Due to hardware problems I had to perform a full reinstall of SEPM v11.0.5 and LiveUpdate Administrator v2.2 on an in-house 2003 Server. Prior to this incident, SEPM and LUA had been running for the past two years without any problems.
I've recreated the SEPM groups, install packages, feature sets, etc. and added my workstations, notebook PCs, and servers successfully to SEPM. The LiveUpdate Admin receives downloads from symantec.liveupdate.com each night at 2:00 a.m. and distributes the updates to the SEPM server at 4:00 a.m.
The SEP clients are scheduled to receive any updates from the in-house SEPM server each morning at 8:45 a.m. The clients are configured to use ONLY the in-house SEPM server for updates. All clients receive their updates properly; all clients have the green circle displayed with the SEP shield in the system tray. This indicates all clients are being properly managed.
Why is it, then, that the client workstations periodically attempt to connect directly to Symantec's LiveUpdate web site? These attempts can happen any time during the day (not just at 8:45 a.m.), and when a number of the workstations do this simultaneously, it consumes the entire bandwidth of my 1.5 t-lines. This effectively shuts down incoming connections that are in use by the company's web customers.
I've been using a web surfing monitoring application to block requests from the workstations to the IP addresses used by Symantec's LiveUpdate web sites. Symantec periodically changes these addresses so the possibility continues to exist that LiveUpdate will create self-induced denial of service attacks.
The SEP logs and Event logs on the workstations reveal nothing out of the ordinary. Symantec tech support has been unable or unwilling to help me with this issue. Any help you can give me is greatly appreciated.