on the right subgroups...amazing considering we've got 80k clients...).

In SEP11, my script configure Settings.Liveupdate, and it was ok.

In SEP12, is this possible ? Considering, there isn't any (it seems to be) Settings.liveupdate.

I was figuring out to create a common policy with a fake host (liveupdate.company) which will be resolve by the hosts file (in system32/drivers/hosts modified by my script to resolve the liveupdate.company to my nearest FTP server)...

Unfortunatly, SEP12 liveupdate seems to directly query DNS...So i'm totally stuck !

Any idea someone ?

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate , i can see settings.liveupdate on SEP 12 client.

This file is completly ignored by SEP12 :(

Maybe if you're on an unmanaged client ? But this is not the case

Hi Ouhlala,

A couple of questions...

First of all, how does that content get up onto the 450 FTP servers at present?  Are you using LiveUpdate Administrator 2.x?  (If so, what version?) 

If you really have your heart set on manually redirecting all clients to FTP servers rather than via a newer technology like SEPM delta defs + GUPs, LUA has the ability to export settings.hosts.liveupdate files which should be able to direct SEP 12.1 clients to FTP locations.

I can confirm: SEP 12.1 uses a new technology called LUE to keep its clients up to date.  The files associated with the older Windows LiveUpdate client are no longer applicable.  LUE can receive LiveUpdate policies from the SEPM in a far more efficient (and supported!) way than manually changing settings.liveupdate files.  A series of LU policies, applied at the correct level of nested client groups, should also do the trick. 

Final question: do all the sites around the world use the same Active Directory structure?  If so it it *may* theoretically be possible to arrange a global local resource that all clients could access via FTP... I am thinking about getting definitions, content, etc replicated Active Directory Distributed File System Replication (DFSR)-?  Have not tried that myself, but it night work.   

Thanks and best regards,

Mick

Solution here:

http://www.symantec.com/business/support/index?page=content&id=TECH166129&actp=search&viewlocale=en_US&searchid=1317236386554

An other solution (we're going to finally apply) is to configure in LU policy one or two main "fake" HTTP liveupdate server.

Those fake servers will do a "HTTP Redirect" (301 moved permantly) to the local server.

Cheers for updating this thread with the solution!  I agree that the method in that KB should work fine.

If you are using a LUA 2.x server to export those Settings.Hosts.LiveUpdate files, do make sure you are runnign the most recent release: LUA 2.3.

A new LUA 2.3.1 should be available around the end of this year- keep a watch out for it!  &: )

The "KB method" will work fine, but you need to disable "Tamper Protection" => Not really fine and secure, isn't it ?

Settings.Hosts.LiveUpdate only contain same parameters as Liveupdate 3.3, and works fine with SEP12 (so, no need to update LUA 2.x to a newer version).

Anyway, the HTTP 301 redirect methods (Thanks to Apache for his mod_rewrite module :p) seems the most flexible and secure solution !