You should assess your security requirements and decide if the default settings provide the balance of performance and security that you require. Some performance enhancements can be made immediately after you install Symantec Endpoint Protection Manager.
Perform the following tasks to install and protect the computers in your network immediately:
Before you install the product, consider the size and geographical distribution of your network to determine the installation architecture.
To ensure good network and database performance, you need to evaluate several factors. These factors include how many computers need protection, whether any of those computers connect over a wide-area network, and how often to schedule content updates.
If your network is small, is located in one geographic location, and has fewer than 500 clients, you need to install only one Symantec Endpoint Protection Manager.
If the network is very large, you can install additional sites with additional databases and configure them to share data with replication. To provide additional redundancy, you can install additional sites for failover or load balancing support. Failover and load balancing can only be used with Microsoft SQL Server databases.
If your network is geographically dispersed, you may need to install additional management servers for load balancing and bandwidth distribution purposes.
To help you plan medium to large-scale installations, see: Symantec Endpoint Protection Sizing and Scalability Best Practices White Paper.
Make sure the computer on which you install the management server meets the minimum system requirements.
To install Symantec Endpoint Protection Manager, you must be logged on with an account that grants local administrator access.
Decide whether to install the embedded database or use a Microsoft SQL Server database.
If you use a Microsoft SQL Server database, the installation requires additional steps. These include, but are not limited to, configuring or creating a database instance that is configured to use mixed mode or Windows authentication mode. You also need to provide database server administration credentials to create the database and the database user. These are specifically for use with the management server.
You install Symantec Endpoint Protection Manager first. After you install, you immediately configure the installation with the Management Server Configuration Wizard.
Decide on the following items when you configure the management server:
A password for your logon to the management console
An email address where you can receive important notifications and reports
An encryption password, which may be needed depending on the options that you select during installation
You use groups to organize the client computers, and apply a different level of security to each group. You can use the default groups, import groups if your network uses Active Directory or an LDAP server, or add new groups.
If you add new groups, you can use the following group structure as a basis:
See Adding a group.
You use locations to apply different policies and settings to computers based on specific criteria. For example, you can apply different security policies to the computers based on whether they are inside or outside the company network. In general, the computers that connect to your network from outside of your firewall need stronger security than those that are inside your firewall.
A location can allow the mobile computers that are not in the office to update their definitions automatically from Symantec's LiveUpdate servers.
Disable inheritance for the groups or locations for which you want to use different policies or settings.
By default, groups inherit their policies and settings from the default parent group, My Company. If you want to assign a different policy to child groups, or want to add a location, you must first disable inheritance. Then you can change the policies for the child groups, or you can add a location.
Symantec Endpoint Protection Manager policy inheritance does not apply to the policies that are received from the cloud. The cloud policies follow the inheritance as defined in the cloud.
For each type of policy, you can accept the default policies, or create and modify new policies to apply to each new group or location. You must add requirements to the default Host Integrity policy for the Host Integrity check to have an effect on the client computer.
You can improve network performance by modifying the following client-server communication settings in each group:
Use pull mode instead of push mode to control when clients use network resources to download policies and content updates.
Increase the heartbeat interval. For fewer than 100 clients per server, increase the heartbeat to 15-30 minutes. For 100 to 1,000 clients, increase the heartbeat to 30-60 minutes. Larger environments might need a longer heartbeat interval. Symantec recommends that you leave Let clients upload critical events immediately checked.
Increase the download randomization to between one and three times the heartbeat interval.
Purchase and activate a license within 60 days of product installation.
Determine which client deployment method would work best to install the client software on your computers in your environment.
For Linux clients, you can use either Save Package or Web Link and Email, but not Remote Push.
For Windows and Mac clients, if you use Remote Push, you may need to do the following tasks:
Make sure that administrator access to remote client computers is available.
Modify any existing firewall settings (including ports and protocols) to allow remote deployment between Symantec Endpoint Protection Manager and the client computers.
You must be logged on with an account that grants local administrator access.
If the client computers are part of an Active Directory domain, you must be logged on to the computer that hosts Symantec Endpoint Protection Manager with an account that grants local administrator access to the client computers. You should have administrator credentials available for each client computer that is not part of an Active Directory domain.
Make sure that the computers on which you install the client software meet the minimum system requirements. You should also install the client on the computer that hosts Symantec Endpoint Protection Manager.
Manually uninstall any third-party security software programs from Windows computers that the Symantec Endpoint Protection client installer cannot uninstall.
For a list of products that this feature removes, see: Third-party security software removal support in Symantec Endpoint Protection.
You must uninstall any existing security software from Linux computers or from Mac computers.
Some programs may have special uninstallation routines, or may need to have a self-protection component disabled. See the documentation for the third-party software.
As of version 14, you can configure the installation package to remove a Windows Symantec Endpoint Protection client that does not uninstall through standard methods. When that process completes, it then installs Symantec Endpoint Protection.
For Windows clients, do the following tasks:
Create a custom client install feature set that determines which components you install on the client computers. You can also use one of the default client install feature sets.
For client installation packages for workstations, check the email scanner protection option that applies to the mail server in your environment. For example, if you use a Microsoft Exchange mail server, check Microsoft Outlook Scanner.
Update custom client install settings to determine installation options on the client computer. These options include the target installation folder, the uninstallation of third-party security software, and the restart behavior after installation completes. You can also use the default client install settings.
With the Client Deployment Wizard, create a client installation package with selections from the available options, and then deploy it to your client computers. You can only deploy to Mac or Windows computers with the Client Deployment Wizard.
Symantec recommends that you do not perform third-party installations at the same time as the installation of Symantec Endpoint Protection. The installation of any third-party programs that make network- or system-level changes may cause undesirable results when you install Symantec Endpoint Protection. If possible, restart the client computers before you install Symantec Endpoint Protection.
Step 9: Check that the computers are listed in the groups that you expected and that the clients communicate with the management server
In the management console, on the Clients > Clients page:
Change the view to Client status to make sure that the client computers in each group communicate with the management server.
Look at the information in the following columns:
The Name column displays a green dot for the clients that are connected to the management server.
The Last Time Status Changed column displays the time that each client last communicated with the management server.
The Restart Required column displays whether or not the client computers need to be restarted to be protected.
The Policy Serial Number column displays the most current policy serial number. The policy might not update for one to two heartbeats. You can manually update the policy on the client if the policy does not update immediately.
Change to the Protection technology view and ensure that the status is set to On in the columns between and including AntiVirus Status and Tamper Protection Status.
On the client, check that the client is connected to a server, and check that the policy serial number is the most current one.
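The Step 9 checks can also be run over a saved copy of the client list. The following is an added example, not Symantec code: the CSV layout, host names, timestamps and serial values are constructed, and treating more than two heartbeats of silence as a finding is an assumption that mirrors the one-to-two-heartbeat policy delay described above.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample standing in for an export of the Client status and
# Protection technology views. The column names come from the console; the
# CSV layout, host names, times and serial values are assumptions.
SAMPLE = """Name,Last Time Status Changed,Restart Required,Policy Serial Number,AntiVirus Status,Tamper Protection Status
WS-001,2024-05-01 11:50,No,SERIAL-0042,On,On
WS-002,2024-05-01 11:45,Yes,SERIAL-0042,On,On
WS-003,2024-05-01 11:40,No,SERIAL-0041,On,Off
WS-004,2024-05-01 08:10,No,SERIAL-0041,On,On
"""

def audit_clients(export_text, expected_serial, policy_changed, heartbeat, now):
    """Return {client name: [findings]} for clients that need attention."""
    grace = 2 * heartbeat  # a policy may take one to two heartbeats to arrive
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        issues = []
        last_seen = datetime.strptime(row["Last Time Status Changed"], "%Y-%m-%d %H:%M")
        if now - last_seen > grace:
            issues.append("no contact for more than two heartbeats")
        # Only call a serial stale once the grace window after the change has passed.
        if row["Policy Serial Number"] != expected_serial and now - policy_changed > grace:
            issues.append("policy serial number is not current")
        if row["Restart Required"].strip().lower() == "yes":
            issues.append("restart required")
        for column, value in row.items():
            if column.endswith(" Status") and value.strip().lower() != "on":
                issues.append(f"{column} is {value.strip() or 'blank'}")
        if issues:
            findings[row["Name"]] = issues
    return findings

if __name__ == "__main__":
    report = audit_clients(
        SAMPLE,
        expected_serial="SERIAL-0042",
        policy_changed=datetime(2024, 5, 1, 10, 0),
        heartbeat=timedelta(minutes=30),
        now=datetime(2024, 5, 1, 12, 0),
    )
    for name, issues in report.items():
        print(f"{name}: {'; '.join(issues)}")
```

Pass the heartbeat interval that is configured for the group being checked, so that a client is not reported as out of date while a new policy is still within its normal delivery window.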