Optimizing Symantec Endpoint Protection for branch offices
search cancel

Optimizing Symantec Endpoint Protection for branch offices


Article ID: 177685


Updated On:


Endpoint Protection


You want to know what to consider when planning your implementation of Symantec Endpoint Protection (SEP) in your branch offices.

Your company may have an Symantec Endpoint Protection Manager (SEPM) at the main office, as well as branch offices with multiple computers per branch.


  1. Implementation Considerations
    1. System Requirements for the build of SEP
    2. Database Considerations
    3. Network Considerations
    4. Load Balancing Considerations
    5. Replication Considerations
    6. Content Update Considerations
    7. About Group Update Providers (GUP)
    8. Location Awareness
  2. Pre-installation Considerations
    1. Establish Inventory of SEPM servers and GUPs
    2. GUP as "secondary content distributor"
  3. Configuring SEPM
    1. Organize Branch Offices by Group
    2. Use a GUP in Every Group
    3. Disable Policy Inheritance for Branch Office Groups
    4. Configure Branch Groups for Pull Mode with Optimal Heartbeat
    5. Configure Log size
    6. Configure Throttling

1. Implementation Considerations

Database Considerations

    • Failover and load balancing installations are supported only when the original SEPM uses Microsoft SQL Server.
    • Do not install servers for failover or load balancing when the original Endpoint Protection Manager uses the embedded database.

For more information regarding installing SEP with a SQL Server, please refer to the following documentation.

      SQL Requirements
      Best Practices for SQL 2000 and 2005

Network Considerations

An ideal situation for clients is to always have the ability to contact a trusted content provider. Designing for multiple paths of available communication for each client is the best way to ensure that content is received. Endpoint Protection can be configured so that if the client cannot contact one source for content, it will attempt to contact another. Load Balancing can be used (with or without replication) to provide fault tolerance for client management and content updates.

Load Balancing Considerations

It is not recommended to set up multiple sites in an attempt to balance the load on the server. A better practice is to add management servers to an existing site. Use the "Management server list" feature to automatically distribute the load among them. In a custom Management server list, each server is assigned to a priority level. By default all management servers have a "priority one" status. After installation, you can configure the priority level of a server.

A client that comes onto the network will randomly select a priority one server in their location to connect to. If it cannot connect to that server, it tries to connect to another "priority one" server in that location. If no "priority one" servers are available, then the client tries to connect to a random priority two server. This method of distributing client connections randomly will distribute the client load among your management servers.

The Management server list can also be used in conjunction with Location Awareness to ensure that clients will connect to the most appropriate server for their location. For more information about setting up Managed Load Balancing with Location Awareness, please read the following document.

Replication Considerations

Replication should be implemented with care. The minimum number of replication sites should be implemented.

    • Keep the number of replicated sites ideally below 5
    • It is strongly recommended to not go over 20 replicated sites.
    • If more than 3 SEPM sites are replicating, it is recommended to do so no more frequently than once per day.
    • It is critical to ensure that replication does not overlap with either replication at another site, or a scheduled Liveupdate session.

Content Update Considerations

Content can come from many internal sources. SEPMs and GUPs are just two examples. Proper placement and configuration of content providers is critical to ensure that clients are able to update their protection. Issues such as bandwidth usage, frequency, and scheduling of content updates should be carefully considered.

Administrators often are curious how much network traffic can be created during content updates. Please keep in mind the frequency of the content update (i.e. daily, quarterly, or per heartbeat) and whether or not the content can be distributed to clients by a content provider such as a Group Update Provider (GUP). Below is a table with estimated sizes of the types of content updates that can occur between the Manager, the Group Update Provider (GUP) and clients.


    Content type
    Size of Package
    Deliverable via Group Update Provider (GUP)
  • Heartbeat (with no updates to be exchanged)
  • between 2 KB and 3 KB per heartbeat.
  • When there is no traffic to be exchanged (i.e. no profile to download and no logs to update). The heartbeat is configurable. The default is every 5 minutes.
  • The GUP does not directly manage clients; it delivers content to clients on its local network segment.
  • Policies (i.e. AV/AS, Firewall, OS Protection, Host Integrity)
  • Typically varies between 20 KB and 80 KB.
  • Generally, after you set your policies to suit your network needs, you do not modify them on a regular basis.
  • Can increase if detailed rules are included, or OS protection templates are used.
  • No. The policies must come from a Symantec Endpoint Protection Manager.
  • IPS Signature Updates
  • 50 KB and 100 KB
  • Symantec supplies updates approximately every quarter unless a specific threat or vulnerability needs to be addressed.
  • Yes. The client receives information from the Symantec Endpoint Protection Manager when to download content from the GUP.
  • AV Signatures
  • 50 KB to 100 KB (daily)
  • If you assume that the signatures are updated successfully every day.
  • Logs
  • Varies
  • Logs are compressed at the client before they are uploaded to the Symantec Endpoint Protection Manager. Approximately, 800 log entries take up 1KB of file space.
  • Logs are forwarded from the client to the Manager.

About Group Update Providers

Group Update Providers (also known as GUPs) can be used in networks to distribute content updates. Clients will still need a Symantec Endpoint Protection Manager to connect to. The Manager is what informs the client that it should download new content from the Group Update Provider. The Manager is also responsible for distributing policies and collecting logs from the client.

For improved bandwidth, implement a Group Update Provider on an "always-on" machine running a Server OS (such as a Windows File server).

    • For remote sites with less than 10 machines, it may make most sense to have the local SEP clients connect directly to their SEPM for content updates or to Symantec Liveupdate on the internet.
    • When there are over 50 machines at the remote site, it advisable to install 1-2 GUPs to handle content distribution, while the clients are managed with a SEPM physically located at another office.
    • In Release Update 5 (RU5) Take advantage of the enhanced GUP features to designate GUPs on each subnet.

New features and functionality in Symantec Endpoint Protection Release Update 5 (SEP RU 5) Group Update Provider (GUP)

Location Awareness

Sometimes despite best efforts, a client simply cannot connect to an internal content provider. That can be especially true for computers such as laptops. With proper configuration, Location Awareness can be used so that if the client finds itself isolated from internal sources, it can still contact the Symantec LiveUpdate server for updates.

2. Pre-installation Considerations

Establish a Inventory of Endpoint Management Servers and Group Update Providers

Symantec Endpoint Protection Managers should be placed strategically in your environment.

    • Research installation requirements and best practices.
    • Create a detailed diagram of how the Endpoint Servers will be integrated for fault tolerance and load balancing.

Group Update Provider As "Secondary Server"

The most significant load on the Manager comes from distributing content. GUPs can be used to supplement or replace a SEPM for distributing content updates to SEP clients. Rather than each of your branch clients connecting to the main office SEPM, it receives its updates from the Group Update Provider.

GUPs cannot be used to update policies or manage clients. This means that clients will still need network connectivity to a SEPM in order to perform the heartbeat process, which updates their policies, and informs them when new content is available to download from the GUP.

3. Configuration of Endpoint Protection

Organize Branch Offices by Group

Using this organization method will allow you to configure settings specific to each branch location. This will improve the performance of content distribution significantly, and greatly reduce the load on the server.

Use a Group Update Provider in Every Group

It is recommended that a GUP be on the same network segment as all clients configured to update from the GUP. Though bandwidth usage can be significantly reduced by using GUPs strategically, it is still important to ensure that GUPs are positioned in the network to maximize their effectiveness. GUPs should only be configured to provide updates to for clients on their local network segment. The GUP must have sufficient bandwidth to deliver content packages of up to 45 MB to the clients it serves up to 3 times a day.

Disable Policy Inheritance for Branch Office Groups

You must disable policy inheritance on the groups that will be using the GUP functionality of the Symantec Endpoint Protection software. If you have policy inheritance enabled on the groups that the GUP's were configured on they will revert back to the GUP configured for the Global group.

  1. Click on the "Clients" tab.
  2. Click on the name of the group.
  3. Click on the "Policies" tab.
  4. Under "Policy Inheritance" uncheck "Inherit policy and settings from parent group '<Group Name>'."

Configure Branch Groups for Pull Mode with Optimal Heartbeat

Endpoint Protection by default is set in "Push" mode. You should switch your branch offices to "Pull" mode. Clients that use the Pull mode download policies and content based on the Heartbeat interval setting, which is set to 5 minutes by default. Even in slower bandwidth environments, the heartbeat can be as frequent as every hour.

  1. Click on the "Clients" tab.
  2. Click on the name of the group.
  3. Click on the "Policies" tab.
  4. Under "Location-independent Policies and Settings" click on "communication settings".
  5. Under "Download" check "Pull Mode"
  6. Under "Heartbeat Interval" enter in a more convenient heartbeat. The default is 5 minutes.

Configure Log size

  1. Click on the "Clients" tab.
  2. Click on the name of the group.
  3. Click on the "Policies" tab.
  4. Under "Location-independent Policies and Settings" click on "client log settings".
  5. Adjust log settings if necessary.

Configure Throttling

Group Update Provider (GUP) bandwidth throttling was introduced in SEP 11.0 MR4. Please refer to the following document for configuration instructions.

'How to configure GUP bandwidth throttling in Symantec Endpoint Protection 11.0 MR4?'