Understanding "Explicit Group Update Providers (GUPs) for Roaming Clients" in Symantec Endpoint Protection (SEP) 12.1.2

Article:TECH198640  |  Created: 2012-10-19  |  Updated: 2012-11-15  |  Article URL http://www.symantec.com/docs/TECH198640
Article Type
Technical Solution


Issue



SEP 12.1.2 includes a new "Explicit Group Update Providers (GUPs) for Roaming Clients" feature.
It is important to understand that the "Roaming" referred to here pertains to the clients ability to roam to a GUP outside of their own subnet, rather than their ability to find a nearest GUP. In previous SEP versions, the clients would only connect to a GUP outside of their own subnet, if such a GUP was configured as "backup" GUP. 
 
(There was an optional setting to "Specify the host name or IP address of a Group Update Provider on a different subnet to be used if Group Update Providers on the local subnet are unavailable"in  Group Update Provider List settings) 
 
 
 

Solution



Note: configuring an "Explicit Group Update Provider list" does not turn clients into Group Update Providers. 

To turn clients into GUPs, first configure single or multiple Group Update Providers. A client will become a GUP when the data entered matches its own attributes. The Explicit Group Update Provider list will then be used to map the clients to their respective Explicit GUPs. 

An example scenario when Explicit GUPs for Roaming Clients might be used is the following:
 
The environment consists of 3 Subnets divided by Computer Roles:
 
  • A Server Farm Subnet with Network Address 10.0.0.0
  • A Marketing Subnet with Network Address 172.10.0.0
  • An Engineering Subnet with Network Address 192.168.10.0
            
Note: in this example the Network Addresses are chosen for demonstration purposes only.
 
 
The client machines in the Marketing and Engineering subnets need to be configured to get updates from a GUP situated in the Server Farm network.
To create the Group Update Provider policy, the following steps have to be taken:
 
  • Identify the machines in the Server Farm Subnet that will become the GUPs
In this example the designated GUPs are the following:
A computer with IP address 10.10.10.1 and subnet mask 255.0.0.0
A computer with IP address 10.10.10.2 and subnet mask 255.0.0.0
 
 
  • Configure these two computers as Multiple Group Update Providers:

 

 

 

 

  • Configure the clients in the Marketing Subnet 172.10.0.0 to use one of the GUPs in the Server Farm Network
  • Configure the clients in the Engineering Subnet 192.168.10.0 to use one of the GUPs in the Server Farm Network

This can be done by either specifying the IP Address of an individual GUP in the Server Farm Network, or by specifying the Network Address of the Server Farm Network.

Note: You can calculate the value of the Client Subnet Network Address and the GUP Subnet Network Address by using one of the subnet calculators readily available on the Internet. This address is sometimes also referred to as the network prefix or network ID. 

Example:

  • Configure the clients in the Marketing Subnet 172.10.0.0 to use a GUP with IP Address 10.10.10.1 in the Server Farm Network

 

  • Configure the clients in the Engineering Subnet 192.168.10.0 to use any GUP in the Server Farm Network by specifying its Network Address

 

 

The workflow could be summarized as follows:

  • The Administrator uses a 12.1.2 SEPM to create mapping via a Policy: This Maps "client subnet" to  "GUP to use". 
  • A SEP 12.1.2 Client parses the new policy and extracts relevant data from the GUP list to select the new GUP Type. 
  • The SEP 12.1.2 Client then verifies:

"Am I in the subnet that is supposed to use the Explicit GUP?"

"Which subnet is the Explicit GUP in - is it in a different subnet than mine?"

"Who is the actual GUP?" 

  • The Client will first try to use available local GUPs before using any of the Explicit GUPs
  • The GUP itself need not be a 12.1.2 Client.

 

 




Article URL http://www.symantec.com/docs/TECH198640


Terms of use for this information are found in Legal Notices