Best Practices with Symantec Endpoint Protection Group Update Providers
Article: TECH93813 | Created: 2009-01-05 | Updated: 2013-09-18 | Article URL: http://www.symantec.com/docs/TECH93813
This document describes how best to use Group Update Providers (GUPs) to keep Symantec Endpoint Protection (SEP) clients up-to-date.
The GUP role can be assigned to any SEP client. When assigned the GUP role, a SEP client will act as a caching HTTP proxy, storing both delta and full revisions of SEP content. Other SEP clients can be configured to utilize the GUP for definition and content updates via LiveUpdate policies from the Symantec Endpoint Protection Manager (SEPM).
Several considerations need to be addressed before utilizing GUPs as part of the overall content updating scheme in an environment:
- SEPM/SEP version considerations
- Network considerations
- The total number of clients
- The total physical hard disk space available on the GUP
- Other hardware limitations of the GUP
- Determining Worst Case Scenarios for bandwidth and storage usage
- GUP availability
SEPM/SEP version considerations:
There have been significant changes to both the GUP architecture and the content delta process over the development cycle of the SEP product. In order to take advantage of these changes, both the SEPM and the SEP clients will need to be running SEP 11.0 RU6 MP3 or newer. Because of these changes, it is highly recommended that both the SEPM and SEP clients run the latest available version of SEPM/SEP.
GUPs can be used to supplement or replace a SEPM for distributing content updates to SEP clients, but cannot be used to update policies or manage clients. This means that clients will still need network connectivity to a SEPM in order to perform the heartbeat process, which updates their policies, and informs them when new content is available to download from the GUP.
If the SEP clients you wish to update via a GUP are not able to connect to the SEPM on the HTTP port being used by the SEPM for client management, you will need to consider another method of updating clients. Depending on the version of SEPM used in your environment, the default client management port is either 80 or 8014. This port is configurable within the product. The only method to update both content and policies on a client is through a SEPM.
Since the GUP is essentially a SEP client with the additional GUP role, it must also be able to access the SEPM via the client management port. In addition to this, the clients being served by the GUP must be able to connect to the HTTP port the GUP is listening on (2967 by default). It is recommended that a GUP be on the same network segment as all clients configured to update from the GUP.
The GUP will download definitions on-demand for itself and any clients configured to update through it. The GUP will cache all downloaded content according to the settings in its LiveUpdate policy. Clients that have been configured to use a GUP will download definitions directly from the GUP instead of SEPM. By this method, bandwidth is conserved. There must be sufficient bandwidth between the GUP and the SEPM to allow the GUP to download the full and delta definition packages being requested by SEP clients. The larger the spread of definition revisions used by the clients, the larger the bandwidth utilization between the SEPM and the GUP.
Though bandwidth usage can be significantly reduced by using GUPs strategically, it is still important to ensure that GUPs are positioned in the network to maximize their effectiveness. GUPs should only be configured to provide updates for clients on their local network segment. The GUP must have sufficient bandwidth to deliver content packages of up to 260 MB to the clients it serves up to 3 times a day.
Total number of clients:
The current iteration of the GUP role can be configured to support up to 10,000 clients. Prior to SEP MR3, the GUP was only capable of supporting up to 100 clients, or 1,000 clients with SEP MR4. To ensure that the GUP is capable of updating a large number of clients, you may need to configure the GUP to handle more than the default.
Total physical hard disk space available on the GUP:
By default the GUP will automatically purge content from its cache under two conditions:
- If the content on the GUP grows larger than the configured Maximum disk cache size for content updates setting. The GUP will purge the oldest content by last accessed time until there is room for any new content.
- If any individual content is older than the Delete content updates if unused setting, the GUP will remove that content.
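The interaction of the two purge rules can be seen in a small model. This is an added example, not Symantec code: the class, the package names, the delta sizes, the hour-based clock and the setting units are assumptions, and only the 260 MB full-package size comes from this article. Each cache miss in the trace corresponds to a download the GUP must make from the SEPM.

```python
from dataclasses import dataclass

@dataclass
class Item:
    size_mb: int
    last_access: float  # hours on the model clock

class GupCacheModel:
    """Simplified model of the two purge rules; not Symantec's implementation."""

    def __init__(self, max_cache_mb, max_unused_hours):
        self.max_cache_mb = max_cache_mb          # "Maximum disk cache size" (unit assumed: MB)
        self.max_unused_hours = max_unused_hours  # "Delete ... if unused" (unit assumed: hours)
        self.items = {}

    def used_mb(self):
        return sum(i.size_mb for i in self.items.values())

    def request(self, name, size_mb, now):
        """Serve one client request; return (cache_hit, names_purged)."""
        # Rule 2: drop content unused for longer than the age limit.
        purged = [n for n, i in self.items.items()
                  if now - i.last_access > self.max_unused_hours]
        for n in purged:
            del self.items[n]
        if name in self.items:
            self.items[name].last_access = now
            return True, purged
        # Rule 1: evict by oldest last-access time until the new content fits.
        while self.items and self.used_mb() + size_mb > self.max_cache_mb:
            oldest = min(self.items, key=lambda n: self.items[n].last_access)
            del self.items[oldest]
            purged.append(oldest)
        if size_mb <= self.max_cache_mb:
            self.items[name] = Item(size_mb, now)
        return False, purged

def run_constructed_scenario():
    """Constructed request trace: (hour, package, size in MB)."""
    cache = GupCacheModel(max_cache_mb=550, max_unused_hours=72)
    trace = [(0, "full_rev10", 260), (1, "delta_9_to_10", 20),
             (2, "delta_8_to_10", 40), (3, "full_rev10", 260),
             (8, "full_rev11", 260), (80, "full_rev11", 260)]
    return [(name, *cache.request(name, size, now)) for now, name, size in trace]

if __name__ == "__main__":
    for name, hit, purged in run_constructed_scenario():
        print(f"{name:15} hit={hit!s:5} purged={purged}")
```

In this trace the 550 MB limit cannot hold two full packages plus the deltas, so the deltas are evicted first because the older full package was re-requested more recently; clients still needing those deltas would trigger a fresh download from the SEPM.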
Other hardware/software limitations of the GUP:
Symantec has tested the GUP role on a variety of hardware and OS configurations and has found that the GUP role adds minimally to the CPU, memory and IO load on test systems. The load generated by the GUP role will increase based on the number of clients configured to update from the GUP, the number of large delta or full content updates clients request, and the frequency at which definitions are updated in the environment.
Some basic guidelines for GUP hardware/software considerations are as follows:
- Ensure that the machine being used to serve as the GUP has sufficient reserves of CPU/memory capacity to allow for its normal operations to continue while serving content to clients
- By default, Windows is configured to allow a maximum of 5000 TCP connections simultaneously. With this configuration, the GUP is capable of serving 40 client connections per second.
- Windows can be configured to allow a maximum of 65534 TCP connections simultaneously. With this configuration, the GUP is capable of serving approximately 180 client connections per second.
If SEP clients are configured to get updates from only a single GUP and it is a requirement that clients be able to download content updates twenty-four hours a day and seven days a week, then it is important to ensure that the GUP machine is not turned off regularly. In such a situation, it may not be appropriate to have a user's workstation (which may be turned off nightly or over the weekend) function as a GUP. A server machine may be more appropriate.
Furthermore, if the GUP's download speed from the SEPM is throttled or limited, the importance of using a machine which is rarely turned off is increased. In environments with very slow or severely throttled connections between the GUPs and SEPM, it is possible for it to take many hours for a GUP to download full content packages from the SEPM. A machine which is turned off after only a few hours may not have sufficient time to download full definitions packages before being turned off.