Choose a distribution method to update content on clients

You may need to change the default update method to the clients, depending on the client platform, network configuration, number of clients, or your company's security policies and access policies.
Content distribution methods and when to use them
When to use it
Symantec Endpoint Protection Manager
to client computers (default)
(Windows, Mac, Linux)
The default management server automatically updates the client computers that it manages.
You do not define the schedule for the updates from the management server to the clients. The clients download content from the management server based on the communication mode and heartbeat frequency. See:
Symantec recommends that you use this method unless network constraints or your company's policies require an alternative.
If you have a large number of clients or bandwidth issues, you might use this method, along with Group Update Providers.
For Mac or Linux computers to receive content updates from the management server, you must configure the Apache web server. See:
Group Update Provider to client computers
(Windows only)
A Group Update Provider is a client computer that receives updates from a management server. The Group Update Provider then forwards the updates to the other client computers in the group. A Group Update Provider can update multiple groups.
Group Update Providers can distribute all types of LiveUpdate content except client software updates. Group Update Providers also cannot be used to update policies.
A Group Update Provider lets you reduce the load on the management server, and is easier to configure than an internal LiveUpdate server.
Use a Group Update Provider for groups at remote locations with minimal bandwidth. See:
Internal LiveUpdate server to client computers
(Windows, Mac, Linux)
Client computers can download updates directly from an internal LiveUpdate server that receives its updates from a Symantec LiveUpdate server.
If necessary, you can set up several internal LiveUpdate servers and distribute the list to client computers.
You can change the download schedule from the LiveUpdate server to the management server. See:
For more information about setting up an internal LiveUpdate server, see the
LiveUpdate Administrator User's Guide
An internal LiveUpdate server lets you reduce the load on the management server in very large networks. In smaller networks, consider whether Group Update Providers would meet your organization's needs.
Consider using an internal LiveUpdate server in the following situations:
  • If you manage a large network (more than 10,000 clients)
  • If you manage Mac or Linux clients that should not connect to an external LiveUpdate server
  • If your organization deploys multiple Symantec products that also use LiveUpdate to distribute content to client computers
You should not install the management server and an internal LiveUpdate server on the same physical hardware or virtual machine. Installation on the same computer can result in significant server performance problems.
For more information see:
External Symantec LiveUpdate server to client computers over the Internet
(Windows, Mac, Linux)
Client computers can receive updates directly from a Symantec LiveUpdate server.
Use an external Symantec LiveUpdate server if you need to schedule when clients update content or if the available bandwidth between the Symantec Endpoint Protection Manager and the clients is limited.
Symantec Endpoint Protection Manager
and scheduled updates are enabled by default. With the default settings, clients always get updates from the management server unless management server is unresponsive for a long period of time.
Do not configure large numbers of managed, networked clients to pull updates from an external Symantec LiveUpdate server. This configuration consumes unnecessary bandwidth.
For more information, see:
Third-party tool distribution
(Windows only)
Third-party tools like Microsoft SMS let you distribute specific update files to clients.
This method lets you test update files before you distribute them. It may also make sense if you have a third-party tool distribution infrastructure in place. See:
Intelligent Updater
(Windows only)
Intelligent Updater files contain the virus and security risk content and intrusion prevention content that you can use to manually update clients.
You can download the Intelligent Updater self-extracting files from the Symantec Web site.
You can use Intelligent Updater files if LiveUpdate is not available. See:
To update other kinds of content, you must set up and configure a management server to download and to stage the update files. See:
The following figure shows an example distribution architecture for smaller networks.
The following figure shows an example distribution architecture for larger networks.
More information