Question:
Do we have a whitepaper/write-up on how to deploy a successful patch deployment solution in a low bandwidth environment?
No, but it sounds like a good idea for one.
In the interim, though:
There are a lot of variables that could come into play that would make a recommendation valid/invalid in separate environments.
There are, however, a set of key functions that when used correctly and in conjunction with each other can overcome nearly all issues.
Cloud Enabled Management (CEM)
One of the traditional low-bandwidth scenarios encountered is remote machines connected via VPN.
With the release of 7.5, Symantec now provides the CEM capability where Gateway software is installed to the DMZ. For CEM-enabled devices, the dependence upon a VPN connection for management is no longer present.
Provided the CEM-Enabled resources are connected to the Internet, are able to connect to the CEM Gateway, and have the correct certificates – the machine can be patched without introducing load to VPN infrastructure.
Site Servers – Package Service
Correct implementation of Site Servers running the Package Service overcomes many low-bandwidth issues. By locating a Site Server at remote locations, managed resources at that location do not need to draw patch packages over the WAN or Internet links – they are provided from the Site Server at a LAN level.
In a correctly designed infrastructure, a package should only cross a WAN link once.
Targeted Agent Settings – Bandwidth Throttling
At the SMP level – Bandwidth Throttling settings and Blockout periods can be applied to groups of machines at a broad or granular level.
This allows for separate identification and control of computers on low-bandwidth connections without placing those same limitations upon managed resources with more optimal connections.
Multicasting
Multicasting can be used in conjunction with Site Servers to provide a short-term extension of the Package Service. Multicasting allows clients within a larger rollout to re-broadcast packets to other computers at the LAN level as they download it from the Site Server. Multicasting can also have its own Bandwidth Throttling settings.
Again this removes the reliance upon WAN/Internet links that may suffer from low-bandwidth concerns.
Maintenance Windows
As with Targeted Agent Settings, Maintenance Windows can be applied to groups of machines at a broad or granular level.
This allows for control of when activities are being conducted so as to focus management activities into time periods where low-bandwidth connections are at minimal expected usage levels.
When using these core components of the SMP, customers can adapt the infrastructure to their specific needs, on the affected resources – without needing to sacrifice performance on resources that are not similarly restricted.
Symantec provides a robust and integrated set of functions to allow the customer to match their needs rather than having management/infrastructure dictated to them.