Endpoint Protection


GUP and roaming client

  • 1.  GUP and roaming client

    Posted Jun 24, 2013 09:39 AM

    Hi,

    We have an organization with 2 management servers in different locations that replicate with each other. We also have a large number of sites with few clients. In the sites with more than 20 clients we have 1 file server that is also a GUP server.

    Our goal would be for clients that are on the same network as a GUP server to download the signatures from it; otherwise the clients need to download the signatures from the management server. Especially for the roaming clients.

    To achieve this condition we have tried to make a LiveUpdate Policy with these settings:

    1. Use the default management server checked

    2. Use a LiveUpdate server (Use the default Symantec Liveupdate server)

    3. Use a Group Update Provider

        a. Explicit Group Update providers for roaming clients

        b. For each network that has a GUP we have specified the client subnet network address, the "IP Address" GUP mapping type and the IP address of the GUP as the GUP Mapping Value

    But this policy is incorrect because when the client computers aren't in the subnet of a GUP they don't download the signatures.

    What's wrong? Is there a way to reach our goals? The best for us is to define the GUP servers and the relative network; the client must download the signatures from the GUP server on the same network if it exists, or from the management server in the other cases.

    Thanks in advance for any suggestion  

     



  • 2.  RE: GUP and roaming client

    Posted Jun 24, 2013 09:43 AM

    Did you set up location awareness and apply the policy to that location?



  • 3.  RE: GUP and roaming client

    Posted Jun 24, 2013 09:45 AM

    That should work. Do you have it set to try for xx times if it cannot reach the SEPM?

    Why don't you try a location-specific policy?

    How to configure mobile computers to automatically download virus definitions when disconnected from the Symantec Endpoint Protection Management console



  • 4.  RE: GUP and roaming client

    Posted Jun 24, 2013 10:23 AM

    I'm actually surprised that it is working at all, as defining the Explicit GUP list alone is not enough (and for your purposes, not appropriate).

    I'd recommend setting a LU policy that enables:

    • Update via default management server
    • Update via GUP

    As you want SEP Clients to only use a GUP if it is in the same subnet, then only enable and define GUPs in the Multiple GUP section.  You do not need to touch the Explicit GUPs nor the Single GUP sections.

    Finally, you could (if you wanted to) create a separate LU policy that told clients to use Symantec LiveUpdate only and use Location Awareness to make clients use this if they are outside the corporate network.

    #EDIT#

    Oh yeah, and make sure you conform to the other GUP rules regarding policy assignment:

    • GUP knows it is a GUP
    • SEP Clients know what GUP to use


  • 5.  RE: GUP and roaming client

    Broadcom Employee
    Posted Jun 24, 2013 12:03 PM

    Hi,

    Thank you for posting in Symantec community.

    I would be glad to answer your question.

    To turn clients into GUPs, first configure single or multiple Group Update Providers. A client will become a GUP when the data entered matches its own attributes. The Explicit Group Update Provider list will then be used to map the clients to their respective Explicit GUPs. 

    You should check this article

    SEP 12.1 RU2 And Explicit Group Update Providers

    https://www-secure.symantec.com/connect/articles/sep-121-ru2-and-explicit-group-update-providers

    Helpful Public KB articles:

    About the types of Group Update Providers

    http://www.symantec.com/docs/HOWTO80957

    What is the processing order of an Explicit GUP list within version 12.1.2 of Symantec Endpoint Protection?

    http://www.symantec.com/docs/TECH196741

    Understanding "Explicit Group Update Providers (GUPs) for Roaming Clients" in Symantec Endpoint Protection (SEP) 12.1.2

    http://www.symantec.com/docs/TECH198640



  • 6.  RE: GUP and roaming client

    Posted Jun 24, 2013 12:46 PM

    Thanks for the replies.
    For Brian81 and Rafeeq: we have set up location awareness. Actually we have two locations: Internal and External. The clients are in the Internal location when they are connected to any subnet of our LAN and download the signatures from the management server or from the GUP server.
    The clients point to the correct GUP server because we have created some groups with "Policy Inheritance" OFF. In these groups we have put the GUP servers and we have attached under these groups the Active Directory OUs that contain the clients that are in the same network as the GUPs. It's a bit complex but we started with version 11.5 and this is the only solution that came from our Symantec consultants...
    I have attached one screenshot where you can see this organization....
    When the clients are disconnected from our LANs they are set to the External location and the signatures are downloaded from the LiveUpdate server (in the policy only "Use a Liveupdate server" is checked).

    For SMLatCST: If I understand, our error is that we have to use "Multiple GUP", not "Explicit Group". I thought that "Multiple Group providers" only defines the rule that makes a client a GUP provider... under the checkbox for Multiple GUP there is this explanation:
    "Defines criteria to turn clients into Group Update Providers" and under "Explicit Group" there is: "Defines a list of Group Update Providers that clients can use....". It isn't clear..



  • 7.  RE: GUP and roaming client

    Posted Jun 24, 2013 01:31 PM

    Hi Chetan, thanks for the reply. Your solution is a combination of SMLatCST's suggestion and our attempt.

    Well, to achieve our goal we must:

    • Enable check box on "Use the default management server"
    • Enable check box on "Use a Live update Server" and then "Use the default Symantec Liveupdate server"
    • Enable check box on "Use a Group Update Provider"
    • Enable check box on "Multiple Group Update Provider" and then configure which servers we want to make GUPs (for example by IP address or hostname)
    • Enable check box "Explicit Group Update Providers for roaming clients" and then define for each subnet what is the GUP to use
    • Define the maximum time that clients try to download updates from a GUP.

    Is that correct? If it's correct, one last question. In the http://www.symantec.com/docs/HOWTO81148 article the order in which the client downloads the signatures is:

    Providers on the Multiple Group Update Providers list, in order
    Providers on the Explicit Group Update Providers list, in order
    The Provider that is configured as a Single Group Update Provider

    but if the clients try first the GUPs in the Multiple Group Update Providers list, the subnet bond that we want is not respected.... or not?



  • 8.  RE: GUP and roaming client

    Posted Jun 24, 2013 01:48 PM

    Symantec Endpoint Protection (SEP) Group Update Providers (GUPs) Selection Examples

     

    Understanding "Explicit Group Update Providers (GUPs) for Roaming Clients" in Symantec Endpoint Protection (SEP) 12.1.2

    check this why i check the others :) 


  • 9.  RE: GUP and roaming client

    Trusted Advisor
    Posted Jun 24, 2013 03:29 PM

    Hello,

    Check this Downloadable Utility from Symantec Downloads - 

    Generate LiveUpdate Policies that have many GUP Subnets

    http://www.symantec.com/connect/downloads/generate-liveupdate-policies-have-many-gup-subnets

    Hope that helps!!



  • 10.  RE: GUP and roaming client
    Best Answer

    Posted Jun 25, 2013 03:36 AM

    Yeah, the description can be a little unclear at times, but I can confirm that the LU config I provided will produce the behaviour you're after.  Here's a brief description of the GUP types.

    1. The Multiple GUP option defines/enables GUPs, and tells SEP Clients to use them if they are in the same subnet.
    2. The Explicit GUP option is only required if you have SEP Clients in subnets that don't have a GUP in the local network, and you want them to use an Explicit one on another subnet.  This does not define/enable GUPs, and must always be used in conjunction with Multiple GUPs.
    3. The Single GUP option defines/enables a single GUP that will be used by SEP Clients receiving the policy, regardless of subnet.

    When a LU policy is used, it will go through the various GUPs in the order identified above.  The logic being that a SEP Client will look for a GUP in the local subnet first, if none found then look to see if it is in a subnet assigned with an explicit GUP, if none found then use the single/backup GUP, if none found then use the SEPM.

    Like I say, the config I provided in my earlier post should do the trick for you ;)
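
The fallback order described in the answer above, as a small Python model (an added example, not part of the original post and not Symantec code). The policy dictionary keys, the `online` set and all addresses are assumptions constructed for illustration, and the management server is assumed to be enabled as the last source.

```python
import ipaddress

SEPM = "sepm"  # placeholder name for the management server (assumption)

def select_update_source(client_if, policy, online):
    """Pick an update source using the fallback order described in the answer.

    client_if: client address with prefix, e.g. "10.1.5.23/24"
    policy:    dict with optional keys "multiple", "explicit", "single"
    online:    set of GUP addresses currently reachable (assumed input)
    """
    iface = ipaddress.ip_interface(client_if)
    multiple = policy.get("multiple", [])
    single = policy.get("single")
    # Only the Multiple and Single options turn a client into a GUP.
    enabled = set(multiple) | ({single} if single else set())

    # 1. Multiple GUP list: use a GUP that sits in the client's own subnet.
    for gup in multiple:
        if ipaddress.ip_address(gup) in iface.network and gup in online:
            return ("multiple", gup)

    # 2. Explicit list: subnet -> GUP mapping, which may point to another subnet.
    #    The mapping alone does not enable the GUP, so check that as well.
    for subnet, gup in policy.get("explicit", {}).items():
        in_subnet = iface.ip in ipaddress.ip_network(subnet)
        if in_subnet and gup in enabled and gup in online:
            return ("explicit", gup)

    # 3. Single GUP: used regardless of subnet.
    if single and single in online:
        return ("single", single)

    # 4. Nothing usable: fall back to the management server.
    return ("sepm", SEPM)

# Constructed sample data: addresses and policies are illustrative only.
ONLINE = {"10.1.5.10", "10.2.7.10"}
MULTIPLE_ONLY = {"multiple": ["10.1.5.10", "10.2.7.10"]}
EXPLICIT_ONLY = {"explicit": {"10.1.5.0/24": "10.1.5.10"}}
WITH_EXPLICIT = {"multiple": ["10.1.5.10", "10.2.7.10"],
                 "explicit": {"10.3.0.0/24": "10.1.5.10"}}

if __name__ == "__main__":
    for name, pol in [("multiple only", MULTIPLE_ONLY),
                      ("explicit only", EXPLICIT_ONLY),
                      ("multiple + explicit", WITH_EXPLICIT)]:
        for client in ("10.1.5.23/24", "10.3.0.8/24", "10.9.0.4/24"):
            print(name, client, select_update_source(client, pol, ONLINE))
```

In this model the explicit-only policy sends every client to the management server, because no client has been turned into a GUP.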



  • 11.  RE: GUP and roaming client

    Posted Jun 26, 2013 06:11 AM

    Thank you SMLatCST for your support and explanations. Now I clearly understand the mechanisms of GUPs.

    I tried to make a policy based on your suggestions in my test environment and all seems to work fine.

    Thanks again for your help

    Best regards



  • 12.  RE: GUP and roaming client

    Broadcom Employee
    Posted Jun 26, 2013 07:17 AM

    Hi,

    You have written down the correct sequence.

    Clients won't try first the GUPs in Multiple Group Update Providers because it will defeat the purpose of the Explicit Group Update Provider.

    If the client does not find a GUP in its subnet it then looks at the Explicit GUP subnets to see if there is a GUP in other defined subnets.