My organization has many sites located in remote locations around the world often using slow network links. The majority of staff use laptops and do roam between locations and also utilize VPN connections.
I would like to configure some distributed repositories at each location either on an existing server or using super agents with repositories enabled but would like to get some advice on the best way to set this up.
In terms of the agent policy do most people use a separate agent policy for each site or use ping times, subnet distance or a specific order so clients can locate their closest repository? As staff often roam I obviously want to make sure they utilize the closest repository. I also would like VPN staff to use the appropriate repository, VPN connections are assigned a particular IP range but this is not specific to the location. Is using ping times reliable?
I'll let someone else look at the repository issue, we do a dfs link for our repository, so AD tells them where the closest dats are and it works great no matter which office they are in...
For the vpn users, they can get to mcafee for their dats, hopefully helping your wan link out.
More answers from others will be helpful....
That actually sounds like a clever way to do it. I never throught to use a namespace as the repository link, im trying to avoid having individual agent policies. How do you configure your VPN users to automatically use the fallback site?
I'm racking my brain and I can't think of an exact way to have computers on the vpn use Mcafee's site by default (only when on the vpn). They would need a different agent policy. I'm not sure how best to do that when they will go through epo on the internal LAN. I'm guessing the remote offices use the WAN for internet access? If they each had their own internet, then you could have laptops use mcafee for their dat updates always. It sounds like more work than you want. Keep in mind that once a machine is current on dats, it will only need to download the gem update files, which are 200-300 kb. Have fun....
One final rambling... if you do use the namespace idea, then you should be able to do have a dfs link closest to where they come in on the vpn, and they would go there for their dats. It's worked out great for us, just make sure replication is working, spot check it to make sure it's current.
Sorry I was under the impression you already had the VPN web update method in place. Its not worthwhile for us anyway as we only have one Internet gateway so VPN staff will always still need to go through our central office. We also only have one VPN gateway so im not sure if DFS will be able to determine the closest site. It would be great if McAfee could use sites and services directly to find the closest repository.
DFS sounds like a good option as long as replication is healthy but im still keen to find out what other methods have proven sucessfull for people with similar situations.