Hi,
If a definition update is available does it go over the WAN to the GUP defined for their group even though there may be a GUP at the location they are at? I’m guessing yes.
--> Your guess is correct.
Single Group UpdateProvider:
A single Group Update Provider is a dedicated client computer that provides content for one or more groups of clients. A single Group Update Provider can be a client computer in any group. To configure a single Group Update Provider, you specify the IP address or host name of the client computer that you want to designate as the Group Update Provider.
Multiple Group Update Provider
Multiple Group Update Providers use a set of rules, or criteria, to elect themselves to serve groups of clients across subnets. To configure multiple Group Update Providers, you specify the criteria that client computers must meet to qualify as a Group Update Provider.
If a client computer meets the criteria, the Symantec Endpoint Protection Manager adds the client to its list of Group Update Providers. Symantec Endpoint Protection Manager then makes the list available to all the clients in your network. Clients check the list and choose the Group Update Provider that is located in their subnet.
You can also configure a single, dedicated Group Update Provider to distribute content to clients when the local Group Update Provider is not available.
Check this article for more details:
https://www-secure.symantec.com/connect/articles/whats-new-group-update-providers-ru5-release-symantec-endpoint-protection-110