Endpoint Protection

I've lot of confusion abt GUP's

I've few question below, can some one clarify  ... as per the GUP's guide am confused on multiple GUP's part.

Current  configuration in my organization.only one  SEPM for  global clients.

2. In each and every remote we have multiple subnets(confusion here only). For example  we have a remote site @  Singapore, and subnets are starting with 172.23.X; 172.24.X.X; 172.25.X.X like that upt o 172.30.X.X

Q1.we don't want to enable GUP's for each subnet, and we have 1000 + clients in each remote site.

Q2. In above scenario just we need to enable single GUP or Multiple GUP's ?

 we need to go IP base setting for GUP's instead of registry and OS? please  suggest best possible settings or suggestion for above example.

Let me know impact if enable GUP's , what are the methods we need to follow on daily basis..

Q1.we don't want to enable GUP's for each subnet, and we have 1000 + clients in each remote site.

Q2. In above scenario just we need to enable single GUP or Multiple GUP's ?

to answer above 2 queries, you can configure

1) single GUP --> irrespectie of the subnet the clients will get hte updates from the GUP for those clients

2) Multiple GUP with option of backup GUP ---> if the client cannot find the GUP in its subnet then it will fall back to backup GUP.

Let me know impact if enable GUP's , what are the methods we need to follow on daily basis..

just make sure the GUP can communiate to SEPm and it has enough space and respource to handle the clients request.

Q1.we don't want to enable GUP's for each subnet, and we have 1000 + clients in each remote site.

In your location, add each IP range and assign the policy. When clients check their location, they will see they have an IP in that range and pull updates from the GUP specified in the policy.

Q2. In above scenario just we need to enable single GUP or Multiple GUP's ?

For this, you would just need a single GUP if you don't want a GUP on every subnet. As long as you add each IP range to the location, it should be fine.

Hello,

For better understanding, I would suggest you these Articles below:

Configuring the Group Update Provider (GUP) in Symantec Endpoint Protection 11.0 RU5 and later

http://www.symantec.com/docs/TECH96419

Clients may use different Group Update Provider (GUP) than configured: SEP Single GUP acts as Multiple GUP

http://www.symantec.com/docs/TECH122515

Configuring Multiple GUP (subnet GUP) in SEP 11.0.RU5 and above and 12.1.x

http://www.symantec.com/docs/TECH191394

What is the maximum number of Group Update Providers which can function in a network?

http://www.symantec.com/docs/TECH138695

Hi San1985,

There is a type of contradiction on your request.

You don't want to set a GUP for each subnet and at the same time you would like the best setting.

As Brian mentioned, you could set just one single GUP if you really don't want a GUP on every subnet as long as you add each IP range to the location.

However regarding optimization it will be far away from it.

We basically recommend to set 1 GUP per each 100 clients even if a GUP can "officially" and "basically" support up to 1000 SEP clients (ie: TECH105652 but outdated article).

You might notice an important delay for the updates of all these clients if you have only one GUP set for all of them.

For this reason I would sligthly recommend you the solution 2) that Pete mentioned as a single-GUP will be busy all time for 1000+ clients ;-)

Kind Regards,

A. Wesker

PS: New GUP feature coming soon (NDA) in SEP 12.1 RU2 and might be interresting in your situation ;-)

As per my understanding from the above articles and suggestions, am just mentioning the one example with scenarios. Still am bit of confusion.. For clarification am writing this..

Scenario: 1

 We have only one group for all global desktop groups. Suppose if we enable the multiple GUP’s for this group adding IP’s region wise mostly all subnet IP’s, in this situation local clients get download contents from their local GUP’s. is this right .. Please correct me if am wrong..  (Here big task for us is adding all subnet IP’s) mostly we don’t prefer this

In Multiple GUP’s configuration ox and the bottom we are seeing that one option like “Optional Specify the hostname or IP address of a Group Update Provider on a different Subnet to be used, if Group Update Providers on the subnet are unavailable” what this option for?

Scenario: 2.

We have clients globally like Asia, Europe, US, here we are going to create separate group for each region and assign single GUP policy.   for example : Group 1  for Asia (having 5 remote sites with Class A , Class B , Class C subnets and we are just enabling the Class B  Subnet client as GUP , we are able to ping any IP from any Subnet no restrictions. In this situation Class A and Class C clients will get content updates from Class B GUP’s client?

Scenario: 1

We have only one group for all global desktop groups. Suppose if we enable the multiple GUP’s for this group adding IP’s region wise mostly all subnet IP’s, in this situation local clients get download contents from their local GUP’s. is this right .. Please correct me if am wrong.. (Here big task for us is adding all subnet IP’s) mostly we don’t prefer this

 you can assign a single liveupdate policy to all groups which contains GUP for each subnet.

In that case local clients download definition from their respective GUP.

In Multiple GUP’s configuration ox and the bottom we are seeing that one option like “Optional Specify the hostname or IP address of a Group Update Provider on a different Subnet to be used, if Group Update Providers on the subnet are unavailable” what this option for?

That option is for backup GUP...if any GUP from list is not working then clients will download definition from backup GUP.

Scenario: 2.

We have clients globally like Asia, Europe, US, here we are going to create separate group for each region and assign single GUP policy. for example : Group 1 for Asia (having 5 remote sites with Class A , Class B , Class C subnets and we are just enabling the Class B Subnet client as GUP , we are able to ping any IP from any Subnet no restrictions. In this situation Class A and Class C clients will get content updates from Class B GUP’s client?

Yes your class A and class C client will download definition from class B client provided class A and class B client are able to telnet class B GUP IP on port 2967.

Just to expand a bit on the answer from Riya31.

That option is for backup GUP...if any GUP from list is not working then clients will download definition from backup GUP.

This means you only have ONE backup for the failure of any defined GUP in that LiveUpdate policy. As an example, if GUP1 normally services 100 clients and GUP2 normally services 150 clients and GUP3 is the backup GUP in your policy, should GUP1 & GUP2 fail at the same time, GUP3 will have to update 250 clients (GUP1 clients + GUP2 clients). With definition corruptions and slow WAN links plus more classified as a failure to service a client, I believe this options does not scale very well.

Group 1 for Asia (having 5 remote sites ...

Yes, your class ...

If you only use one LiveUpdate policy for Group 1 and specify a single GUP in the Class B range, then Yes.

Use multiple LU policies because of location awareness or multi GUP lists and the answer is No.

This thread needs to be summarised on a coherent answer (and this isn't it).

You have many options available to you and it basically boils down how many LiveUpdate policies you want to manage.

Having multiple SEP groups as in Scenario 2 is only half the answer. The other half is do you inherit policies (incl. LiveUpdate policy) or use shared policies or create a new LiveUpdate policy per group.

We use one group for all 7000+ desktop machines spread around the world with one LiveUpdate policy with multiple GUPs specified. (I would prefer to use Location awareness using additional LU policies to control which GUP a client would use.)

You really have to consider a lot of variables to find a solution that fits you.

• What speeds are your WAN links?
• How many subnets and clients per each?
• How many break out points on to the Internet?
• Frequency of client churn (this helps determine if you enable workstations as GUPs or only servers)
• Frequency of network changes

You know what, it may actually pay you to get a Symantec consultant in to help you decide and clarify those conflicting requests.

Hi ,

Some what clear but I've One more questionto post here ,

In group we have 5 to 6 remote sites.. with different subnets for this group we are going to enable the mutiple subnet GUP.

for example below are few subnets ..

10.1.1.X

10.11.21.X

172.16.3.X

172.24.4.X

172.27.41.X

192.168.9.X

192.168.132.X

192.168.168.X

 we added only 10.1.1.0.X ;172.24.4.X ;192.168.9.X as GUP's fro multi GUP's option, now my question is , for 10.11.21.X will get conents from 10.1.1.X or from other subnets same thing to other subnets?

How clients will identify  from subnet they need to donload the contents?

Hi,

You have to define GUP for every subnet.

clients from subnet 10.1 1.21.X will not  get conents from 10.1.1.X GUP if you define multiple GUP policy.

Riya31 is correct.

If your LiveUpdate policy has specified multiple GUPs, clients will try to find a GUP only in their local subnet.

Depending on your LiveUpdate policy, those clients with no GUP in the local subnet will (listed in most likely order)

1. get updates from SEPM
2. get updates from a LiveUpdate server
3. never get any updates

The above assumes a SEP group with only one LiveUpdate policy assigned, i.e. no Locations.

In that case if we provide backup GUP in multiple subnet then 10.1 1.21.X will get contents from backup GUP?

with mulitple GUP you will need one GUP for each subnet and in case of Single GUP one gup will update all the subnets.. just keep this in mind and see what suits best for your requirement.

if the client does not reach out to the GUP in its subnet it will attempt to get the content from backup GUP

Yes, you understand correctly.

If your configuration looked like this (ignoring Ruleset 1 & 2):

Workstations in subnets 10.11.21.x, 172.24.4.x, 172.27.41.x. 192.168.132.x and 192.168.168.x would all use 10.2.2.2 as the GUP, because that is what is defined as the backup.