Symantec Endpoint Protection ( SEP / SEPM ) traffic volume management
My organization has a large deployment of Symantec Endpoint Protection (SEP) (~20k clients) with a single SEPM instance running in an ESX VM. We do have many remote clients designated as Group Update Providers (GUPs) where possible.
What our sysadmins have reported is that the SEP software does not have any native way to throttle its use of network bandwidth. It needs to send a 'full' definition update to every client, some hundreds of Mbyte in size. We found that the SEPM will practically accept 1000s of client check-in requests, and will send all clients updates at the maximum data rate possible.
We need some way of reducing the amount of bandwidth used by the SEPM to update clients natively, so that there is headroom on its network connection for management traffic (remote in, check the SEP console, etc).
So far, to mitigate flooding the entire network, we have throttled the SEPM traffic externally (at VM and switching level), which works to prevent congestion at the head-end network. However, that won't guarantee any bandwidth for management traffic.
We'd like to implement some change at the OS or application level to throttle the traffic without needing some heavyweight QoS deployment at 100s of offices. Ideally we would like to be able to throttle the amount of traffic used per client for SEP updates.
Please let me know if you have any ideas how to achieve this goal.
I think your best solution is to configure your remote clients to either:
-
only pull updates from the GUPs in each remote site, throttling the bandwidth on the GUP using the LiveUpdate policy settings
or
-
just let your remote clients go directly to Symantec for updates and not to your SEPM server
This article would help you configure it the first way- symantec.com/business/support/…:
- Set "Maximum time that clients try to download updates from a Group Update Provider before trying the default management server" to Never.
- Also you can throttle the bandwidth on the GUPs if they are still demanding too much with the setting "Maximum bandwidth allowed for Group Update Provider downloads from the management server"
If you have so many remote sites that managing the GUPs in each site is a headache, then I'd go for the second option.
Unfortunately, Symantec doesn't appear to have a built-in way to throttle bandwidth on the remote clients directly, only on the GUP clients.
You can throttle the SEP Manager process's bandwidth using policy-based QoS features that are built into Windows Server 2008 and newer.
Log into the server and open
gpedit.msc
.Navigate to
Computer Configuration\Windows Settings\Policy-based QoS
.Right-click on
Policy-based QoS
and clickCreate new policy...
For Policy Name, enter
SEPM Throttling
.Uncheck
Specify DSCP Value
.Check
Specify Outbound Throttle Rate
.Enter the desired maximum rate in megabits per second, and select
Mbps
(instead ofKbps
) from the dropdown list.Click
Next
.Click
Only appliations with this executable name
.Enter the SEPM web server process name (probably
httpd.exe
).Click
Next
twice, then clickFinish
.