Endpoint Protection

 View Only

SEP 12.1 RU2 And Explicit Group Update Providers 

Nov 22, 2012 08:35 AM

Hi,

With the release of SEP 12.1 RU2 Symantec has introduced new GUP feature 'Explicit Group Update Provider'

It is important to understand that now the clients have ability to roam to a GUP outside of their own subnet, rather than their ability to find a nearest GUP. In previous SEP versions, the clients would only connect to a GUP outside of their own subnet, if such a GUP was configured as "backup" GUP.

Explicit Group Update Provider:

It will allow clients to use specific GUP's outside their subnet.

Only configurable through SEPM

This is not auto discovery feature

Path: SEPM --> Policies --> Liveupdate Policy --> Edit liveupdate setting policy --> Server Settings --> Group Update Provider

It's important to know how a normal client becomes a GUP

1) Client receives a profile with GUP enabled
2) It checks whether its local environment (such as registry, OS type, IP, hostname, etc.) matches policy;
3) If yes, start to listen the GUP port on every local interface

Then it's important to know how clients decides to download contents from GUP or not

1) SEPM will generate the globalIndex.xml and globallist.xml periodically from the information clients posted.
2) Client checks whether GUP is configured by LU policy;
3) Client downloads the globalIndex from SEPM. Based on the checksum of globallist.xml included in it, client determines whether SEPM has updated globallist.xml;
4) If SEPM publishes a new globallist file, client downloads it and reset the active GUP list in local memory.
5) Client filters out the addresses of the different subnet in globallist.xml;
6) Client tries to connect the remained addresses one by one until finds an available GUP, it iterates in the order of the addresses in globallist.
7) If none of the GUPs in globallist can be used, try the pre-defined GUP in LU policy.
8) If pre-defined GUP is unavailable either, to determine whether to bypass to SEPM based on the "bypass" setting
 

If all types of Group Update Providers are configured in the policies on a Symantec Endpoint Protection Manager, then clients try to connect to Group Update Providers in the global list in the following order:

Top down execution of GUP providers.

  • Providers on the Multiple Group Update Providers list, in order

  • Providers on the Explicit Group Update Providers list, in order

  • The Provider that is configured as a Single Group Update Provider

To accomplish above steps GUP sequence order in liveupdate Policy has also changed, check the screenshot for the same.

You can add Group Update Providers to a list that clients use to connect to Group Update Providers that are on subnets other than the client's own subnet. You map the subnet that the clients are located on to the subnets of the Group Update Providers that you want the client to use.

About the effects of configuring more than one type of Group Update Provider in your network

http://www.symantec.com/docs/HOWTO81148

When you configure single or multiple Group Update Providers in policies, then Symantec Endpoint Protection Manager constructs a global list of all the providers that have checked in. By default, on 32-bit operating systems, this file is \Program Files\Symantec\Symantec Endpoint Protection Manager\data\outbox\agent\gup\globallist.xml. Symantec Endpoint Protection Manager provides this global list to any client that asks for it so that the client can determine which Group Update Provider it should use. Because of this process, clients that have policies with only multiple or explicit Group Update Providers configured can also use single Group Update Providers, if the single provider meets the explicit mapping criterion. This phenomenon can occur because single providers are a part of the global list of providers that the clients get from their Symantec Endpoint Protection Manager.

So, all of the Group Update Providers that are configured in any of the policies on a Symantec Endpoint Protection Manager are potentially available for clients' use. If you apply a policy that contains only an explicit Group Update Provider list to the clients in a group, all of the clients in the group attempt to use the Group Update Providers that are in the Symantec Endpoint Protection Manager global Group Update Provider list that meet the explicit mapping criteria.

Note: A Symantec Endpoint Protection client may have multiple IP addresses. Symantec Endpoint Protection considers all IP addresses when it matches to a Group Update Provider. So, the IP address that the policy matches is not always bound to the interface that the client uses to communicate with the Symantec Endpoint Protection Manager and the Group Update Provider


 

Helpful Public KB articles:

About the types of Group Update Providers

http://www.symantec.com/docs/HOWTO80957

What is the processing order of an Explicit GUP list within version 12.1.2 of Symantec Endpoint Protection?

http://www.symantec.com/docs/TECH196741

Understanding "Explicit Group Update Providers (GUPs) for Roaming Clients" in Symantec Endpoint Protection (SEP) 12.1.2

http://www.symantec.com/docs/TECH198640

 

 

 

Statistics
0 Favorited
0 Views
0 Files
0 Shares
0 Downloads

Tags and Keywords

Comments

Sep 19, 2013 04:27 AM

I want to change the config LU policy for my branch site  called B1. B1 has single GUP already configured and working - using Single GUP IP address option and set to "Never bypass". I now want to configure a failover GUP that already provides updates to branch site B2 and B3(these have no GUP's on site) exists on the same subnet called BHQ. What option do I choose on the LU policy - the Explicit GUP for roaming clients to add the BHQ GUP as the failover? Is this correct and do I leave the original GUP IP address option checked. Customer wants updates from local GUP, however if this local GUP goes offline - then the closest GUP must take over to provide updates.

Jun 18, 2013 05:16 AM

Hi Elisha,

Thanks for the update.

@Diego: Explicit Group Update Providers can be static or dynamic, depending on how you configure them. If you use an IP address or a host name to configure an explicit Group Update Provider, then it is a static Group Update Provider. This difference affects how Group Update Providers act in networks that mix legacy version clients and managers with clients and managers from the current release.
 
If you use a subnet to designate a Group Update Provider, it is dynamic, as clients search for a Group Update Provider on that subnet.
 
Reference: About the types of Group Update Providers

 

Jun 17, 2013 04:06 PM

In Explicit GUP, if that client does not have a GUP in its subnet, it searchs for a GUP near its, and download it, right?

Yes.  If the client does not find a GUP in its subnet it then looks at the Explicit GUP subnets to see if there is a GUP in other defined subnets.

Jun 16, 2013 10:54 AM

Very nice!!! In my environment I did it:

I have a group, named Blocked with about 1000 clients in differents subnets, ok.

So, I created a Multiple GUP policy, using 2 clients as GUP from each Subnet, I have a big list of clients. If one GUP goes down, I have another, because of it, 2 per subnet.

I understant that SEP client searchs for GUP in your subnet and use it. In the policy I configured if GUP does not work after 50 minutes, client can use the Manager to download.

So, if the GUP is off, or I dont have a GUP for that subnet, client can goes to Manager. It is working great for me. I have around 99.80% of online clients up to date. But I need to take care with the bandwidth, because all clients from a subnet without GUP can goes to Manager and download big files :)

Please, fix me if Im wrong. In Explicit GUP, if that client does not have a GUP in its subnet, it searchs for a GUP near its, and download it, right?

Thanks,

Diego

Jun 04, 2013 07:25 PM

Mar 22, 2013 06:38 AM

Thumbs up from me also.

Thank a lot for sharing article Chetan.

Mar 21, 2013 12:16 PM

Ajin

Thumbs Up!!!!!

Regards

Ajin

Related Entries and Links

No Related Resource entered.