Endpoint Protection

  • 1.  Single GUP’s vs. Group Update Provider List

    Posted Aug 17, 2012 11:15 AM

    In our environment we have several sites with groups defined for each (actually an Active Directory sync).  Within each group a local GUP server is defined to update clients on the local LAN.  What I’m wondering about is what happens if a user whose machine is in a group that has the GUP defined for their local LAN travels to another site.  If a definition update is available, does it go over the WAN to the GUP defined for their group even though there may be a GUP at the location they are at?  I’m guessing yes.

    If I create a group update provider list, will this resolve the problem?  I’m thinking that the way this works is that the client sees that there’s an update available and then checks the local subnet for a GUP and pulls the update from it?

    If the site would not have a GUP set up and nothing is configured in the group update provider list that falls within the subnet that the client is located in, would the client then go to the SEPM server to get its update?



  • 2.  RE: Single GUP’s vs. Group Update Provider List

    Posted Aug 17, 2012 11:30 AM

    Hi,

    Read this article...

    Understanding and Identifying the different Group Update Provider (GUP) Options in SEP 11.0.5 RU5 and Later

    http://www.symantec.com/business/support/index?page=content&id=TECH139867

     

    What's new in Group Update Providers in RU5 release of Symantec Endpoint Protection 11.0

    https://www-secure.symantec.com/connect/articles/whats-new-group-update-providers-ru5-release-symantec-endpoint-protection-110



  • 3.  RE: Single GUP’s vs. Group Update Provider List

    Broadcom Employee
    Posted Aug 17, 2012 01:12 PM

    Hi,

    If a definition update is available does it go over the WAN to the GUP defined for their group even though there may be a GUP at the location they are at?  I’m guessing yes.

    --> Your guess is correct.

    Single Group Update Provider:

    A single Group Update Provider is a dedicated client computer that provides content for one or more groups of clients. A single Group Update Provider can be a client computer in any group. To configure a single Group Update Provider, you specify the IP address or host name of the client computer that you want to designate as the Group Update Provider.

    Multiple Group Update Provider

    Multiple Group Update Providers use a set of rules, or criteria, to elect themselves to serve groups of clients across subnets. To configure multiple Group Update Providers, you specify the criteria that client computers must meet to qualify as a Group Update Provider.

    If a client computer meets the criteria, the Symantec Endpoint Protection Manager adds the client to its list of Group Update Providers. Symantec Endpoint Protection Manager then makes the list available to all the clients in your network. Clients check the list and choose the Group Update Provider that is located in their subnet.

    You can also configure a single, dedicated Group Update Provider to distribute content to clients when the local Group Update Provider is not available.

    Check this article for more details:

    https://www-secure.symantec.com/connect/articles/whats-new-group-update-providers-ru5-release-symantec-endpoint-protection-110



  • 4.  RE: Single GUP’s vs. Group Update Provider List

    Posted Aug 17, 2012 04:14 PM

    Some of the details in these articles are over my head, I’m sorry to say, but here’s my take on this.

    We’re doing an active directory sync pulling in our OU structure.

    Top level OU’s are Asia, Europe, and North America

    So as an example for North America we have an OU for all domain controllers located right under North America. The other OU’s under North America are for companies that we have in North America.  Under each company OU we have different physical locations that a company may have and they have their own subnet and a domain controller from the domain controllers OU would be sitting on their LAN.  Under each physical location there is an OU for computers and under that, OU’s for laptops, servers, and workstations.  So the structure looks something like this.

    NorthAmerica

      |_Domain Controllers

          |_ Company1

               |_ Site1

                    |_Computers

                        |_laptops

                        |_ servers

                        |_ workstations

               |_ Site2

                    |_Computers

                        |_laptops

                        |_ servers

                        |_ workstations

          |_ Company2

               |_ Site1

                    |_Computers

                        |_laptops

                        |_ servers

                        |_ workstations

               |_ Site2

                    |_Computers

                        |_laptops

                        |_ servers

                        |_ workstations

     

    In my initial setup years ago at the site1 level I created a policy that defined a GUP that was located in the servers group under site1.  I continued to do this for all companies and sites.  Of course in order to do this I had to disable Inherent Policies.  Not a lot of fun doing this for 90+ sites.  This is all working properly.  So now looking back at all of this I’m considering this to simplify things for the future.  At most sites there is a domain controller at the site that is in the Domain Controllers OU.  The DC is in the site’s subnet IP range sitting on their local LAN.  My thinking was to create a LiveUpdate policy for group update providers and add the DC’s to a group update provider list.  Once I created this I could apply this and turn inheritance back on.

    When creating this policy I would check “use the default management server” and then select “use group update provider”, select the group update provider button, select Multiple Group Update Providers, and Configure List and add the IP addresses of the domain controllers.

    So now, if I’ve added the IP address of a domain controller that is part of the site’s subnet from the domain controllers OU, it will now serve as the GUP for the clients in the same subnet.  If there isn’t an IP address in the same subnet listed in the group update provider list, the clients will go to the SEPM server for their updates.

    Does this sound correct?  Sorry for so much detail.
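
Added example, not part of the thread and not Symantec code: a Python model of the selection order discussed above (a GUP from the list that sits in the client's current subnet, then an optional single fallback GUP, then the management server), plus a check that flags sites with no GUP address in their subnet. The addresses, site names and the management-server fallback are constructed assumptions; what a real client does is governed by the LiveUpdate policy settings.

```python
import ipaddress

# Constructed sample data (not from the thread): DC addresses used as GUPs
# and the subnet of each site.
GUP_LIST = ["10.1.10.5", "10.1.20.5", "10.2.10.5"]
SITE_SUBNETS = {
    "Company1/Site1": "10.1.10.0/24",
    "Company1/Site2": "10.1.20.0/24",
    "Company2/Site1": "10.2.10.0/24",
    "Company2/Site2": "10.2.20.0/24",  # no DC at this site
}
FALLBACK_GUP = None          # optional single dedicated GUP (assumption)
MANAGEMENT_SERVER = "SEPM"   # placeholder label for the management server


def choose_source(client_cidr, gup_list=GUP_LIST, fallback_gup=FALLBACK_GUP):
    """Return (kind, address) for the content source a client would use.

    client_cidr is the client's *current* address and mask, for example
    "10.1.20.77/24", so a travelling laptop is evaluated against the subnet
    it is connected to now, not the one its group was built for.
    """
    subnet = ipaddress.ip_interface(client_cidr).network
    for gup in gup_list:
        if ipaddress.ip_address(gup) in subnet:
            return ("local-gup", gup)
    if fallback_gup is not None:
        return ("fallback-gup", fallback_gup)
    return ("management-server", MANAGEMENT_SERVER)


def sites_without_local_gup(site_subnets=SITE_SUBNETS, gup_list=GUP_LIST):
    """List sites whose subnet contains no address from the GUP list."""
    gups = [ipaddress.ip_address(g) for g in gup_list]
    missing = []
    for site, cidr in site_subnets.items():
        net = ipaddress.ip_network(cidr)
        if not any(g in net for g in gups):
            missing.append(site)
    return sorted(missing)


if __name__ == "__main__":
    # A Site1 laptop visiting Site2 picks up the Site2 GUP.
    print(choose_source("10.1.20.77/24"))
    # Sites whose clients would pull content across the WAN.
    print(sites_without_local_gup())
```

Running the coverage check against an export of site subnets before turning inheritance back on shows which of the 90+ sites would send update traffic over the WAN.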