Endpoint Protection

  • 1.  SEP Server on the DMZ

    Posted Jan 06, 2010 01:23 PM

    We moved our SEP server to our DMZ in order to manage outside sales PCs. After about an hour the servers on the DMZ became extremely slow so we removed the SEP server from the DMZ and placed it locally on our network where it was located originally. Needless to say the slowness to the servers on the DMZ dramatically improved.  There are several thoughts about what happened and I need to know what standard practices there are in this situation and any clues as to what might be happening.

    First thoughts were the outside sales clients were getting their definition updates from the SEP server. The LiveUpdate settings for the OU used for the outside sales group were set to the following: Server Settings - Use a LiveUpdate server/Use the default Symantec LiveUpdate server. For the Advanced settings: Allow the user to manually launch LiveUpdate/Allow the user to modify LiveUpdate schedule and Download SEP product updates using the LiveUpdate server. Unless I am missing something this would preclude the outside sales clients from taking definition updates from the SEP server. Currently, there are about 125 outside sales clients. I looked at three different Log.LiveUpdate files from three outside sales users and they indicate the client is in fact going to Symantec for the definition updates, which would rule out this scenario.

    The second thought, which seems to be more logical, was the forcing of a LiveUpdate from the SEPM. This happened about 45 minutes after the server was moved to the DMZ. We have 15 GUPs and an after analysis showed 10 of them updated to the latest definition file. I thought about this some more and then realized whether I forced a LiveUpdate or the LiveUpdate took place based on the schedule the results should be the same.

    Can someone provide Symantec best practices for placing a SEP server on the DMZ, and what kind of traffic can I expect to see, and would it be enough to overwhelm the DMZ and the other devices on the DMZ?



  • 2.  RE: SEP Server on the DMZ

    Posted Jan 06, 2010 01:32 PM
    Are your clients in pull mode or push mode?
    If it is in push mode, change it to pull mode. (This you can do in Clients ----> Policies ---> Communication Settings.) Also increase the heartbeat interval (1 hour recommended).
    You can also limit the bandwidth for SEPM. (This you can do in the properties of the SEPM site in IIS Manager.)




  • 4.  RE: SEP Server on the DMZ

    Posted Jan 06, 2010 02:34 PM
    Everyone is in Pull mode so that is not the issue. Currently the heartbeat is set to 5 minutes and you would recommend one hour. Would this heartbeat be set to one hour for all clients? I found something under Web Sites/Default Web Site and selected Properties in IIS. What would you select for the max bandwidth and would you also limit the number of connections?


  • 5.  RE: SEP Server on the DMZ

    Posted Jan 06, 2010 02:34 PM
    Why would you recommend one hour vs say 15 minutes or 30 minutes?


  • 6.  RE: SEP Server on the DMZ

    Posted Jan 06, 2010 02:39 PM
    15 minutes heartbeat with a randomization of 15 mins I think is the suggested value for groups over 1000 (I think)


  • 7.  RE: SEP Server on the DMZ

    Posted Jan 06, 2010 03:55 PM
    Here would be a couple of thoughts.

    For my laptops I set up location awareness and use "can it see the SEPM console" to determine the location. If the machine is outside my network I have a different update policy that has the machines checking via LiveUpdate once an hour. This lets all machines stay updated when they are out of the office.


    One other thought would be what OS you are using. If you look at Windows 7 Enterprise or Ultimate edition you may want to look into Microsoft Direct Access as well, which may be a great solution for a sales force that is mobile most of the time.


  • 8.  RE: SEP Server on the DMZ

    Posted Jan 06, 2010 04:16 PM
    Rich

    Good information, however, our outside sales are on the road and out of the office probably 99% of the time as we have shut local offices and the outside sales force work mostly out of their homes. I use a special profile for the outside sales which tells the PC to go to Symantec every four hours to check for definition updates. Unfortunately we are still on XP Pro and there has been no discussion to move or consider Win 7 as of yet.

    The modification of the IIS to limit bandwidth and the number of connections might be what the doctor ordered.

    Don


  • 9.  RE: SEP Server on the DMZ

    Posted Jan 06, 2010 04:35 PM
    Definitely bring up WIN7, then get it on the radar and use Direct Access as part of the reason. Look into it and you will see why. That is on my list of things to do with our WIN 7 upgrade.


  • 10.  RE: SEP Server on the DMZ

    Posted Jan 08, 2010 09:37 AM
    I set in IIS the maximum bandwidth to 5mbs but did not change the connections (left at unlimited) and then we moved the SEP back onto the DMZ.  Apparently the SEP was sucking up all the bandwidth previously because now it is on the DMZ and the other servers on the DMZ appear to be working ok without any degradation of performance.