Downloading LiveUpdate (LU) content to Symantec Endpoint Protection clients for Mac and Linux.

In Symantec Endpoint Protection (SEP) 14.1.x and later, you have at least two options for downloading LiveUpdate (LU) content to Symantec Endpoint Protection clients for Mac and Linux.

Note: Linux client support is added with Symantec Endpoint Protection 12.1.5 and is only available starting with that release.

1. Use Symantec LiveUpdate Administrator 2.x (LUA 2.x). This is the best option for installations with larger numbers of Mac and/or Linux computers.
2. For smaller installations, you can configure the Apache web server as a reverse proxy. This enables the Apache web server installed along with Symantec Endpoint Protection Manager (SEPM) to download and cache the LU content for Mac and Linux clients locally whenever new content is published. This configuration results in saving of external network bandwidth.

Below are the instructions to set up the Apache web server in Symantec Endpoint Protection Manager to allow Symantec Endpoint Protection clients for Mac and Linux to download LiveUpdate (LU) content by the webserver. Please note that this solution enables Symantec Endpoint Protection Manager to act as a cache: it does not process Mac or Linux definitions into .dax files as it does with Windows definitions. It does not enable Symantec Endpoint Protection clients for Mac or Linux to update from a Group Update Provider (GUP).

Note: Installing and configuring a reverse proxy is beyond the scope of what support can assist with, this article is provided as-is to show an example of how it can be achieved

1. Configure the Apache web server in Symantec Endpoint Protection Manager
2. Update LiveUpdate policy for Mac and Linux clients to point to new LiveUpdate server
3. Manage cache file size
4. Performance and scale
5. Security and compatibility

Configure the Apache web server in Symantec Endpoint Protection Manager

Take the following steps to configure Apache web server to serve as a reverse proxy:

1. Stop semwebsrv (Symantec Endpoint Protection Manager Webserver) and semsrv (Symantec Endpoint Protection Manager).
2. Create a folder called cache-root in the Apache folder of your Symantec Endpoint Protection Manager installation directory, e.g.
   SEPM_Install\apache\cache-root
   
   The default path of SEPM_Install is as follows:
   
   Ensure that the account running Symantec Endpoint Protection Manager Webserver has full control of SEPM_Install\apache\cache-root.
   • 64-bit systems: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager
   • 32-bit systems: C:\Program Files\Symantec\Symantec Endpoint Protection Manager (12.1.x only)
3. Verify if the following files are present in the folder \apache\modules:

   If the files are not present, copy the files from the downloaded installation folder or DVD from \Tools\Apache-ReverseProxy to SEPM_Install\apache\modules. Refer to the section Security and Compatibility below for more details.

   • mod_cache.so
   • mod_cache_disk.so (12.1.5 and later)
   • mod_proxy.so
   • mod_proxy_http.so
   • mod_setenvif.so
4. To make a backup of the original configuration file, navigate to SEPM_Install\apache\conf\, and then copy httpd.conf to httpd-orig.conf.
5. Make the following changes to httpd.conf:
   • Locate the following line, and add the character # to comment it out, as shown:
         #AsyncSendFile anydirectory
   • Locate the following lines and remove the character # to uncomment them, and make the following change, where SEPM_Install is the actual path of your Symantec Endpoint Protection Manager installation (use forward slashes).
         AsyncSendFile givendirectory
    ForceAsyncSendFile "SEPM_Install/Inetpub/content"
   • Optionally, to add cache logging, search for the following line in httpd.conf:
         LogFormat "%h %l %u %t \"%r\" %>s %b" common
     ... and replace it with:
         LogFormat "%h %l %u %t %{cache-status}e \"%r\" %>s %b" common
   • Add the following lines to the end. Replace SEPM_Install in the text below with the actual path of your Symantec Endpoint Protection Manager installation.
     
     For 12.1.5 and later:
     Note: Red text indicates file names that have changed from the version of Apache included with 12.1.4. If you previously implemented this functionality for 12.1.4, you only need to update the changed file names in httpd.conf.

     # SEPM_APACHE_AS_PROXY_START Preserve this line to maintain configuration across SEPM upgrades
     LoadModule proxy_module modules/mod_proxy.so
     LoadModule proxy_http_module modules/mod_proxy_http.so
     LoadModule cache_module modules/mod_cache.so
     LoadModule cache_disk_module modules/mod_cache_disk.so
     LoadModule setenvif_module modules/mod_setenvif.so
          
     <IfModule mod_proxy.c>
       <IfModule mod_cache.c>
         <IfModule mod_cache_disk.c>
           <IfModule mod_setenvif.c>
             SetEnvIf Request_URI "/luproxy/" dolog
             SetEnvIf Request_URI "/luproxy/.*_livetri.zip" no-cache
             CustomLog "|| bin/rotatelogs.exe logs/access-%Z.log 25M" common env=dolog
           </IfModule>
           ProxyPass /luproxy/ http://liveupdate.symantecliveupdate.com/ retry=0 smax=0 ttl=60
           CacheRoot "cache-root"
           # CacheRoot is a path defined relative to [SEPM_Install]/apache/
     
           CacheEnable disk /luproxy/
           CacheDirLevels 1
           CacheDirLength 5
     
           # directives to override any caching prohibitions in LiveUpdate content headers
           # see TECH230862
           CacheStoreNoStore On
           CacheIgnoreCacheControl On
           CacheStoreExpired On
           CacheIgnoreHeaders Cache-Control Pragma
     
           #allow downloads up to 1 GB
           CacheMaxFileSize 1000000000
         </IfModule>
       </IfModule> 
     </IfModule>
     # SEPM_APACHE_AS_PROXY_END Preserve this line to maintain configuration across SEPM upgrades

6. Save and then close the file.
7. Start semwebsrv (Symantec Endpoint Protection Manager Webserver) and semsrv (Symantec Endpoint Protection Manager).

To test that the proxy server is running by downloading an LU file, click Start > Run, and then enter http://localhost:8014/luproxy/masttri.zip. If your Symantec Endpoint Protection Manager Apache web server uses a different port than 8014, replace 8014 with your actual port number in the above URL.

Note: While the massttri.zip file is requested via a local URL address, the request is passed to Symantec's public LiveUpdate server. Make sure that the connection to LiveUpdate web domains can be established from the Symantec Endpoint Protection Manager server according to TECH102059. The reverse proxy also requires a direct connection to Symantec's LiveUpdate servers - it cannot itself go through another proxy.

The reverse proxy will fail to download content from Symantec if the environment requires use of a (forward) proxy for outbound connections. The reverse proxy ignores any proxy settings that are configured in the SEPM server properties or Windows Internet Options. You can use ProxyRemote directive to go to another proxy but will be effective only with forwarding proxies that do not require authentication.- Reverse proxy does not use Endpoint Protection Manager's proxy settings

The LU download requests to the Apache web server are logged in a separate log file, located in SEPM_Install\apache\logs\access-%Z.log.

Update LiveUpdate policy for Mac and Linux clients to point to new LiveUpdate server

Take the following steps to update your LiveUpdate policy for Mac and Linux clients for your desired groups. Once the policy is updated, these clients will point to the newly configured Apache web server for downloading LU content.

1. Within Symantec Endpoint Protection Manager, click Policies > LiveUpdate. On the LiveUpdate Settings tab, double-click the LiveUpdate Settings policy that applies to your desired groups.
2. Click Use a specified internal LiveUpdate Server under Mac Settings > Server Settings (or Linux Settings > Server Settings) and specify the name "SEPM HTTP LU Proxy," with the corresponding URL: "http://ServerIP:8014/luproxy" or "http://ServerName:8014/luproxy"
   Where ServerIP or ServerName represents the IP number or name of the server that hosts Symantec Endpoint Protection Manager. If the Symantec Endpoint Protection Manager Apache web server uses a different port that 8014, replace 8014 with your actual port number in the above URL.
3. Enable download randomization under Mac Settings > Schedule (or Linux Settings > Schedule). If the option is not greyed out, check Randomize the start time. This prevents the Apache web server from getting overloaded at certain times in a day.

Additionally, on SEP 12.1.x clients for Linux, edit the liveupdate.conf file and set serverlogging=false. SEP For Linux 14.0 does not require this setting. See TECH230862.

Managing cache file size

To manage the size of your cache file, take the following steps.

1. Verify if the htcacheclean.exe file is present in the following folder:
   SEPM_Install\apache\bin
2. If the file is not present in the mentioned location, copy htcacheclean.exe from the \Tools\Apache-ReverseProxy folder on your DVD to SEPM_Install\apache\bin
3. Enter the following command while logged in with an account that has full access rights on the cache-root folder:
   htcacheclean -n -t -d1440 -l1024M -p"SEPM_Install/apache/cache-root"

This will run the htcacheclean tool in daemon mode. The cache cleaning will be done on a daily interval. The maximum cache size allowed on disk is 1 GB.

To automatically start the htcacheclean daemon every time Windows starts, take the following steps.

1. Hold down the Windows key on your keyboard and press the letter R to open the Run dialog. Type taskschd.msc, and then click OK.
2. In the Task Scheduler, in the right pane, click Create Basic Task.
3. Name the new task with a description such as Manage Apache Cache Size, and then click Next.
4. To set the task to run every time Windows starts, in the Task Trigger pane, click When the computer starts, and then click Next.
5. In the Action dialog box, click Start a program, and then click Next.
6. Enter the full path to htcacheclean into Program/script:
   SEPM_Install\apache\bin\htcacheclean.exe
7. Enter the following arguments into Add arguments (optional), and then click Next.
   -n -t -d1440 -l1024M -p"SEPM_Install/apache/cache-root"
8. To complete adding the scheduled task, click Finish.
9. In the Windows Task Scheduler library, right-click the task you created, and then click Properties.
10. In the Settings tab, click to deselect Stop the task if it runs longer than, and then click OK.

Since the task does not run until you restart the system, you can run it now. In the Task Scheduler, right-click the task you created, and then click Run.

Note: Ensure that the user account running the task has full control on the folder SEPM_Install\apache\cache-root.

Performance and scale

This configuration is designed for small numbers of Mac and/or Linux clients. You should only use this setup if there are only a few Mac and/or Linux clients and the network connecting clients and Symantec Endpoint Protection Manager has good bandwidth throughput. Assuming that each client downloads roughly 500KB of LU content on daily basis, 2000 Mac or Linux clients will result in a download of approximately 1 GB of LU content daily from the Apache web server. For configurations having large numbers of clients, you should consider an alternative like Symantec LiveUpdate Administrator.

Security and compatibility

Symantec suggests the use of only Symantec-signed binaries for Apache modules that are mentioned in this article. These signed binaries are available on the Symantec Endpoint Protection downloaded installation file. Note that the required binaries also get installed along with Symantec Endpoint Protection Manager for versions 12.1.4 and later.

For Symantec Endpoint Protection 14:

• The downloaded full installation file, \Tools\Apache-ReverseProxy

Because new vulnerabilities may be published after the publication of this article, please check the vulnerabilities published by the Apache project for the appropriate version of Apache web server: http://httpd.apache.org/security/

SEPM Upgrades

Note that upgrading the SEP Manager may reset or overwrite this configuration file. As such, after a SEPM upgrade ensure the changes made to httpd.conf are checked and corrected.