WHITE PAPER

Deploying Steelhead Appliances with Symantec Endpoint Protection 11.0

Solutions Guide
Riverbed Technical Marketing

DEPLOYING STEELHEAD APPLIANCES WITH SYMANTEC ENDPOINT PROTECTION 11.0

DEPLOYING RIVERBED STEELHEAD APPLIANCES WITH SYMANTEC ENDPOINT PROTECTION 11.0

Overview
As the internet has evolved, many enterprises face growing challenges in protecting their computers from computer viruses.
Anti-virus software has become just as important as any office productivity software. Without reliable anti-virus software, computers
are vulnerable to any number of attacks resulting in data loss or theft of important information, thus impacting today's business
environment.
Symantec Endpoint Protection 11.0 combines Symantec anti-virus with advanced threat protection to deliver unmatched defense
against malware for laptops, desktops and servers. It seamlessly integrates essential security technologies in a single agent and
management console, increasing protection and helping lower total cost of ownership.
However, one drawback of anti-virus software is its heavy burden on the WAN when deploying client software and new virus
definition files. This paper describes how to deploy the Riverbed Steelhead Appliances to optimize Symantec Endpoint Protection
performance and reduce WAN traffic for the enterprise.
Test results show that Steelhead Appliances provide up to 99% data reduction and 10 times performance improvement when
deploying Symantec Endpoint Protection client software, and up to 95% data reduction when deploying new virus definitions over
the WAN.
More detailed information on Symantec Endpoint Protection and anti-virus protection can be found at
http://www.symantec.com/business/endpoint-protection.
For more information on the complete suite of features and services provided by Steelhead, please go to
http://www.riverbed.com/.

2010 Riverbed Technology. All rights reserved.

LiveUpdate
LiveUpdate is the Symantec technology for automatically updating Symantec virus definitions and products. The LiveUpdate
client is included with the Symantec Endpoint Protection product and is installed automatically. Periodically, the LiveUpdate client
connects to a LiveUpdate server to check for new updates that apply to the Symantec products that are installed on the computer.
If any updates are found, the LiveUpdate client prompts the user to download and install the update.
LiveUpdate offers the option to use either a Symantec LiveUpdate server or, for host computers that are connected to a private
network, an internal Central LiveUpdate server. Each LiveUpdate client can be configured separately to use either server. When
a Symantec server is used, LiveUpdate clients connect using HTTP or FTP to a server that is located at a Symantec LiveUpdate
site. If an internal Central LiveUpdate server is used, clients communicate with it for new updates. Using a Central LiveUpdate
server means that clients do not need to connect to an external network for virus definitions and product updates. This reduces
the LiveUpdate traffic between the local network and Symantec LiveUpdate sites.
Figure 1 shows the various deployment scenarios for the Symantec Endpoint Protection 11.0 and LiveUpdate.

Figure 1 Endpoint Protection and LiveUpdate Deployment Scenarios


For option 1, the default Management Server downloads the updates from the default Symantec LiveUpdate server. Clients
communicate with the Management Server for updates. This option is the simplest, requiring only a connection between the
Management Server and the default Symantec LiveUpdate server over the WAN.
For option 2, clients communicate directly with the default Symantec LiveUpdate server for updates over the WAN.
For option 3, an internal LiveUpdate server is configured and communicates with the default Symantec LiveUpdate server for
updates over the WAN. Clients communicate with the internal LiveUpdate server for updates. This option is similar to option 1
but requires additional hardware for the internal LiveUpdate server. Updates are offloaded from the Management Server to the
internal LiveUpdate server.

Deployment Architecture and Requirements


For our deployment, we elected to use option 1, which is the simplest, requiring only a server configured with the Endpoint
Protection Manager 11.0 in the Datacenter that connects directly to the default Symantec LiveUpdate server to update Symantec
virus definitions and products.

Requirements

One Server in the Datacenter with the following:
   o Microsoft Windows Server 2003 or Windows Server 2008
   o Symantec Endpoint Protection 11.0
One Steelhead Appliance in the Datacenter running RiOS 6.1.0
One Steelhead Appliance in the Branch running RiOS 6.1.0
Two Desktop Clients with the following:
   o Microsoft Windows XP or Windows 7

Figure 2 illustrates the test configuration used for this simple deployment.

Figure 2 Test Configuration (diagram labels: Symantec LiveUpdate; WAN, T1 / 100 ms RTT latency; Datacenter / Symantec Endpoint Protection; Branch Office / Users)


Test Scenario 1: Optimizing Deployment of Client Software over the WAN


Symantec Endpoint Protection was tested in a simulated WAN environment using 100 millisecond latency across a T1 link. In this
test, a client install package was deployed over the WAN.
The package totaled approximately 194 MB and consisted of the following products:
1. Anti-virus and antispyware protection
2. Firewall protection
3. Intrusion Prevention protection
4. Application and Device Control protection
5. LiveUpdate Settings
A Cold Run is defined as a data transfer that has never been seen by the Steelhead appliance before (a completely new file). A
Warm Run is defined as a data transfer in which the Steelhead appliance has seen most or all of the data before.
By default, Symantec uses the WAN-friendly CIFS protocol to deploy the client software (see figure 3).

Figure 3 CIFS Port 445 for Deploying Client Software


Test results show that Riverbed Steelhead appliances dramatically accelerate Symantec Endpoint Protection, and significantly
reduce WAN bandwidth utilization. The deployment of client software resulted in more than a 10 times speed improvement (see
figure 4) and over 99% data reduction in bandwidth utilization (see figure 5). Depending on data types and WAN configuration,
your results may vary.

Figure 4 Deploying Client Software (Time to complete in seconds): bar chart comparing Without Steelhead, Cold Run, and Warm Run


Figure 5 Deploying Client Software (Bandwidth Utilization in KB): bar chart comparing Without Steelhead, Cold Run, and Warm Run

Test Scenario 2: Optimizing Deployment of New Virus Definitions over the WAN
In this test, new virus definitions were deployed from the Symantec Endpoint Protection Manager to the clients over the WAN.
By default, Symantec uses port 8014 for this communication (see figure 6).

Figure 6 Communication Port 8014 for Symantec Endpoint Protection Manager and Clients
Test results show that Riverbed Steelhead appliances dramatically accelerate deployment of new virus definitions and significantly
reduce WAN bandwidth utilization. The deployment of new virus definitions resulted in over 95% data reduction in bandwidth
utilization (see figure 6). Depending on data types and WAN configuration, your results may vary.


Figure 6 Deploying New Virus Definitions (Bandwidth Utilization in Bytes): bar chart comparing Without Steelhead, Cold Run, and Warm Run

Conclusion
The test results presented indicate that Riverbed Steelhead Appliances are essential to the Enterprise when running Symantec
Endpoint Protection. Client software and new virus definitions are quite large and can place a heavy burden on the WAN.
Customers can expect significant data reduction and improved performance when deploying client software, and significant data
reduction when deploying new virus definitions over the WAN. Deploying Steelhead Appliances showed significant data reduction
up to 99% and improved performance up to 10 times faster when deploying client software.

About Riverbed
Riverbed Technology is the IT infrastructure performance company. The Riverbed family of wide area network (WAN) optimization
solutions liberates businesses from common IT constraints by increasing application performance, enabling consolidation, and
providing enterprise-wide network and application visibility all while eliminating the need to increase bandwidth, storage or
servers. Thousands of companies with distributed operations use Riverbed to make their IT infrastructure faster, less expensive
and more responsive. Additional information about Riverbed (NASDAQ: RVBD) is available at www.riverbed.com.

Riverbed Technology, Inc.


199 Fremont Street
San Francisco, CA 94105
Tel: (415) 247-8800
www.riverbed.com

Riverbed Technology Ltd.


Farley Hall, London Road, level 2
Binfield
Bracknell. Berks RG42 4EU
Tel: +44 1344 354910

Riverbed Technology Pte. Ltd.


391A Orchard Road #22-06/10
Ngee Ann City Tower A
Singapore 238873
Tel: +65 6508-7400

Riverbed Technology K.K.


Shiba-Koen Plaza Building 9F
3-6-9, Shiba, Minato-ku
Tokyo, Japan 105-0014
Tel: +81 3 5419 1990
