Configuring Group Update Providers in Symantec Endpoint Protection 11.0 RU5

Created: 22 Sep 2009 | Updated: 22 Sep 2009

Support for configuring multiple GUPs in the SEP 11.0 RU5 release has added a certain dynamism to the way virus definitions are provided to the clients.

The figure below is a representation of various possibilities of configuring a Group Update Provider:

[Figure: Group Update Provider configuration options]

As shown above, you can configure either a single GUP or multiple GUPs in SEPM.

When to use multiple GUPs:

  • You run the latest client software on the computers in your network. Multiple Group Update Providers are supported on the computers that run the latest client software. Multiple Group Update Providers are not supported by legacy clients. Legacy clients cannot get content from multiple Group Update Providers. Legacy clients cannot be designated as a Group Update Provider even if they meet the criteria for multiple Group Update Providers. You can create a separate LiveUpdate Settings Policy and configure a single, static Group Update Provider for a group of legacy clients.
  • You have multiple groups and want to use different Group Update Providers for each group. You can use one policy that specifies rules for the election of multiple Group Update Providers. If clients change locations, you do not have to update the LiveUpdate Settings Policy. The Symantec Endpoint Protection Manager combines multiple Group Update Providers across sites and domains. It makes the list available to all clients in all groups in your network.
  • Multiple Group Update Providers can function as a failover mechanism. Multiple Group Update Providers ensure a higher probability that at least one Group Update Provider is available in each subnet.

The following steps give you a glimpse of how to configure GUPs in RU5 (the original screenshots are not reproduced here).

Here is the screen you see when you go to SEPM Console -> Policies -> LiveUpdate Policy -> LiveUpdate Settings Policy -> Server Settings -> Group Update Provider:

  • As we have chosen multiple GUPs, we have to provide a GUP list.

  • When you click Add, you have to specify the rule criteria.

  • The first option is to specify a computer name or IP address.

  • The second option is to specify the registry keys that will define a GUP.

  • Once you choose Registry key as the main type, you can further specify 3 attributes:

1. Registry Key

2. Registry Value

3. Registry Key Name

The third option is to choose from the supported operating systems for installing SEP 11 RU5.

  • All these rules can be in 1 Rule Set. You can have multiple Rule Sets in your GUP configuration.

Here are some tips to know about the Rule Sets:

Rules are matched based on the logical OR and AND operators as follows:

* Multiple rule sets are OR'ed. A client must match one rule set. This can be useful while roaming across multiple locations: your client will pass one rule set in one location and a second rule set in a different one, so the IP addresses of the GUP will change automatically.

* Multiple rules are AND'ed. A client must match all the rules that are specified in a rule set.

* Multiple values for a rule condition are OR'ed. A client must match one value. For example, you might create RuleSet1 that includes an IP address rule with several IP addresses. You then create RuleSet2 that includes a host name rule and an operating system rule, each with multiple values. A client computer must match either RuleSet1 or RuleSet2.
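The OR/AND/OR matching described above can be checked with a small evaluator. This is an added example, not Symantec's code: the dictionary layout, the client records, the addresses and the registry path are constructed, and the host name wildcard follows the reply in the comments below that wildcards work for computer names but not for IP addresses.

```python
from fnmatch import fnmatchcase

# Constructed GUP list. The dict layout and the registry path are hypothetical.
REG_RULE = ("HKLM\\SOFTWARE\\ExampleCorp\\Roles", "IsGup", "1")
RULE_SETS = [
    # RuleSet1: a single IP address rule with several values (values are OR'ed).
    [{"type": "ip", "values": ["192.0.2.10", "192.0.2.11", "198.51.100.5"]}],
    # RuleSet2: host name rule AND operating system rule, each with several values.
    [{"type": "hostname", "values": ["gup-*", "filesrv01"]},
     {"type": "os", "values": ["Windows Server 2003", "Windows Server 2008"]}],
    # RuleSet3: registry rule given as (key, value name, value data).
    [{"type": "registry", "values": [REG_RULE]}],
]

def rule_matches(rule, client):
    """One rule passes when ANY of its values matches the client."""
    kind, values = rule["type"], rule["values"]
    if kind == "ip":          # exact match only: no wildcards for IP addresses
        return client["ip"] in values
    if kind == "hostname":    # wildcards allowed, compared case-insensitively
        name = client["hostname"].lower()
        return any(fnmatchcase(name, v.lower()) for v in values)
    if kind == "os":
        return client["os"] in values
    if kind == "registry":
        reg = client.get("registry", {})
        return any(reg.get((key, name)) == data for key, name, data in values)
    raise ValueError(f"unknown rule type: {kind}")

def matching_rule_sets(client, rule_sets=RULE_SETS):
    """1-based numbers of the rule sets in which ALL rules pass.
    An empty rule set is treated as matching nothing."""
    return [n for n, rules in enumerate(rule_sets, 1)
            if rules and all(rule_matches(r, client) for r in rules)]

def qualifies_as_gup(client, rule_sets=RULE_SETS):
    """Rule sets are OR'ed: one fully matching rule set is enough."""
    return bool(matching_rule_sets(client, rule_sets))

# Constructed clients.
CLIENTS = [
    {"ip": "192.0.2.11", "hostname": "WS-17", "os": "Windows XP"},
    {"ip": "10.0.0.5", "hostname": "GUP-LAB1", "os": "Windows Server 2008"},
    {"ip": "10.0.0.6", "hostname": "gup-lab2", "os": "Windows XP"},
    {"ip": "10.0.0.7", "hostname": "ws-40", "os": "Windows XP",
     "registry": {(REG_RULE[0], REG_RULE[1]): "1"}},
]

if __name__ == "__main__":
    for c in CLIENTS:
        print(c["hostname"], matching_rule_sets(c), qualifies_as_gup(c))
```

The third client shows the AND inside a rule set: its host name matches RuleSet2 but its operating system does not, so it matches no rule set.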

Comments

Vikram Kumar-SAV to SEP
Symantec Employee
Accredited
24 Sep 2009 | Votes: 0

Nice article..one image is enough to say thousand words..

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

AravindKM
Trusted Advisor
25 Sep 2009 | Votes: +1

Is it possible to use wild characters in a rule set? For example, can I set the rule as IP address of GUP should be 10.3.*.12?

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

27 Sep 2009 | Votes: +1

Hi,

It is not possible to use wildcards for IP addresses. However, you can use wildcards for computer names. E.g. symantec* will show you computers that have symantec in their name.

Best,
Aniket

AravindKM
Trusted Advisor
29 Sep 2009 | Votes: 0

@Aniket Amdekar Thank you for the information.

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

06 Oct 2009 | Votes: 0

Does GUP functionality require NTP?

Hello -

I have a package that was exported with only the Antivirus and Antispyware feature set. This has installed correctly on all machines, except on one I activated as a GUP. On this machine, the Network Threat Protection module was activated. Is this the correct behavior? Is NTP required when a client is a GUP?

06 Oct 2009 | Votes: 0

Hi,

GUP functionality is provided in every SEP client. It is not dependent on any component activation. When SEPM provides a policy that says "hey..you are a GUP", the client activates that functionality.

Best,
Aniket

shp
06 Oct 2009 | Votes: 0

Thanks Aniket... Article is good...

Regards,
Srinivas H.P.
HCL Infosystems Ltd

07 Oct 2009 | Votes: 0

This is awesome and very detailed, thank you.  I have a question though: how does the client know which GUP to connect to, or to connect period?  Does the SEPMC tell the client what GUP to use and if so what does it use to do this?  If the client left one site and went to a new one how do they know to switch to the new GUP?

My thought was if there was a way to use a C-Name for the DFS and then the clients would be able to point directly to the right DFS no matter what location they went to, as the C-Name would be constant across the network and automatically connect them.

So to clear this up:

1. How does the client know to connect to a GUP and not SEPMC?
2. When moving locations does the client first try and connect to its GUP or how does it know which GUP to connect to?
3. How is this client configured when a GUP is used?

08 Oct 2009 | Votes: 0

Am no expert, but this is what I have learned:

1. You either specify one by an IP address or one can get ELECTED based on rules you define.  When a client requests an update it contacts SEPM, which then tells the client which GUP to use.
2. No, that's the beauty of it, the client always connects to SEPM first > look at it like a broker
3. Exactly the same as any other SEP client, i.e. no special software/config.  When a client is a GUP it just has a different reg key in place - this enables SEPM to have it on its GUP list and thus knows client x is the GUP for site.

Hope it helps.

08 Oct 2009 | Votes: 0

Here are a few points that will help you understand GUP:
1. Every machine that satisfies all the conditions in a rule set will become a GUP.
2. GUP will download definitions from SEPM.
4. The point behind defining multiple GUPs is the load balancing. If you define that every GUP will only accept 50 concurrent connections, when the 51st machine contacts the GUP, the GUP will not accept the connection. So the client moves on to the next GUP in
2. Clients will receive a list of GUPs from the SEPM. They will apply a subnet filter to the list. After applying the filter, clients will have a list of GUPs on the local subnet. Clients will save this local GUP list locally. When they are looking for definitions, they will contact the first GUP in the list. If that GUP is unavailable/refuses connection, then they move on to the next GUP in the list.

Clients will keep checking for an updated list of GUPs at SEPM\data\outbox\agent\GUP folder.

Best,
ANiket
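The selection described in the reply above (subnet filter, first GUP in the list, move on when a GUP refuses), sketched as an added example that is not part of the original post and not Symantec's code. The /24 prefix, the addresses and the assumption that all clients hold their connections at the same time are constructed; the cap of 50 is the figure used in the reply.

```python
import ipaddress
from collections import Counter

MAX_CONN = 50  # per-GUP connection cap from the reply's example

# Constructed GUP list as handed out by the management server, in list order.
GUP_LIST = ["10.1.0.5", "10.2.0.5", "10.1.0.6"]

def local_gups(client_ip, prefix_len, gup_list):
    """Subnet filter: keep the GUPs inside the client's own subnet, in list order."""
    subnet = ipaddress.ip_interface(f"{client_ip}/{prefix_len}").network
    return [g for g in gup_list if ipaddress.ip_address(g) in subnet]

def pick_gup(client_ip, prefix_len, gup_list, active):
    """Try the filtered list in order. A GUP already at its cap refuses the
    connection, so the client moves on to the next one. Returns None when no
    local GUP accepts; what the client does then depends on the policy."""
    for gup in local_gups(client_ip, prefix_len, gup_list):
        if active[gup] < MAX_CONN:
            active[gup] += 1
            return gup
    return None

def simulate(client_ips, prefix_len, gup_list):
    """Count how many clients end up on each GUP (key None = no GUP accepted)."""
    active, served = Counter(), Counter()
    for ip in client_ips:
        served[pick_gup(ip, prefix_len, gup_list, active)] += 1
    return served

# 120 constructed clients on 10.1.0.0/24.
SITE_A_CLIENTS = [f"10.1.0.{n}" for n in range(20, 140)]

if __name__ == "__main__":
    print(simulate(SITE_A_CLIENTS, 24, GUP_LIST))
    print(local_gups("10.3.0.9", 24, GUP_LIST))  # subnet with no GUP at all
```

With two GUPs on the subnet, the first 100 clients are served locally and the remaining 20 find no local GUP that accepts them, which is the sizing question to answer per site.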

08 Oct 2009 | Votes: 0

Under LiveUpdate Server Settings in order to use the GUP I have to have the default management server selected but also if I do not select use a LiveUpdate Server I will not be able to allow my users to manually run Live Update.

The problem here is that it says the client computer will retrieve updates from both servers. I do not want to DOUBLE my push to clients. Am I not understanding the syntax: "If both the default management server and a LiveUpdate server are selected, the client computer will retrieve updates from both servers."

Thanks in advance.

08 Oct 2009 | Votes: +1

Hi Bishop,

The reason for that sentence is to provide a priority for the definitions source. First choice will always be SEPM, or GUP if it's defined for that group. If the defined GUP is not accessible, or if no GUP is defined and SEPM is not accessible, only then will clients go to the internet to take definitions.

Best,
Aniket

09 Oct 2009 | Votes: 0

Ahh that makes sense.  Is there a way to tell from the client if they are utilizing the GUP and exactly which GUP they are using?  If not is there a way to know from the server?

shp
09 Oct 2009 | Votes: +1

In the client, go to View logs --> Client management --> System Log. You will find logs related to GUP...
It will be like this...

10/10/2009 9:48:47 AM          Information       Start using Group Update Provider (proxy server) @ 172.X.X.X:2967.

Regards,
Srinivas H.P.
HCL Infosystems Ltd
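The System Log entry quoted in the reply above can be turned into a per-GUP usage report. This is an added example, not part of the original post: it assumes each client's System Log has been exported as text with lines shaped like the one quoted, that dates are month/day/year, and the host names and addresses are constructed.

```python
import re
from datetime import datetime

# Pattern built from the log line quoted in the reply above.
GUP_LINE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+Information\s+"
    r"Start using Group Update Provider \(proxy server\) @ (?P<ip>\S+):(?P<port>\d+)\."
)

def gup_events(log_text):
    """Return (timestamp, gup_ip, port) for every GUP start entry, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = GUP_LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
            events.append((ts, m["ip"], int(m["port"])))
    return sorted(events)

def current_gup(log_text):
    """The GUP named in the most recent entry, or None if the log has none."""
    events = gup_events(log_text)
    return events[-1][1:] if events else None

def usage_report(logs_by_host):
    """Group hosts by the GUP they last reported using."""
    report = {}
    for host, text in logs_by_host.items():
        gup = current_gup(text)
        key = f"{gup[0]}:{gup[1]}" if gup else "no GUP event"
        report.setdefault(key, []).append(host)
    return report

# Constructed sample exports, one per client.
SAMPLE_LOGS = {
    "LAB-A-01": (
        "10/10/2009 9:48:47 AM     Information    Start using Group Update "
        "Provider (proxy server) @ 192.0.2.10:2967.\n"
        "10/11/2009 8:02:10 AM     Information    Start using Group Update "
        "Provider (proxy server) @ 192.0.2.11:2967.\n"
    ),
    "LAB-A-02": (
        "10/10/2009 9:50:01 AM     Information    Start using Group Update "
        "Provider (proxy server) @ 192.0.2.10:2967.\n"
    ),
    "STAFF-07": "10/10/2009 9:51:30 AM     Information    (constructed) unrelated entry\n",
}

if __name__ == "__main__":
    for gup, hosts in usage_report(SAMPLE_LOGS).items():
        print(gup, hosts)
```

Hosts that land under "no GUP event" are the ones to look at first when checking that a site's GUP is actually being used.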

12 Oct 2009 | Votes: 0

I was told today by a support rep that any GUP that I assign has to be with that group of clients????

So I have to configure like 100 GUP policies now???  That doesn't sound right.

For instance...

SITEA
---COMPUTERS
   ----DESKTOPS
          -----LABA
          -----LABB
    ----LAPTOPS
           ----STAFF
           -----STUDENTS

According to his advice I would have to go to each of those groups and set up a GUP????  I am running RU5 and supposedly can handle one policy with many GUPS???????

Also, I only have 1 server at most of my remote sites. This is the only box with a static IP and it is also a Domain Controller so this machine for one is on a different VLAN and another it is in a different folder all together than SITEA, etc......

Is there any way around this?  I really really really really need to get the GUP's working.  Symantec is killing our bandwidth at about 3 sites.

Any ideas????????

12 Oct 2009 | Votes: 0

Hi,

GUP supports inheritance. So a machine that is acting as a GUP for the group Laptops can also provide updates to the subgroups. However, if the subgroups represent different sites, it's always recommended to have a GUP at each site.

So, if you have 3 different sites in your network, make sure that you have at least 1 GUP per site.

Also, please make sure that you have configured Bandwidth Throttling for GUP.

Best,
Aniket

12 Oct 2009 | Votes: 0

So what you're saying is if I uncheck "inherit policies and settings from parent group" then each group will need its own GUP?  I have Servers that I have set in different groups being that I have different scan times and a very different set of centralized exceptions for each group.  90% of these servers are all in the same colo but you are saying that I would have to have 1 GUP for each Group?  This does not make sense.

I thought that the Client goes out and finds the GUP on their list that is closest to them i.e. their subnet and uses that GUP...if said GUP goes down they default to next nearest GUP or they go to SEP Management Console.  This is what I hope.

I plan on using a registry key as the way that GUPS get created please tell me I am not going to need a GUP per group can multiple groups use the same GUP?

Another question I have is what is the name of the folder that the SEP creates on the GUP to push data down to the clients and is this folder and its contents deleted after it finishes?  How much space does this need as we configure servers to have more data on D drive rather than C.

 

12 Oct 2009 | Votes: 0

Hi,

The main intention of having a GUP is that the GUP will be local to the subnet. So it's important that you have 1 GUP per location.

The inheritance I am talking about is for the Group Hierarchy. Say you have 1 site. That site has a group called Laptops. Laptops has 2 subgroups, Staff & Students.

In this case you need 1 GUP defined for the Laptops group. You can have "Policy Inheritance UN-Checked" for Laptops.

You can have "Policy Inheritance Checked" for the Staff and Students groups. The inheritance I was mentioning in my earlier post was referring to the fact that the GUP can update the subgroups as well.

Aniket

13 Oct 2009 | Votes: 0

Bishop,

I also want to find if you can store the GUP defs in D: rather than C:, but so far cannot find an answer.

Corporate build has a smallish C: drive and an empty D: drive.

19 Oct 2009 | Votes: 0

Anyway to prove that the update is actually being pushed

Is there any way to prove that the update is being pushed via the GUP?  What do I look for?  I have GUPs configured, they are on the correct subnet and I did a client search and can see my GUPs.  I know that they are there and working but I need a way to show upper management that they are being utilized.

Thanks!

DStapley
Accredited
08 Apr 2010 | Votes: 0

Is there a way of knowing a client is using a gup for updates via the SEP client or SEPM?

Kedar Mohile
Symantec Employee
03 Nov 2009 | Votes: 0

Nice article..

Ashish-Sharma
Accredited
19 Apr 2011 | Votes: 0

GUP Not working

Kindly Share Which Type we will telnet 2967 port

Thanks In Advance

Ashish Sharma

SEPM Knowledgebase Documents  

 

12 Nov 2009 | Votes: 0

good this tips

Mithun Sanghavi
Symantec Employee
Accredited
25 Mar 2011 | Votes: 0

To the Point and Covered all...

Hello,

YOU ARE A GUP MASTER... FROM VIDEO's TO ARTICLES ON GUP...

"CATCH THAT... YOU ARE TO THE POINT..."

Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | MCTS | STS | ITIL v3

Twitter: @mithun_sanghavi

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Ashish-Sharma
Accredited
19 Apr 2011 | Votes: 0

hi

I am not able to telnet 2967 port

Thanks In Advance

Ashish Sharma

SEPM Knowledgebase Documents  

 

19 Apr 2011 | Votes: 0

Do you require GUP on same site as SEPM?

The site where I have SEPM installed also contains clients.

I know I need to install GUP on all other sites where SEPM is not installed.

So I assume the clients on the site where SEPM is installed will just use SEPM to receive updates because none of the GUPs are local for the clients, or is it recommended to also install GUPs in the same site as SEPM?

 

Jason

Ashish-Sharma
Accredited
19 Apr 2011 | Votes: 0

GUP not Working

We have completed all of the settings but I am not able to telnet port 2967. Without telnet my GUP is not working.

 

Thanks In Advance

Ashish Sharma

SEPM Knowledgebase Documents  

 

20 Apr 2011 | Votes: 0

Hi Ashish,

Please confirm a few things:

1. Policy defines that client as a GUP

2. The client has received the latest policy.

3. Check the presence of the folder sharedupdates inside the SEP folder.

4. On the GUP machine, run the following command:

netstat -ano | findstr "2639"

5. Check the PID. Then in Task Manager, enable the column for PID and confirm that the SEP GUP machine is listening on that port.

6. If not, check sylinkmonitor logs.

 

Regards,

Aniket Amdekar

Ashish-Sharma
Accredited
21 Apr 2011 | Votes: 0

Hi Aniket

Thanks for your reply!

When I telnet port no 2967 on local host it is not a success, and the GUP machine share folder is not available. I have attached the Syslog file.

Attachment: gup.txt (201.67 KB)

Thanks In Advance

Ashish Sharma

SEPM Knowledgebase Documents  

 

21 Apr 2011 | Votes: 0

Hi Ashish,

This is an article. I would suggest you open a new Forum Thread and post the information there, so we can discuss this on the forums.

Also, let me know the result of

netstat -ano | findstr "2639"

on the GUP machine.

Regards,

Aniket Amdekar

Ashish-Sharma
Accredited
25 Apr 2011 | Votes: 0

Hi Aniket

It's working Now...

but I want to know: does GUP work only on the same network, or on another network?

Thanks In Advance

Ashish Sharma

SEPM Knowledgebase Documents  

 

28 Aug 2011 | Votes: 0

Symantec Group Policy update - Practice

SEP GUP Policy - Best practices

28 Oct 2011 | Votes: 0

Does this mean we will have a roaming GUP

Do we usually have a roaming GUP

"* Multiple rule sets are OR'ed. A client must match one rule set. This can be useful while roaming across multiple locations. Your client will pass 1 rule set in a location and 2'nd Rule set in a different one, so the IP addresses of GUP will change automatically.

* Multiple rules are AND'ed. A client must match all the rules that are specified in a rule set.

* Multiple values for a rule condition are OR'ed. A client must match one value. For example, you might create RuleSet 1 that includes an IP address rule with several IP addresses. You then create RuleSet2 that includes a host name rule and an operating system rule each with multiple values. A client computer must match either RuleSet1 or RuleSet2."

I hope the Whole rule set is to identify a machine as GUP and not for a client to contact a particular GUP

Will wait for a response :)

Thanks

11 Nov 2011 | Votes: 0

It's the latter - if a client fulfils those conditions it will advertise to SEPM that it can be used as a GUP - when other clients call updates the update file will download to this machine in a directory called central updates (or something similar), client on same subnet will then update from this GUP.

 

If all your computers are eligible to become GUP I believe they will download updates from SEPM being applying to themselves.

03 Oct 2012 | Votes: 0

Moved Post to Forums

24 Mar 2013 | Votes: 0

Hi,

I'm new to GUP's and am having a little trouble understanding if I should put the multiple IP addresses into one rule or create a rule for each IP address for machines that I want to be the GUP's.

I have nine machines I want to be GUP's and they are in 9 different geographic locations but all connected to the SEPM 12.1.2 via the WAN.

Can someone let me know if I just create one rule with all of the IP addresses or multiple rules with single IP addresses.

Many thanks in advance!

Rob

 

04 Jun 2013 | Votes: 0

Hi Rob,

If you want to create a single GUP, then all machines should be in a single group and the same network (I think). Otherwise you have to create multiple group provider list for all sites

--

madhu