Deploy Endpoint Protection clients in non-persistent VDI environments

Article ID: 155835

Products

Endpoint Protection

Issue/Introduction

These best practices are specific to Symantec Endpoint Protection (SEP) clients installed in non-persistent VDI (NPVDI) environments, and the Symantec Endpoint Protection Manager (SEPM) servers that service them. Before following the steps, see Virtualization best practices for Endpoint Protection.

Common challenges of non-persistent VDI environments include:

  Challenges
State information for the SEP client and environment characteristics is refreshed
  • Optimizations dependent on client state to minimize management traffic are defeated
  • Base images become increasingly out of date as time passes
  • Update overhead increases with time

VDI environments use available resources more efficiently, which leaves less overhead for increased loads

  • Configurations must be optimized to generate minimal input-output (I/O) and network load
  • Disk I/O becomes much more scarce compared to network I/O

 

Environment

SEP 14.x

Resolution

Client Recommendations

The following configuration recommendations ensure that SEP clients in non-persistent VDI environments generate no network or disk I/O from advanced SEP features that do not benefit non-persistent clients.

  1. Make these changes to the Communications Settings policy:
    • Configure clients to download policies and content in Pull mode
    • Disable the option to Learn applications that run on the client computers
    • Set the Heartbeat Interval to no less than one hour
    • Enable Download Randomization and set the Randomization window to 4 hours
  2. Make these changes to the Virus and Spyware Protection policy:
    • Disable all scheduled scans
    • Disable the option to "Allow startup scans to run when users log on" (This is disabled by default)
    • Disable the option to "Run an Active Scan when new definitions Arrive"
  3. Avoid features like application learning, which send information to the SEPM and rely on client state to optimize traffic flow

 

Image Maintenance

Add these steps to the routine maintenance schedule for base images. Symantec recommends that you perform these maintenance tasks at least once a week.

  1. Update all applicable definitions and security content on the base image with the latest content available
  2. Confirm the SEP client on the base image is able to communicate with its SEPM server(s)
  3. Confirm the SEP client is using the correct VDI-specific policies
  4. Before you redistribute the image:
    • Remove any temporary files associated with the SEP client, including 
    • Remove hardware key information from the base image. See Prepare Endpoint Protection clients for cloning.
    • Navigate to one of the following registry keys:
      • On 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\
      • On 64-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\SMC\ (14.3 RU4 and earlier)
      • On 64-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\ (14.3 RU5 and later)
    • Create a new subkey named Virtualization
    • In the Virtualization subkey, create a value of type DWORD named IsNPVDIClient and assign it a value of 1.

NOTE: In SEP version 14.3 RU5, the path used for SMC changed to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\, so you must also add the same subkey and value under the new path for the setting to be honored.
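The registry steps above written as PowerShell, as an added example rather than a Broadcom-supplied script; the function name Set-NpvdiClientFlag and its -AuditOnly switch are assumptions made for illustration. It writes IsNPVDIClient under each of the article's SMC paths that already exists on the image and reads the value back so the result can be checked before the image is redistributed.

```powershell
# Added example, not Broadcom's script. Run elevated on the base image.
# The SMC paths are the ones listed in the article; only paths that already exist are touched.
$SmcPaths = @(
    'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC',             # 32-bit, and 64-bit 14.3 RU5 and later
    'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\SMC'  # 64-bit 14.3 RU4 and earlier
)

function Set-NpvdiClientFlag {    # hypothetical helper name
    param(
        [string[]]$Path = $SmcPaths,
        [switch]$AuditOnly        # report the current state without writing
    )
    foreach ($smc in $Path) {
        $result = [ordered]@{ SmcPath = $smc; IsNPVDIClient = $null; Kind = $null; Status = '' }
        if (-not (Test-Path -LiteralPath $smc)) {
            $result.Status = 'SMC key absent; skipped'
            [pscustomobject]$result
            continue
        }
        $virt = Join-Path -Path $smc -ChildPath 'Virtualization'
        try {
            if (-not $AuditOnly) {
                if (-not (Test-Path -LiteralPath $virt)) {
                    New-Item -Path $virt -ErrorAction Stop | Out-Null
                }
                New-ItemProperty -LiteralPath $virt -Name 'IsNPVDIClient' `
                    -PropertyType DWord -Value 1 -Force -ErrorAction Stop | Out-Null
            }
            # Read back so the report reflects what is actually stored.
            # In audit mode a missing Virtualization subkey surfaces here as a failure.
            $key = Get-Item -LiteralPath $virt -ErrorAction Stop
            $result.IsNPVDIClient = $key.GetValue('IsNPVDIClient')
            if ($null -ne $result.IsNPVDIClient) { $result.Kind = $key.GetValueKind('IsNPVDIClient') }
            $ok = ($result.IsNPVDIClient -eq 1 -and $result.Kind -eq 'DWord')
            $result.Status = if ($ok) { 'OK' } else { 'Missing or wrong type/value' }
        }
        catch {
            $result.Status = "Failed: $($_.Exception.Message)"
        }
        [pscustomobject]$result
    }
}

Set-NpvdiClientFlag -AuditOnly    # check first; rerun without -AuditOnly to write
```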

Follow the general best practices below for periodic image maintenance and testing.

  1. Manually upgrade the SEP client on the base image rather than using AutoUpgrade for the VM client policy groups
  2. Test performance optimizations. For instance, reduced memory allocated to a VM can cause increased operating system (OS) swapping and defeat hypervisor optimizations like memory page deduplication
  3. To minimize the size of the base VM image, disable the client install cache and set content cache revisions to 1. See About Content Cache Control.
  4. Configure VM refreshes to occur on logoff. Set the pool of available VMs large enough so that users can easily access a running image that was updated in the background.

 

Symantec Endpoint Protection Manager settings

  1. Configure SEPM to keep definitions at least as long as the minimum image refresh frequency. For example, if the maximum image age is 14 days, keep definitions for 30 days.
  2. SEPM will 'remember' all new images that attach to it, which can build up quickly in a VDI environment. To avoid this, check the Delete non-persistent VDI clients that have not connected for a specified time box in the domain properties.

Additional Information

Link to tech docs best practices:

https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/using-in-virtual-infrastructures-v57269588-d81e6/using-in-non-persistent-virtual-desktop-infrastruc-v75342792-d81e1119.html