Endpoint Protection

 View Only

Configuring Group Update Providers in Symantec Endpoint Protection 11.0 RU5 

Sep 22, 2009 12:04 PM

Configuring Multiple GUPs in SEP 11.0 RU5 release, has added a certain dynamics's to the way virus definitions are provided to the clients.

The figure below is a representation of various possibilities of configuring a Group Update Provider:

gup5.jpg
As shown above, you can either configure a Single GUP or Multiple GUPs in SEPM.

When to use multiple GUPs:

  • You run the latest client software on the computers in your network Multiple Group Update Providers are supported on the computers that run the latest client software. Multiple Group Update Providers are not supported by legacy clients. Legacy clients cannot get content from multiple Group Update Providers. Legacy clients cannot be designated as a Group Update Provider even if they meet the criteria for multiple Group Update Providers. You can create a separate LiveUpdate Settings Policy and configure a single, static Group Update Provider for a group of legacy clients
  • You have multiple groups and want to use different Group Update Providers for each group You can use one policy that specifies rules for the election of multiple Group Update Providers. If clients change locations, you do not have to update the LiveUpdate Settings Policy. The Symantec Endpoint Protection Manager combines multiple Group Update Providers across sites and domains. It makes the list available to all clients in all groups in your network.
  • Multiple Group Update Providers can function as a failover mechanism. Multiple Group Update Providers ensure a higher probability that at least one Group Update Provider is available in each subnet.

Following screenshots will give you a glimpse of how to configure GUPs in RU5:

Here is the screen you see when you go to SEPM Console->Policies->Liveupdate Policy-> Liveupdate Settings Policy-> Server Settings-> Group Update Provider:

screenshot1.JPG





  • As we have chose multiple GUPs, we have to provide a GUP List:
gup list 1.JPG





  • When you click on Add, you have to specify Rule Criteria:

rule criteria.JPG



  • The first option you get is If you want to specify a Computer name or IP Address:

add computer by ip or hostname.JPG





  • The second option is to specify the registry Keys that will define a GUP:

registrey key as parent.JPG





  • Once you choose the main type as the Registry key, you can further specify 3 attribuites :


1. Registry Key : 


       registry key.JPG





2. Registry Value:


registry value.JPG





3. Registry key Name:


  registry key name.JPG












The Third option we have is to choose from the Supported Operating Systems for installing SEP 11 RU5.


supported os.JPG






  • All these rules can be in 1 Rule Set. You can have multiple Rule Sets in your GUP configuration.

multiple rule set.JPG



Here are some tips to know about the Rule Sets:

Rules are matched based on the logical OR and AND operators as follows:

* Multiple rule sets are OR'ed. A client must match one rule set. This can be useful while roaming across multiple locations. Your client will pass 1 rule set in a location and 2'nd Rule set in a different one, so the IP addresses of GUP will change automatically.

* Multiple rules are AND'ed. A client must match all the rules that are specified in a rule set.

* Multiple values for a rule condition are OR'ed. A client must match one value. For example, you might create RuleSet 1 that includes an IP address rule with several IP addresses. You then create RuleSet2 that includes a host name rule and an operating system rule each with multiple values.A client computer must match either RuleSet1 or RuleSet2.

Statistics
0 Favorited
2 Views
0 Files
0 Shares
0 Downloads

Tags and Keywords

Comments

Jun 05, 2013 01:23 AM

Hi Rob,

If you want create single GUP, then all machines should be in single group and same nework (i think). otherwise you have to create mutliple group provider list for all sites

--

madhu

Mar 24, 2013 11:11 PM

Hi,

I'm new to GUP's and am having a little trouble understanding if i should put the multiple IP addresses into one rule or creating a rule for each IP address for machines that i want to be the GUP's.

I have nine machines i want to be GUP's and they are in 9 different geographic locations but all connected to the SEPM 12.1.2 via the WAN.

Can someone let me know if I just create one rule with all of the IP addresses or multiple rules with single IP addresses.

Many thanks in advance!

Rob

 

Oct 03, 2012 09:10 AM

Moved Post to Forums

Nov 11, 2011 06:30 AM

Its the latter - if a client fulfils those conditions it will advertise to SEPM that it can be used as a GUP - when other clients call updates the update file will download to this machine in a directory called central updates (or something simialr), client on same subnet will then update from this GUP.

 

If all your computers are eligiable to become GUP I believe they will download updates from SEPM being applying to themselves.

Oct 28, 2011 09:42 AM

Do we usually have a roaming GUP

* Multiple rule sets are OR'ed. A client must match one rule set. This can be useful while roaming across multiple locations. Your client will pass 1 rule set in a location and 2'nd Rule set in a different one, so the IP addresses of GUP will change automatically.

* Multiple rules are AND'ed. A client must match all the rules that are specified in a rule set.

* Multiple values for a rule condition are OR'ed. A client must match one value. For example, you might create RuleSet 1 that includes an IP address rule with several IP addresses. You then create RuleSet2 that includes a host name rule and an operating system rule each with multiple values.A client computer must match either RuleSet1 or RuleSet2."

I hope the Whole rule set is to identify a machine as GUP and not for a client to contact a particular GUP

Will wait for a response :)

Thanks

Aug 28, 2011 06:13 AM

SEP GUP Policy - Best practices

Apr 26, 2011 01:18 AM

It's working Now...

but i wan't to know GUP working only Same network or another Network.

Apr 21, 2011 08:03 AM

Hi Ashish,

 

This is an article, I would suggest you to open a new Forum Thread and post the iformation there, so we can discuss this on the forums.

Also, let me know the result of 

netstat -ano | findstr "2639"  on the GUP machine.

Regards,

Aniket Amdekar

Apr 21, 2011 03:33 AM

Thaks For your Reply !

When i am Telnet port no 2967 local host not sucess ang gup machine sharefolder not available.I have attach Syslog file

Apr 20, 2011 07:44 AM

Hi Ashish,

Please confirm a few things:

1. Policy defines that client as a GUP

2. The client has received the latest policy.

3. Check the presense of the folder sharedupdates inside the SEP folder.

4. On the GUP machine, run the following command:

netstat -ano | findstr "2639"

5. Check the PID. Then in task manager, enable the column for PID and confim that SEP GUP machine is Listening on that port.

6. If not, check sylinkmonitor logs.

 

Regards,

Aniket Amdekar

Apr 20, 2011 02:11 AM

Kindly Share Which Type we will telnet 2967 port

Apr 20, 2011 02:09 AM

i am not able to telnet 2967 port

Apr 20, 2011 01:36 AM

We have Complete All of setting but i have not able to Telnet port 2967.without telnet my Gup not working.

 

Apr 19, 2011 08:37 AM

The site where I have SEPM installed also contains clients.

I know I need to install GUP on all other sites where SEPM is not installed.

So I asume the clients on the site where SEPM is installed will just use SEPM to receive updates because none the the GUPs are local for the clients or is it recommended to also install GUPs in the same site as SEPM

 

Jason

Mar 25, 2011 08:58 AM

Hello,

YOU ARE A GUP MASTER... FROM VIDEO's TO ARTICLES ON GUP...

"CATCH THAT... YOU ARE TO THE POINT..."

Apr 08, 2010 09:17 AM

Is there a way of knowing a client is using a gup for updates via the SEP client or SEPM?

Nov 12, 2009 02:46 PM

good this tips

Nov 03, 2009 04:08 PM

Nice article..

Oct 19, 2009 03:57 PM

Is there anyway to prove that the update is being pushed via the GUP?  What do I look for?  I have GUPs configured they are on the correct subnet and I did a client search and can see my GUPs.  I know that they are there and working but I need a way to show upper management that they are being utilized.


Thanks!

Oct 13, 2009 04:05 AM

Bishop,

I also want to find if you can stroe the GUP defs in D: rather than CL, but so far cannot find an answer.

Corporate build has a smallish C: drive and an empty D: drive.

Oct 13, 2009 12:45 AM

Hi,

The main intention of having a GUP is that GUP will be local to the subnet. So its important that you have 1 GUP per location.

The inheritence I am talking about is for the Group Hierarchy. If you have 1 Site. That site has a Group called Laptops. Laptops has 2 subgroups Staff & Students.

In this case you need 1 GUP defined for Laptops group. You can have "Policy Inheritence UN-Checked" for laptops.

You can have "Policy Inheritence Checked" for staff and students groups. The inheritence I was mentioning in my earlier post was referring to the fact that the GUP can update the subgroups as well.

Aniket

Oct 12, 2009 05:53 PM

So what your saying is if I uncheck "inherit policies and settings from parent group" then each group will need its own GUP?  I have Servers that I have set in different groups being that I have different scan times and a very different set of centralized exceptions for each group.  90% of these servers are all in the same colo but you are saying that I would have to have 1 GUP for each Group?  This does not make sense.

I thought that the Client goes out and finds the GUP on their list that is closest to them i.e. their subnet and uses that GUP...if said GUP goes down they default to next nearest GUP or they go to SEP Management Console.  This is what I hope.

I plan on using a registry key as the way that GUPS get created please tell me I am not going to need a GUP per group can multiple groups use the same GUP?

Another question I have is what is the name of the folder that the SEP creates on the GUP to push data down to the clients and is this folder and its contents deleted after it finishes?  How much space does this need as we configure servers to have more data on D drive rather than C.

 

Oct 12, 2009 03:44 PM

HI,

GUP Supports inheritence. So, if a machine that is acting as a GUP for thrgroup Laptops, can also provide updates to the subgroups. However, if the subgroups represent different sites, its always recommended to have a GUP at each site.

So, if you have 3 different sites in your network, make sure that you have at least 1 GUP per site.

Also, please make sure that you have configured Bandwidth Throtteling for GUP.

Best,
Aniket

Oct 12, 2009 02:54 PM

 was told today by a support rep that any GUP that I assign has to be with that group of clients????

So I have to configure like 100 GUP policies now???  That doesn't sound right.

For instance...

SITEA
---COMPUTERS
   ----DESKTOPS
          -----LABA
          -----LABB
    ----LAPTOPS
           ----STAFF
           -----STUDENTS

According to his advice I would have to go to each of those groups and setup a GUP????  I am running RU5 and supposley can handle one policy with many GUPS???????

Also, I only have 1 server at most of my remote sites. This is the only box with a static IP and it is also a Domain Controller so this machine for one is on a different VLAN and another it is in a differetn folder all together then SITEA, etc......

Is there any way around this?  I really really really really need to get the GUP's working.  Symantec is killing our bandwidth at about 3 sites.

Any ideas????????

Oct 10, 2009 12:48 AM

In client go to View logs-->Client management-->System Log You will find logs related to GUP...
It will be like this...

10/10/2009 9:48:47 AM          Information       Start using Group Update Provider (proxy server) @ 172.X.X.X:2967.           

Oct 09, 2009 01:04 PM

Ahh that makes since.  Is there a way to tell from the client if they are utilizing the GUP and exactly which GUP they are using?  If not is there a way to know from the server?

Oct 08, 2009 10:38 PM

Hi Bishop,

The reason for that sentense is to provide a priority for the definitions source. First choice will always be SEPM, or GUP if its defined for that group. If the defined GUP is not accessible, or if no GUP is defined and SEPM is not accessible, only then clients will go to internet to take definitions.

Best,
Aniket

Oct 08, 2009 05:49 PM

Under LiveUpdate Server Settings in order to use the GUP I have to have the default management server selected but also if I do not select use a LiveUpdate Server I will not be able to allow my users to manually run Live Update. 

The problem here is that it says the client comptuer will retrieve updates from both servers I do not want to DOUBLE my push to clients am I not understanding the syntax: "If both the default management server and a LiveUpdate server are selected, the client comptuer will retrieve updates from both servers."

Thanks in advance.

Oct 08, 2009 09:52 AM

Here are a few points that will help you understand GUP:
1. Every machine that satisfies all the conditions in a rule set will become a GUP.
2. GUP will download definitions from SEPM.
4. The point behind defining multiple GUPs is the load balancing. If you define that every GUP will only accept 50 concurrent connections, when 51'st machine will contact GUP, GUP will not accept the connection. So the client moves on to the next GUP in
2. Clients will receive a list of GUPs from the SEPM. They will apply a subnet filter to the list. After applying the filter, clients will have a list of GUPs on the local subnet. Clients will save this local guop list locally. When they are looking for definitions, they will contact the first GUP in the list. If that GUP is unavailable/refuses connection, then they move on to the next GUP in the list.

Clients will keep checking for an updated list of GUPs at SEPM\data\outbox\agent\GUP folder.

Best,
ANiket

Oct 08, 2009 08:55 AM

Am no expert, but this is what I have learned:

1. You either specify one by an ip address or one can get ELECTED based on rules you define.  When a clients requests an update it contact SEPM which then tells the client which GUP to use.
2. No, thats the beauty of it, the client always connect to SEPM first > look at it like a broker
3. Exactly the same as any other SEP client i.e no special software/config.  When a client is a GUP it just have a different reg key in place - this enables SEPM to have it on its GUP list and thus knows client x is the GUP for site.


Hope it helps.

Oct 07, 2009 05:17 PM

This is awesome and very detailed thank you.  I have a question though how does the client know which GUP to connect too or to connect period?  Does the SEPMC tell the client what GUP to use and if so what does it use to do this?  If the client left one site and went to a new one how do they know to switch to the new GUP?

My thought was if there was a way to use a C-Name for the DFS and then the clients would be able to point directly to the right DFS no matter what location they went to as theC-Name would be constant across the network and automatically connect them.

So to clear this up:

1. How does the client know to connect to a GUP and not SEPMC?
2. When moving locations does the client first try and connect to its GUP or how does it know which GUP to connect too?
3. How is this client configured when a GUP is used?




Oct 07, 2009 02:26 AM

Thanks Aniket... Article is good...

Oct 06, 2009 10:24 PM

Hi,

GUP  functionality is provided in every SEP client. It is not dependent on any comonent activation. When SEPM provides a policy that says "hay..you are a GUP", the client activates that functionality.

Best,
Aniket

Oct 06, 2009 03:45 PM

Hello -

I have a package that was exported with only the Antivirus and Antispyware feature set. This has installed correctly on all machines, except on one I activated as a GUP. On this machine, the Network Threat Protection module was activated. Is this the correct behavior? Is NTP required when a client is a GUP?

Sep 29, 2009 07:17 AM

@Aniket Amdekar Thank you for the infomation. 

Sep 27, 2009 05:20 AM

Hi,

It is not possible to use wildcards for IP Addresses. However you can use WildCards for Computer names. E.g.symantec* will show you computers that have symantec in their name.

Best,
Aniket


Sep 25, 2009 03:51 AM

 

Is it possible to use wild characters in rule set? For example can I set the rule as ip address of gup should be 10.3.*.12


Sep 24, 2009 07:06 AM

Nice article..one image is enough to say thousand words..

Related Entries and Links

No Related Resource entered.