This post demonstrates how the Symantec Endpoint Protection (SEP) agent is deployed to computers within a single domain.
Symantec Endpoint Protection Manager supports intra-domain SEP agent deployment; next time I want to try whether inter-domain SEP agent deployment is possible.
I have downloaded the SEP trialware and tried it on a VM in VMware Workstation. VMware Workstation is a great tool for learning and testing.
Organizational Unit (OU) structure and deployment strategy
The FOR_SEP_DEPLOYMENT OU is created as a convenience to group all newly joined domain computers, because I want to apply a Windows Firewall group policy to them before the agent is pushed.
SEP push deployment requires the NetBIOS and SMB ports (UDP 137, UDP 138, TCP 139 and TCP 445) to be open on the target computers for the initial deployment; these are the ports that File and Printer Sharing uses. Scope the firewall exception to the SEPM's address rather than to any address: the push needs it, nothing else does.
After the SEP agents are deployed, the computers are moved to their intended OUs, so the firewall exception linked to the staging OU no longer applies to them.
Configure Windows firewall with GPO
A Group Policy Object (GPO) contains the policy settings you have configured; the GPO is linked to an OU, and the objects contained in that OU receive the configured settings.
If you cannot find Group Policy Management, either add it as an MMC snap-in or install the Group Policy Management feature with Server Manager.
The legacy Windows Firewall settings are found in the Group Policy Editor under Computer Configuration –> Administrative Templates –> Network –> Network Connections.
There you will see a Windows Firewall sub-folder. This Windows Firewall policy is the legacy one, but you only need to enable the ICMP echo request and File and Printer Sharing exceptions, and those work on Windows 7 32/64-bit.
Select Windows Firewall, then click Domain Profile.
This section briefly introduces how a computer joins a domain.
As a side note, if you want to configure customized rules for the Windows 7 firewall with group policy you cannot use the legacy Windows Firewall policy; use the Windows Firewall with Advanced Security policy (Computer Configuration –> Windows Settings –> Security Settings) instead.
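The OU and GPO steps above can be done from PowerShell instead of the GUI. The following is an added example written for this page, not code from the original post or from Symantec; it creates the staging OU, builds a GPO carrying the two legacy Domain Profile firewall exceptions (the same settings the Administrative Template path above writes, as registry policy values), links the GPO to the staging OU only, and then checks from the SEPM side that TCP 139 and 445 are reachable on every computer in that OU. The domain DN (DC=lab,DC=local), the SEPM address (10.0.0.10) and the GPO name are assumptions; the RSAT ActiveDirectory and GroupPolicy modules must be installed on the machine running it.

```powershell
# Added example, not from the original post. Assumptions (not from the post):
#   domain DN  = DC=lab,DC=local
#   SEPM host  = 10.0.0.10
#   GPO name   = SEP-Deployment-Firewall
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN = "DC=lab,DC=local"          # assumption
$OuName   = "FOR_SEP_DEPLOYMENT"        # staging OU named in the post
$OuDN     = "OU=$OuName,$DomainDN"
$GpoName  = "SEP-Deployment-Firewall"   # assumption
$SepmAddr = "10.0.0.10"                 # assumption: address of the SEPM doing the push

# 1. Staging OU for computers waiting for the SEP push.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDN)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
}

# 2. GPO holding the legacy Windows Firewall (Domain Profile) exceptions.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# Registry policy branch behind Administrative Templates -> Network -> Network Connections
# -> Windows Firewall -> Domain Profile.
$Profile = "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile"

# "Allow inbound file and printer sharing exception" (UDP 137/138, TCP 139/445).
Set-GPRegistryValue -Name $GpoName -Key "$Profile\Services\FileAndPrint" `
    -ValueName Enabled -Type DWord -Value 1
# Scope the exception to the SEPM only; the GUI default "*" would open SMB to every address.
Set-GPRegistryValue -Name $GpoName -Key "$Profile\Services\FileAndPrint" `
    -ValueName RemoteAddresses -Type String -Value $SepmAddr

# "Allow ICMP exceptions" -> inbound echo request, so SEPM discovery can ping the hosts.
Set-GPRegistryValue -Name $GpoName -Key "$Profile\IcmpSettings" `
    -ValueName AllowInboundEchoRequest -Type DWord -Value 1

# 3. Link the GPO to the staging OU only: a computer moved to its final OU loses the exception.
$linked = (Get-GPInheritance -Target $OuDN).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Name $GpoName -Target $OuDN -LinkEnabled Yes }

# 4. Run from the SEPM host after the clients have refreshed policy (gpupdate /force on a client).
#    Only the TCP ports can be probed this way; UDP 137/138 cannot be tested with a TCP connect.
$targets = Get-ADComputer -Filter * -SearchBase $OuDN | Select-Object -ExpandProperty DNSHostName
foreach ($t in $targets) {
    foreach ($port in 139, 445) {
        $ok = (Test-NetConnection -ComputerName $t -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        "{0,-30} TCP/{1}: {2}" -f $t, $port, $(if ($ok) { "open" } else { "BLOCKED" })
    }
}
```

If a target reports BLOCKED after a policy refresh, check that the computer object actually sits in FOR_SEP_DEPLOYMENT and that no other GPO with a higher precedence turns the exception off; the RemoteAddresses value is the one most often wrong, since a typo there silently rejects the SEPM.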
Add an LDAP server on SEPM
You need to add an LDAP server on your Symantec Endpoint Protection Manager (SEPM). SEPM's group structure looks similar to AD users and groups.
Importing an OU from AD also imports the objects that reside in the OU. Since my SEP policy is machine-based, importing the OU suffices.
Before you can import anything from AD you need to add the LDAP server.
Choose the OU that you need to include in SEPM. Whenever you move objects from one OU to another, SEPM can sync with AD and place the object in the correct group on SEPM.
Deploy the SEP agent
The Computer Browser service must be running on the SEPM host so that it can enumerate the computers in the domain or workgroup.
If you want SEPM to search the network automatically, turn on network discovery for the domain on SEPM. This is not necessary, though; you can search manually by giving an IP address range.
Select the group to which you want to add the client and click Add Client.
Click Next, then Send, and continue until Finish.
After you have moved the domain computer to its intended OU, right-click the group on SEPM and click Sync Now.
One thought on “SEPM: Remote SEP deployment within a domain”
Thanks for this article. Can you help on how to deploy SEPM within multiple VLANs or an inter-domain environment?