What are the best practices for preparing Symantec Endpoint Protection (SEP) clients for deployment in non-persistent Virtual Desktop Infrastructure (VDI) environments?
|State information for the SEP client and other applications is lost on refresh||
VDI environments utilize available resources more efficiently, which leaves less overhead for increased loads
SEP 12.x and 14.x
This document contains best practices specific to Symantec Endpoint Protection (SEP) clients installed in non-persistent VDI environments and the Symantec Endpoint Protection Manager (SEPM) servers that service them. Before following the steps below, see the following documents depending on the build of SEP being used:
- SEP 12.1 RU1 and earlier: Virtualization best practices for Endpoint Protection 12.1.1 (RU1) and earlier
- SEP 12.1 RU2 and later: Virtualization best practices for Endpoint Protection 12.1.2 and later
The following configuration recommendations ensure that SEP clients, in non-persistent VDI environments, generate no network or disk I/O from advanced SEP features that do not benefit non-persistent clients.
- Make these changes to the Communications Settings policy:
- Configure clients to download policies and content in Pull mode
- Disable the option to Learn applications that run on the client computers
- Set the Heartbeat Interval to no less than one hour
- Enable Download Randomization, set the Randomization window for 4 hours
- Make these changes to the Virus and Spyware Protection policy:
- Disable all scheduled scans
- Disable the option to "Allow startup scans to run when users log on" (This is disabled by default)
- Disable the option to "Run an ActiveScan when new definitions Arrive"
- Avoid features like application learning, which send information to the SEPM and rely on client state to optimize traffic flow
Add these steps to the routine maintenance schedule for base images. Symantec recommends that you perform these maintenance tasks at least once a week.
- Update all applicable definitions and security content on the base image with the latest content available
- Confirm the SEP client on the base image is able to communicate with its SEPM server(s)
- Confirm the SEP client is using the correct VDI-specific policies
- Before you redistribute the image:
- Remove any temporary files associated with the SEP client, including
- Remove hardware key information from the base image using How to prepare an Endpoint Protection client for cloning
- Ensure that the following registry value exists, and has a value of 1:
For 32-bit clients: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\Virtualization\IsNPVDIClient
For 64-bit clients: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\SMC\Virtualization\IsNPVDIClient
Follow the general best practices below for periodic image maintenance and testing.
- Manually upgrade the SEP client on the base image rather than using auto-upgrade for the VM client policy groups
- Test performance optimizations. For instance, reduced memory allocated to a VM can cause increased operating system (OS) swapping and defeat hypervisor optimizations like memory page deduplication
- To minimize the size of the base VM image, disable client install cache and set content cache revisions to 1. See http://www.symantec.com/business/support/index?page=content&id=TECH106042
- Configure VM refreshes to occur on logoff. Set the pool of available VM's large enough so that users can easily access a running image which was updated in the background.
Symantec Endpoint Protection Manager settings
- Configure SEPM to keep definitions at least as long as the minimum image refresh frequency. For example, if the maximum image age is 14 days, keep definitions for 30 days.
- SEPM will 'remember' all new images which attach to it, which can build up quickly in a VDI environment. To avoid this, check the Delete non-persistent VDI clients that have not connected for specified time box in the domain properties.
Imported Document Id