How to configure Symantec Endpoint Protection (SEP) clients to download version upgrade packages from IIS using the Auto-Upgrade feature.
Last Updated January 09, 2010
You'd like to host SEP client packages within IIS for clients to download from during the auto-upgrade process, rather than from the Symantec Endpoint Protection Manager (SEPM) itself. What do you need to configure?
This process has five parts:
Export the package
Set the package up in the file structure of the IIS server
Configure SEPM policies
Verify settings and test
I. Export the package
From within the SEPM, click Admin.
Click Install Packages.
Right click the install package you wish to set up and choose Export.
Choose the location and name for the package you'd like to export.
Ensure that Create a single .EXE file for this package is checked.
Modify the install settings and install feature sets, if so desired.
Ensure that Export a managed client and Export packages with the policies from the following groups: are both checked.
Check the box for the group who's rules you'd like to push out with this client package.
Ensure that Add clients automatically to the selected group is checked.
Ensure that Preferred Policy Mode is set to Computer mode.
Steps 7 to 10 may be skipped if you wish to simply create a generic client package. Clients upgraded using this package will move to the Default Group, and will need to be moved into the proper group within the SEPM after migration is complete.
This will export the single executable installation package.
Currently within Release Update 5, there is verbiage in the Export Package window that says that the single .EXE file option cannot be used for auto-upgrade. This verbiage is incorrect, and will be addressed with a later build.
II. Set up the package in the file structure
Create a new folder wherever you'd like to store the executable on the machine running IIS. In these steps we will create and use C:\sep_upgrade. If you wish to have this folder in a different location, or using a different folder name, please substitute as appropriate.
Right click on sep_upgrade and choose Sharing and Security.
Click Share this folder.
Ensure that permissions list Everyone with Read permissions.
In the text field, enter Anonymous, then click Check Names. This should automatically change the entry to ANONYMOUS LOGON.
Copy the newly created setup.exe file into c:\sep_upgrade.
III. Configure IIS
Open Internet Information Services Manager.
Click on the plus next to the computer name (if not already expanded).
Right click Web Sites and choose New, then click Web site...
Enter a name for this website. Symantec recommends that you use an easily identifiable name. In this example we will call the site sep_packages_upgrade, but you may name this what you wish. Please substitute as appropriate.
Modify the port number if needed. If any other websites in IIS are using port 80, you'll need to either modify our site to use a non-standard port or modify the other website to use something other than port 80. If you have selected a custom port, please be sure to note this, as we will need it in the next section. In this example, we will use port 8088.
Click Browse, and navigate to C:\.
Click sep_upgrade and click OK.
Ensure that Allow anonymous access to this Web site is selected.
Right click on sep_packages_upgrade and choose Properties.
Click Home Directory.
Verify that Local path is set to C:\sep_upgrade.
IV. Configure SEPM policies
Under View Clients, click the group where the clients you wish to upgrade via IIS reside.
Click Install Packages.
Click Add Client Install Package.
Click the radio button for Download the client package from the following URL (http or https):.
Specify the IP address of the IIS machine, as well as a custom port if used. Using our examples from the above steps, it would look like this:
When the client checks into the SEPM, the SEPM directs the SMC process to connect to the remote host, download the listed file and execute it. To simulate this, merely visit the same URL that you entered in step IV into a web browser from a client machine you wish to upgrade. You should be prompted to save the setup.exe. You should not be prompted for a password.
Save this file to wherever you choose and execute it once the download is complete. If the installation kicks off and upgrades the machine, the settings are correct.
If you get error messages when trying to save the file, enable logging on the new website within IIS and consult the IIS logs for that website. Most times, when there are issues with the auto-upgrade feature, it is due to deny access permissions, either on the file itself or within IIS.
Technical Information Please note that SEP clients earlier than version MR4 MP2 will not be able to successfully update using this "
Download the client package from the following URL (http or https)" method. This is a known issue. SEP 11 MR3 clients (for example) should be upgraded to the latest version via alternate methods.
SEP clients can successfully be upgraded from MR4 MP2 to the latest available version.
Imported Document ID: TECH123091
Subscribing will provide email updates when this Article is updated. Login is required to Subscribe