Get up and running immediately on Symantec Endpoint Protection
Assess your security requirements and decide if the default settings provide the balance of performance and security that you require. Some performance enhancements can be made immediately after you install
Symantec Endpoint Protection Manager.
Perform the following tasks to install and protect the computers in your network immediately:
Step 1: Plan your installation structure
Before you install the product, consider the size and geographical distribution of your network to determine the installation architecture.
To ensure good network and database performance, you need to evaluate several factors. These factors include how many computers need protection, whether any of those computers connect over a wide-area network, or how often to schedule content updates.
- If your network is small, is located in one geographic location, and has fewer than 500 clients, you need to install only oneSymantec Endpoint Protection Manager.
- If the network is very large, you can install additional sites with additional databases and configure them to share data with replication. To provide additional redundancy, you can install additional sites for failover or load balancing support. Failover and load balancing can only be used with Microsoft SQL Server databases.
- If your network is geographically dispersed, you may need to install additional management servers for load balancing and bandwidth distribution purposes.
To help you plan medium to large-scale installations, see: Symantec Endpoint Protection Sizing and Scalability Best Practices White Paper.
Step 2: Prepare for and then install
Symantec Endpoint Protection Manager
- Make sure the computer on which you install the management server meets the minimum system requirements.
- To installSymantec Endpoint Protection Manager, you must be logged on with an account that grants local administrator access.
- Decide on whether to use the default Microsoft SQL Server Express database or a Microsoft SQL Server database.If you use a Microsoft SQL Server database, the installation requires additional steps. These include, but are not limited to, configuring or creating a database instance that is configured to use mixed mode or Windows authentication mode. You also need to provide database server administration credentials to create the database and the database user. These are specifically for use with the management server.
- You installSymantec Endpoint Protection Managerfirst. After you install, you immediately configure the installation with the Management Server Configuration Wizard.Decide on the following items when you configure the management server:
- A password for your logon to the management console
- An email address where you can receive important notifications and reports
- An encryption password, which may be needed depending on the options that you select during installation
Step 3: Add groups, policies, and locations
- You use groups to organize the client computers, and apply a different level of security to each group. You can use the default groups, import groups if your network uses Active Directory or an LDAP server, or add new groups.If you add new groups, you can use the following group structure as a basis:
- You use locations to apply different policies and settings to computers based on specific criteria. For example, you can apply different security policies to the computers based on whether they are inside or outside the company network. In general, the computers that connect to your network from outside of your firewall need stronger security than those that are inside your firewall.A location can allow the mobile computers that are not in the office to update their definitions automatically from Symantec's LiveUpdate servers.
- Disable inheritance for the groups or locations for which you want to use different policies or settings.By default, groups inherit their policies and settings from the default parent group,My Company. If you want to assign a different policy to child groups, or want to add a location, you must first disable inheritance. Then you can change the policies for the child groups, or you can add a location.Symantec Endpoint Protection Managerpolicy inheritance does not apply to the policies that are received from the cloud. The cloud policies follow the inheritance as defined in the cloud.
- For each type of policy, you can accept the default policies, or create and modify new policies to apply to each new group or location. You must add requirements to the default Host Integrity policy for the Host Integrity check to have an effect on the client computer.
Step 4: Change communication settings to increase performance
You can improve network performance by modifying the following client-server communication settings in each group:
- Use pull mode instead of push mode to control when clients use network resources to download policies and content updates.
- Increase the heartbeat interval. For fewer than 100 clients per server, increase the heartbeat to 15-30 minutes. For 100 to 1,000 clients, increase the heartbeat to 30-60 minutes. Larger environments might need a longer heartbeat interval. Symantec recommends that you leaveLet clients upload critical events immediatelychecked.
- Increase the download randomization to between one and three times the heartbeat interval.
Step 5: Activate the product license
Purchase and activate a license within 60 days of product installation.
Step 6: Decide on a client deployment method
Determine which client deployment method would work best to install the client software on your computers in your environment.
- For Linux clients, you can use eitherSave PackageorWeb Link and Email, but notRemote Push.
- For Windows and Mac clients, if you useRemote Push, you may need to do the following tasks:
- Make sure that administrator access to remote client computers is available. Modify any existing firewall settings (including ports and protocols) to allow remote deployment betweenSymantec Endpoint Protection Managerand the client computers.
- You must be logged on with an account that grants local administrator access.If the client computers are part of an Active Directory domain, you must be logged on to the computer that hostsSymantec Endpoint Protection Managerwith an account that grants local administrator access to the client computers. You should have administrator credentials available for each client computer that is not part of an Active Directory domain.
Step 7: Prepare the client for installation
- Make sure that the computers on which you install the client software meet the minimum system requirements. You should also install the client on the computer that hostsSymantec Endpoint Protection Manager.
- Manually uninstall any third-party security software programs from Windows computers that theSymantec Endpoint Protectionclient installer cannot uninstall.For a list of products that this feature removes, see: Third-party security software removal support in Symantec Endpoint ProtectionYou must uninstall any existing security software from Linux computers or from Mac computers.Some programs may have special uninstallation routines, or may need to have a self-protection component disabled. See the documentation for the third-party software.
- As of 14, you can configure the installation package to remove a WindowsSymantec Endpoint Protectionclient that does not uninstall through standard methods. When that process completes, it then installsSymantec Endpoint Protection.
Step 8: Deploy and install the client software
- For Windows clients, do the following tasks:
- Create a custom client install feature set that determines which components you install on the client computers. You can also use one of the default client install feature sets.For client installation packages for workstations, check the email scanner protection option that applies to the mail server in your environment. For example, if you use a Microsoft Exchange mail server, checkMicrosoft Outlook Scanner.
- Update custom client install settings to determine installation options on the client computer. These options include the target installation folder, the uninstallation of third-party security software, and the restart behavior after installation completes. You can also use the default client install settings.
- With the Client Deployment Wizard, create a client installation package with selections from the available options, and then deploy it to your client computers. You can only deploy to Mac or Windows computers with the Client Deployment Wizard.
Symantec recommends that you do not perform third-party installations simultaneous to the installation of
Symantec Endpoint Protection. The installation of any third-party programs that make network- or system-level changes may cause undesirable results when you install
Symantec Endpoint Protection. If possible, restart the client computers before you install
Symantec Endpoint Protection.
Step 9: Check that the computers are listed in the groups that you expected and that the clients communicate with the management server
In the management console, on the
- Change the view toClient statusto make sure that the client computers in each group communicate with the management server.Look at the information in the following columns:
- TheNamecolumn displays a green dot for the clients that are connected to the management server.
- TheLast Time Status Changedcolumn displays the time that each client last communicated with the management server.
- TheRestart Requiredcolumn displays whether or not the client computers need to be restarted to be protected.
- ThePolicy Serial Numbercolumn displays the most current policy serial number. The policy might not update for one to two heartbeats. You can manually update the policy on the client if the policy does not update immediately.
- Change to theProtection technologyview and ensure that the status is set toOnin the columns between and includingAntiVirus StatusandTamper Protection Status.
- On the client, check that the client is connected to a server, and check that the policy serial number is the most current one.