Configuring the Group Update Provider (GUP) in Symantec Endpoint Protection 11.0 RU5 and later

Article:TECH96419  |  Created: 2009-01-28  |  Updated: 2012-04-23  |  Article URL http://www.symantec.com/docs/TECH96419
Article Type
Technical Solution


Environment

Issue



How do I configure the Group Update Provider (GUP) in SEP 11.0 RU5 and later?

 


Solution




Distributing content using Group Update Providers

A Group Update Provider is a client computer that you designate to locally distribute content updates to clients. A Group Update Provider downloads content updates from the management server and distributes the updates to clients. A Group Update Provider helps you conserve bandwidth by localizing content distribution. A Group Update Provider is ideal for delivering content updates to clients that have limited network access to the server. You can use a Group Update Provider to conserve bandwidth to clients in a remote location over a slow link.

Managing Group Update Providers

Step 1: Verify client communication - Before you configure Group Update Providers, verify that the clients can receive content updates from the server. Resolve any client-server communication problems. You can view client-server activity in the System logs.

Step 2: Configure Group Update Providers - You configure Group Update Providers by specifying settings in the LiveUpdate Settings Policy. You can configure a single Group Update Provider or multiple Group Update Providers.

Step 3: Assign the LiveUpdate Settings Policy to groups - You assign the LiveUpdate Settings Policy to the groups that use the Group Update Providers. You also assign the policy to the group in which the Group Update Provider resides. For a single Group Update Provider, you assign one LiveUpdate Settings Policy per group per site. For multiple Group Update Providers, you assign one LiveUpdate Settings Policy to multiple groups across subnets.

Step 4: Verify that clients are designated as Group Update Providers - You can view the client computers that are designated as Group Update Providers. You can search client computers to view a list of Group Update Providers. A client computer's properties also show whether or not it is a Group Update Provider.



About the types of Group Update Providers


You can configure two types of Group Update Providers: a single Group Update Provider or multiple Group Update Providers:
 

  1. Single Group Update Provider: A single Group Update Provider is a dedicated client computer that provides content for one or more groups of clients. A single Group Update Provider can be a client computer in any group. To configure a single Group Update Provider, you specify the IP address or host name of the client computer that you want to designate as the Group Update Provider.
  2. Multiple Group Update Providers: Multiple Group Update Providers use a set of rules, or criteria, to elect themselves to serve groups of clients across subnets. To configure multiple Group Update Providers, you specify the criteria that client computers must meet to qualify as a Group Update Provider. If a client computer meets the criteria, the Symantec Endpoint Protection Manager adds the client to its list of Group Update Providers. Symantec Endpoint Protection Manager then makes the list available to all the clients in your network. Clients check the list and choose the Group Update Provider that is located in their subnet. You can also configure a single, dedicated Group Update Provider to distribute content to clients when the local Group Update Provider is not available.



You use a LiveUpdate Settings Policy to configure the type of Group Update Provider. The type you configure depends on how your network is set up and whether or not your network includes legacy clients.





You use the Group Update Provider dialog box to configure the Group Update Provider settings.

The Group Update Provider gets content updates from the Symantec Endpoint Protection Manager and locally distributes the updates to groups of clients. For each LiveUpdate Settings Policy, you can configure a single Group Update Provider or multiple Group Update Providers.

Note: The Group Update Provider does not proxy op-states, events, commands, command status, or profiles between the server and the clients.


 

Setting: Single Group Update Provider IP address or host name

Description: Check this option to configure a single Group Update Provider. The client computer that acts as the Group Update Provider can reside in any group.
Type the IP address or host name of the client computer.
Example IP address: 1.1.1.1
Example host name: mycompany
You can use the wild cards asterisk (*) and question mark (?) in the host name.

Setting: Multiple Group Update Providers

Description: Check this option to configure multiple Group Update Providers. Then click Configure Group Update Provider List.

Setting: Maximum time that clients try to download updates from a Group Update Provider before trying the default management server

Description: This option lets clients bypass a Group Update Provider if they try and fail to connect to the Group Update Provider. You can specify a length of time after which clients can bypass the Group Update Provider. When clients bypass the Group Update Provider, they get content updates from the default server.

Select one of the following options:
  • Check Never if clients only get updates from the Group Update Provider and never from the server. For example, you might use this option if you do not want client traffic to run over a wide area connection to the server.
  • Check After to specify the time after which clients must bypass the Group Update Provider. Specify the time in minutes, hours, or days.

Setting: Default port

Description: The TCP port that is used for client communications.
The default TCP port number is 2967. If the Group Update Provider receives IP addresses with DHCP, you should assign a static IP address to the computer or use the host name. If the Group Update Provider is at a remote location that uses network address translation (NAT), use the host name.

Note: If the Group Update Provider runs a firewall, you might need to modify the Symantec firewall policy to permit the TCP port to receive server communications. This note applies to Windows firewall, legacy Symantec Client Firewall, and third-party firewalls. If the Group Update Provider runs the Symantec Endpoint Protection client firewall, the Symantec firewall policy is configured automatically.

Setting: Maximum disk cache size allowed for downloading updates

Description: The maximum disk space to use on the Group Update Providers for storing content updates.

The unreserved disk space is kept to the limits as content updates are downloaded. Once the limit is reached, the Group Update Provider continues to serve the clients, but only for the existing content.

Setting: Delete content updates if unused

Description: Controls when the individual content updates that are downloaded to the Group Update Provider become eligible for deletion.

The content updates take up disk space on the Group Update Provider computer. You should configure the option to delete unused content updates. Content updates are considered unused if the clients have not requested the updates.

Setting: Maximum number of simultaneous downloads to clients

Description: The maximum number of simultaneous downloads that the Group Update Provider distributes to clients.

This option concerns memory and CPU utilization on the Group Update Provider computer. The option controls how many threads are allocated to handle incoming requests. Memory utilization is associated with the threads, so more threads require more memory. Also, processing the incoming requests requires CPU cycles, so more threads require more CPU cycles.

You should tune the value to the limitations of the Group Update Provider computer. The goal is to download content updates to clients as quickly as possible, without overwhelming the Group Update Provider computer. Set the value high enough to get reasonable concurrency, but low enough to avoid overtaxing the Group Update Provider computer.

Setting: Maximum bandwidth allowed for Group Update Provider downloads from the management server

Description: Controls the amount of bandwidth that the Group Update Provider uses to download content updates from the server.
Select one of the following options:
  • Check Unlimited to allow any amount of bandwidth.
  • Check Up to in order to limit the bandwidth to the amount that you specify.




When to use a particular Group Update Provider type:


Single:

Use a single Group Update Provider when your network includes any of the following scenarios:
 

  • Your network includes legacy clients

    Legacy clients can get content from a single Group Update Provider; legacy clients can also be designated as a Group Update Provider. Legacy clients do not support multiple Group Update Providers.
     
  • You want to use the same Group Update Provider for all your client computers

    You can use a single LiveUpdate Content Settings Policy to specify a static IP address or host name for a single Group Update Provider. However, if clients change locations, you must change the IP address in the policy. If you want to use different Group Update Providers in different groups, you must create a separate LiveUpdate Settings Policy for each group.



Multiple:

Use multiple Group Update Providers when your network includes any of the following scenarios:
 

  • You run the latest client software on the computers in your network

    Multiple Group Update Providers are supported on the computers that run the latest client software. Multiple Group Update Providers are not supported by legacy clients. Legacy clients cannot get content from multiple Group Update Providers. Legacy clients cannot be designated as Group Update Providers even if they meet the criteria for multiple Group Update Providers. You can create a separate LiveUpdate Settings Policy and configure a single, static Group Update Provider for a group of legacy clients.
     
  • You have multiple groups and want to use different Group Update Providers for each group

    You can use one policy that specifies rules for the election of multiple Group Update Providers. If clients change locations, you do not have to update the LiveUpdate Settings Policy. The Symantec Endpoint Protection Manager combines multiple Group Update Providers across sites and domains. It makes the list available to all clients in all groups in your network.
     
  • Multiple Group Update Providers can function as a failover mechanism. Multiple Group Update Providers ensure a higher probability that at least one Group Update Provider is available in each subnet.




About configuring rules for multiple Group Update Providers


Multiple Group Update Providers use rules to determine which client computers act as a Group Update Provider.


Rules are structured as follows:
 

  • Rule sets

    A rule set includes the rules that a client must match to act as a Group Update Provider.
     

     

  • Rules

    Rules can specify IP addresses, host names, client registry keys, or client operating systems. You can include one of each rule type in a rule set.
     
  • Rule conditions

    A rule specifies a condition that a client must match to act as a Group Update Provider. If a rule specifies a condition with multiple values, the client must match one of the values.



Rule types

IP address or host name - This rule specifies client IP addresses or host names.

Registry keys - This rule specifies client registry keys.

Operating system - This rule specifies client operating systems.


Rules are matched based on the logical OR and AND operators as follows:
 

  1. Multiple rule sets are ORed. A client must match one rule set.
  2. Multiple rules are ANDed. A client must match all the rules that are specified in a rule set.
  3. Multiple values for a rule condition are ORed. A client must match one value.

For example, you might create RuleSet1 that includes an IP address rule with several IP addresses. You then create RuleSet2 that includes a host name rule and an operating system rule, each with multiple values. A client computer must match either RuleSet1 or RuleSet2. A client matches RuleSet1 if it matches any one of the IP addresses. A client matches RuleSet2 if it matches any one of the host names and any one of the operating systems.
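The matching logic above, as an added example (not Symantec code), lets you audit which clients in an inventory would qualify as Group Update Providers under a proposed policy before you assign it. The field names, rule-type keys, sample policy and sample inventory are constructed for illustration, and values are compared by exact, case-insensitive match.

```python
from dataclasses import dataclass, field

# Rule types named in the article: IP address / host name, registry keys,
# operating system. Field names and keys are hypothetical, not Symantec's schema.

@dataclass
class Client:
    name: str
    ip: str
    os: str
    registry_keys: set = field(default_factory=set)

def rule_matches(rule_type, values, client):
    """One rule: its values are ORed, so any single matching value is enough."""
    if rule_type == "ip_or_host":
        have = {client.ip, client.name.lower()}
        return any(v.lower() in have for v in values)
    if rule_type == "registry_key":
        have = {k.lower() for k in client.registry_keys}
        return any(v.lower() in have for v in values)
    if rule_type == "os":
        return any(v.lower() == client.os.lower() for v in values)
    raise ValueError(f"unknown rule type: {rule_type}")

def matching_rule_sets(rule_sets, client):
    """Rule sets are ORed; the rules inside one rule set are ANDed.
    A dict keyed by rule type allows at most one rule of each type per set.
    An empty rule set matches nothing (all() of no rules would match everyone)."""
    return [name for name, rules in rule_sets.items()
            if rules and all(rule_matches(t, v, client) for t, v in rules.items())]

def eligible_gups(rule_sets, clients):
    """Map each client that would qualify as a GUP to the rule sets it matched."""
    result = {}
    for c in clients:
        hits = matching_rule_sets(rule_sets, c)
        if hits:
            result[c.name] = hits
    return result

# Constructed sample policy, mirroring the article's RuleSet1 / RuleSet2 example.
RULE_SETS = {
    "RuleSet1": {"ip_or_host": ["10.0.1.10", "10.0.2.10"]},
    "RuleSet2": {"ip_or_host": ["BRANCH-FS01", "BRANCH-FS02"],
                 "os": ["Windows Server 2003", "Windows Server 2008"]},
}
# Constructed sample inventory.
CLIENTS = [
    Client("HQ-APP01", "10.0.1.10", "Windows XP"),
    Client("branch-fs01", "10.0.3.5", "Windows Server 2008"),
    Client("BRANCH-FS02", "10.0.3.6", "Windows XP"),
    Client("LAPTOP-17", "10.0.3.77", "Windows Server 2008"),
]

if __name__ == "__main__":
    for name, hits in eligible_gups(RULE_SETS, CLIENTS).items():
        print(f"{name}: qualifies via {', '.join(hits)}")
```

Because a Group Update Provider serves content to other clients, reviewing this list shows whether a loosely written rule set, such as one with only an operating system rule, would let unintended machines take that role.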



Configuring a Group Update Provider


You configure a Group Update Provider by specifying settings in the LiveUpdate Settings Policy.

You can configure the LiveUpdate Settings Policy so that clients only get updates from the Group Update Provider and never from the server. You can specify when clients must bypass the Group Update Provider. You can configure settings for downloading and storing content updates on the Group Update Provider computer.

You can also configure the type of Group Update Provider.


Note: If the Group Update Provider runs a non-Symantec firewall, you might need to modify the firewall to permit the TCP port to receive server communications. By default, the Symantec Firewall Policy is configured correctly.


To configure a Group Update Provider
 

  1. In the console, click Policies.
  2. Under View Policies, click LiveUpdate.
  3. In the LiveUpdate Policies pane, on the LiveUpdate Settings tab, select the policy to edit.
  4. In the Tasks pane, click Edit the Policy.
  5. In the LiveUpdate Policy window, click Server Settings.
  6. On the Server Settings page, under Internal or External LiveUpdate Server, check Use the default management server (recommended). Do not check Use a LiveUpdate server. The Group Update Provider that you configure acts as the default LiveUpdate server.
  7. Under Group Update Provider, check Use the Group Update Provider.
  8. Click Group Update Provider.
  9. In the Group Update Provider dialog box, configure the type of Group Update Provider. Note: Legacy clients can only use a single Group Update Provider. Legacy clients do not support multiple Group Update Providers.
  10. In the Group Update Provider dialog box, configure the options to control how content is downloaded and stored on the Group Update Provider computer. Click Help for information about content downloads.
  11. Click OK.



Configuring a single Group Update Provider

You can configure only one single Group Update Provider per LiveUpdate Settings Policy per group. To create a single Group Update Provider for multiple sites, you must create one group per site, and one LiveUpdate Settings Policy per site.

To configure a single Group Update Provider, follow these steps:

  1. In the Group Update Provider dialog box, under Group Update Provider Selection for Client, check Single Group Update Provider IP address or host name.
  2. In the Single Group Update Provider IP address or host name box, type the IP address or host name of the client computer that acts as the single Group Update Provider.


Click Help for information about the IP address or host name.


Configuring multiple Group Update Providers

You can configure multiple Group Update Providers by specifying criteria in a LiveUpdate Settings Policy. Clients use the criteria to determine if they qualify to act as a Group Update Provider.

To configure multiple Group Update Providers, follow these steps:

  1. In the Group Update Provider dialog box, under Group Update Provider Selection for Client, check Multiple Group Update Providers.
  2. Click Configure Group Update Provider List.
  3. In the Group Update Provider List dialog box, select the tree node Group Update Provider.
  4. Click Add to add a rule set.
  5. In the Specify Group Update Provider Rule Criteria dialog box, in the Check drop-down list, select one of the following:
      • Computer IP Address/Host Name
      • Registry Keys
      • Operating System
  6. If you selected Computer IP Address/Host Name or Registry Keys, click Add.
  7. Type or select the IP address, registry key, or operating system information. Click Help for information on configuring rules.
  8. Click OK until you return to the Group Update Provider dialog box.
  9. In the Group Update Provider List dialog box, optionally add more rule sets.
  10. Type a Group Update Provider IP address or host name in the Specify the host name or IP address of a Group Update Provider on a different subnet to be used, if Group Update Providers on the local subnet are unavailable text box.
  11. Click OK.



Searching for the clients that act as Group Update Providers

You can verify that clients are available as Group Update Providers. You can view a list of Group Update Providers by searching for them on the Clients tab.

Note: You can also check a client's properties. The properties include a field that indicates whether or not the client is a Group Update Provider.


To search for the clients that act as Group Update Providers, follow these steps: 

  1. In the console, click Clients.
  2. On the Clients page, on the Clients tab, in the View box, select Client status.
  3. In the Tasks pane, click Search Clients.
  4. In the Find box, select Computers.
  5. In the In Group box, specify the group name.
  6. Under Search Criteria, in the Search Field column, select Group Update Provider.
  7. Under Search Criteria, in the Comparison Operator column, select =.
  8. Under Search Criteria, in the Value column, select True. Click Help for information on the search criteria.
  9. Click Search.









Legacy ID



2009092901593448

