
Configuring Group Update Providers in Symantec Endpoint Protection 11.0 RU5

Created: 22 Sep 2009 • Updated: 22 Sep 2009 | 38 comments
Aniket Amdekar's picture
+19 19 Votes

Support for configuring multiple GUPs in the SEP 11.0 RU5 release has added a certain dynamic to the way virus definitions are provided to clients.

The figure below is a representation of various possibilities of configuring a Group Update Provider:

gup5.jpg
As shown above, you can either configure a Single GUP or Multiple GUPs in SEPM.

When to use multiple GUPs:

  • You run the latest client software on the computers in your network. Multiple Group Update Providers are supported on the computers that run the latest client software. Multiple Group Update Providers are not supported by legacy clients. Legacy clients cannot get content from multiple Group Update Providers. Legacy clients cannot be designated as a Group Update Provider even if they meet the criteria for multiple Group Update Providers. You can create a separate LiveUpdate Settings Policy and configure a single, static Group Update Provider for a group of legacy clients.
  • You have multiple groups and want to use different Group Update Providers for each group. You can use one policy that specifies rules for the election of multiple Group Update Providers. If clients change locations, you do not have to update the LiveUpdate Settings Policy. The Symantec Endpoint Protection Manager combines multiple Group Update Providers across sites and domains. It makes the list available to all clients in all groups in your network.
  • Multiple Group Update Providers can function as a failover mechanism. Multiple Group Update Providers ensure a higher probability that at least one Group Update Provider is available in each subnet.

The following screenshots give you a glimpse of how to configure GUPs in RU5:

Here is the screen you see when you go to SEPM Console -> Policies -> LiveUpdate Policy -> LiveUpdate Settings Policy -> Server Settings -> Group Update Provider:

screenshot1.JPG

  • As we have chosen multiple GUPs, we have to provide a GUP list:

gup list 1.JPG

  • When you click on Add, you have to specify Rule Criteria:

rule criteria.JPG

  • The first option is to specify a computer name or IP address:

add computer by ip or hostname.JPG

  • The second option is to specify the registry keys that will define a GUP:

registrey key as parent.JPG

  • Once you choose Registry key as the main type, you can further specify 3 attributes:

1. Registry Key : 

       registry key.JPG

2. Registry Value:

registry value.JPG

3. Registry key Name:

  registry key name.JPG

The third option is to choose from the operating systems supported for installing SEP 11 RU5.

supported os.JPG

  • All these rules can be in 1 Rule Set. You can have multiple Rule Sets in your GUP configuration.

multiple rule set.JPG

Here are some tips to know about the Rule Sets:

Rules are matched based on the logical OR and AND operators as follows:

* Multiple rule sets are OR'ed. A client must match one rule set. This can be useful while roaming across multiple locations. Your client will match the first rule set in one location and the second rule set in a different one, so the IP addresses of the GUP will change automatically.

* Multiple rules are AND'ed. A client must match all the rules that are specified in a rule set.

* Multiple values for a rule condition are OR'ed. A client must match one value. For example, you might create RuleSet1 that includes an IP address rule with several IP addresses. You then create RuleSet2 that includes a host name rule and an operating system rule, each with multiple values. A client computer must match either RuleSet1 or RuleSet2.
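The matching logic described above, as an added Python example (not Symantec's code and not part of the original article). The policy layout, the host names, addresses and operating system strings are constructed; host-name wildcards and exact-only IP addresses follow the author's answer in the comments.

```python
from fnmatch import fnmatchcase
from ipaddress import ip_address

def rule_matches(rule_type, values, client):
    """One rule: its values are OR'ed, so any single value may match."""
    if rule_type == "ip":
        # Exact addresses only. ip_address() raises ValueError on a pattern
        # such as "10.3.*.12", so a wildcard IP is rejected, not ignored.
        wanted = {ip_address(v) for v in values}
        return ip_address(client["ip"]) in wanted
    if rule_type == "hostname":
        # Host names may carry wildcards, e.g. "symantec*".
        name = client["hostname"].lower()
        return any(fnmatchcase(name, v.lower()) for v in values)
    if rule_type == "os":
        return client["os"] in values
    if rule_type == "registry":
        # Each value is (key, value name, expected data); layout is assumed.
        reg = client.get("registry", {})
        return any(reg.get((key, name)) == data for key, name, data in values)
    raise ValueError(f"unknown rule type: {rule_type}")

def is_gup(rule_sets, client):
    """Rule sets are OR'ed; the rules inside one rule set are AND'ed."""
    for rule_set in rule_sets:
        # An empty rule set must not match: all() over nothing is True.
        if rule_set and all(rule_matches(t, v, client) for t, v in rule_set.items()):
            return True
    return False

# Constructed policy following the article's RuleSet1 / RuleSet2 example.
RULE_SETS = [
    {"ip": ["10.3.1.12", "10.3.2.12"]},
    {"hostname": ["symantec*", "gup-*"],
     "os": ["Windows Server 2003", "Windows Server 2008"]},
]

# Constructed clients.
CLIENTS = [
    {"hostname": "ws-014", "ip": "10.3.2.12", "os": "Windows XP"},
    {"hostname": "Symantec-FS01", "ip": "10.9.0.5", "os": "Windows Server 2008"},
    {"hostname": "symantec-lab", "ip": "10.9.0.6", "os": "Windows Vista"},
]

def elected(rule_sets=RULE_SETS, clients=CLIENTS):
    """Host names of the clients that the rule sets would make a GUP."""
    return [c["hostname"] for c in clients if is_gup(rule_sets, c)]

if __name__ == "__main__":
    print(elected())
```

Running a draft rule set against an inventory export this way shows which machines it would elect before the policy is assigned; a broad host-name pattern with no second rule elects every machine that matches it.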

38 Comments

Vikram Kumar-SAV to SEP's picture

Nice article..one image is enough to say thousand words..

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

0
AravindKM's picture

 

Is it possible to use wild characters in rule set? For example can I set the rule as ip address of gup should be 10.3.*.12

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

+1
Aniket Amdekar's picture

Hi,

It is not possible to use wildcards for IP addresses. However, you can use wildcards for computer names. E.g. symantec* will show you computers that have symantec in their name.

Best,
Aniket

+1
AravindKM's picture

@Aniket Amdekar Thank you for the information.

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

0
Ryan Z's picture

Hello -

I have a package that was exported with only the Antivirus and Antispyware feature set. This has installed correctly on all machines, except on one I activated as a GUP. On this machine, the Network Threat Protection module was activated. Is this the correct behavior? Is NTP required when a client is a GUP?

0
Aniket Amdekar's picture

Hi,

GUP functionality is provided in every SEP client. It is not dependent on any component activation. When SEPM provides a policy that says "hey..you are a GUP", the client activates that functionality.

Best,
Aniket

0
shp's picture

Thanks Aniket... Article is good...

Regards,
Srinivas H.P.
HCL Infosystems Ltd

0
Bishop21's picture

This is awesome and very detailed, thank you. I have a question though: how does the client know which GUP to connect to, or to connect period? Does the SEPMC tell the client what GUP to use and if so what does it use to do this? If the client left one site and went to a new one how do they know to switch to the new GUP?

My thought was if there was a way to use a C-Name for the DFS and then the clients would be able to point directly to the right DFS no matter what location they went to as the C-Name would be constant across the network and automatically connect them.

So to clear this up:

1. How does the client know to connect to a GUP and not SEPMC?
2. When moving locations does the client first try and connect to its GUP or how does it know which GUP to connect to?
3. How is this client configured when a GUP is used?

0
Davinci_uk's picture

Am no expert, but this is what I have learned:

1. You either specify one by an IP address or one can get ELECTED based on rules you define. When a client requests an update it contacts SEPM, which then tells the client which GUP to use.
2. No, that's the beauty of it, the client always connects to SEPM first > look at it like a broker
3. Exactly the same as any other SEP client, i.e. no special software/config. When a client is a GUP it just has a different reg key in place - this enables SEPM to have it on its GUP list and thus knows client x is the GUP for site.

Hope it helps.

0
Aniket Amdekar's picture

Here are a few points that will help you understand GUP:
1. Every machine that satisfies all the conditions in a rule set will become a GUP.
2. GUP will download definitions from SEPM.
3. The point behind defining multiple GUPs is the load balancing. If you define that every GUP will only accept 50 concurrent connections, when the 51st machine contacts the GUP, the GUP will not accept the connection. So the client moves on to the next GUP in
4. Clients will receive a list of GUPs from the SEPM. They will apply a subnet filter to the list. After applying the filter, clients will have a list of GUPs on the local subnet. Clients will save this local GUP list locally. When they are looking for definitions, they will contact the first GUP in the list. If that GUP is unavailable/refuses connection, then they move on to the next GUP in the list.

Clients will keep checking for an updated list of GUPs at SEPM\data\outbox\agent\GUP folder.

Best,
Aniket

0
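The client-side selection described in the comment above (subnet filter, then ordered failover when a GUP refuses the connection), as an added Python sketch that is not Symantec's code and not written by the commenter. The addresses are constructed, the /24 prefix on the client interface is an assumption, and a plain TCP connect stands in for the real content request.

```python
import socket
from ipaddress import ip_address, ip_interface

GUP_PORT = 2967  # port shown in the client System Log line quoted in this thread

def local_gups(gup_list, client_iface):
    """Subnet filter: keep GUPs on the client's subnet, in SEPM's order."""
    net = ip_interface(client_iface).network
    return [g for g in gup_list if ip_address(g) in net]

def tcp_probe(host, port=GUP_PORT, timeout=3.0):
    """True if the host accepts a TCP connection; a GUP at its limit refuses."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def choose_gup(gup_list, client_iface, probe=tcp_probe):
    """Try local GUPs in list order; None means no local GUP answered."""
    for gup in local_gups(gup_list, client_iface):
        if probe(gup):
            return gup
    return None  # what the client falls back to is set by policy, not modelled

# Constructed data: the combined list SEPM hands out, spanning three subnets.
GUP_LIST = ["10.1.1.5", "10.2.1.5", "10.1.1.9", "10.3.1.5"]

def demo():
    busy = {"10.1.1.5"}  # pretend this GUP is at its connection limit
    fake_probe = lambda host: host not in busy
    return choose_gup(GUP_LIST, "10.1.1.40/24", probe=fake_probe)

if __name__ == "__main__":
    print(demo())
```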
Bishop21's picture

Under LiveUpdate Server Settings in order to use the GUP I have to have the default management server selected but also if I do not select use a LiveUpdate Server I will not be able to allow my users to manually run Live Update. 

The problem here is that it says the client computer will retrieve updates from both servers. I do not want to DOUBLE my push to clients; am I not understanding the syntax: "If both the default management server and a LiveUpdate server are selected, the client computer will retrieve updates from both servers."

Thanks in advance.

0
Aniket Amdekar's picture

Hi Bishop,

The reason for that sentence is to provide a priority for the definitions source. First choice will always be SEPM, or GUP if it's defined for that group. If the defined GUP is not accessible, or if no GUP is defined and SEPM is not accessible, only then clients will go to the internet to take definitions.

Best,
Aniket

+1
Bishop21's picture

Ahh, that makes sense. Is there a way to tell from the client if they are utilizing the GUP and exactly which GUP they are using? If not, is there a way to know from the server?

0
shp's picture

In client go to View logs-->Client management-->System Log You will find logs related to GUP...
It will be like this...

10/10/2009 9:48:47 AM          Information       Start using Group Update Provider (proxy server) @ 172.X.X.X:2967.

Regards,
Srinivas H.P.
HCL Infosystems Ltd

+1
kristopherjturner's picture

I was told today by a support rep that any GUP that I assign has to be with that group of clients????

So I have to configure like 100 GUP policies now???  That doesn't sound right.

For instance...

SITEA
---COMPUTERS
   ----DESKTOPS
          -----LABA
          -----LABB
    ----LAPTOPS
           ----STAFF
           -----STUDENTS

According to his advice I would have to go to each of those groups and setup a GUP???? I am running RU5 and supposedly can handle one policy with many GUPS???????

Also, I only have 1 server at most of my remote sites. This is the only box with a static IP and it is also a Domain Controller, so this machine for one is on a different VLAN and another it is in a different folder all together than SITEA, etc......

Is there any way around this?  I really really really really need to get the GUP's working.  Symantec is killing our bandwidth at about 3 sites.

Any ideas????????

0
Aniket Amdekar's picture

Hi,

GUP supports inheritance. So, a machine that is acting as a GUP for the group Laptops can also provide updates to the subgroups. However, if the subgroups represent different sites, it's always recommended to have a GUP at each site.

So, if you have 3 different sites in your network, make sure that you have at least 1 GUP per site.

Also, please make sure that you have configured Bandwidth Throttling for GUP.

Best,
Aniket

0
Bishop21's picture

So what you're saying is if I uncheck "inherit policies and settings from parent group" then each group will need its own GUP? I have Servers that I have set in different groups being that I have different scan times and a very different set of centralized exceptions for each group. 90% of these servers are all in the same colo but you are saying that I would have to have 1 GUP for each Group? This does not make sense.

I thought that the Client goes out and finds the GUP on their list that is closest to them i.e. their subnet and uses that GUP...if said GUP goes down they default to next nearest GUP or they go to SEP Management Console.  This is what I hope.

I plan on using a registry key as the way that GUPS get created please tell me I am not going to need a GUP per group can multiple groups use the same GUP?

Another question I have is what is the name of the folder that the SEP creates on the GUP to push data down to the clients and is this folder and its contents deleted after it finishes?  How much space does this need as we configure servers to have more data on D drive rather than C.

 

0
Aniket Amdekar's picture

Hi,

The main intention of having a GUP is that GUP will be local to the subnet. So it's important that you have 1 GUP per location.

The inheritance I am talking about is for the Group Hierarchy. If you have 1 Site. That site has a Group called Laptops. Laptops has 2 subgroups Staff & Students.

In this case you need 1 GUP defined for Laptops group. You can have "Policy Inheritance UN-Checked" for laptops.

You can have "Policy Inheritance Checked" for staff and students groups. The inheritance I was mentioning in my earlier post was referring to the fact that the GUP can update the subgroups as well.

Aniket

0
Davinci_uk's picture

Bishop,

I also want to find if you can store the GUP defs in D: rather than C:, but so far cannot find an answer.

Corporate build has a smallish C: drive and an empty D: drive.

0
Bishop21's picture

Is there any way to prove that the update is being pushed via the GUP? What do I look for? I have GUPs configured, they are on the correct subnet and I did a client search and can see my GUPs. I know that they are there and working but I need a way to show upper management that they are being utilized.

Thanks!

0
DStapley's picture

Is there a way of knowing a client is using a gup for updates via the SEP client or SEPM?

0
Ashish-Sharma's picture

Kindly Share Which Type we will telnet 2967 port

Thanks In Advance

Ashish Sharma

0
Mithun Sanghavi's picture

Hello,

YOU ARE A GUP MASTER... FROM VIDEO's TO ARTICLES ON GUP...

"CATCH THAT... YOU ARE TO THE POINT..."

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

0
Ashish-Sharma's picture

I am not able to telnet 2967 port

Thanks In Advance

Ashish Sharma

0
jasontalbot75's picture

The site where I have SEPM installed also contains clients.

I know I need to install GUP on all other sites where SEPM is not installed.

So I assume the clients on the site where SEPM is installed will just use SEPM to receive updates because none of the GUPs are local for the clients, or is it recommended to also install GUPs in the same site as SEPM

 

Jason

0
Ashish-Sharma's picture

We have completed all of the settings but I am not able to telnet port 2967. Without telnet my GUP is not working.

 

Thanks In Advance

Ashish Sharma

0
Aniket Amdekar's picture

Hi Ashish,

Please confirm a few things:

1. Policy defines that client as a GUP

2. The client has received the latest policy.

3. Check the presence of the folder sharedupdates inside the SEP folder.

4. On the GUP machine, run the following command:

netstat -ano | findstr "2639"

5. Check the PID. Then in task manager, enable the column for PID and confirm that SEP GUP machine is listening on that port.

6. If not, check sylinkmonitor logs.

 

Regards,

Aniket Amdekar

0
Ashish-Sharma's picture

Thanks for your reply!

When I telnet port no. 2967 on localhost it is not successful, and the GUP machine share folder is not available. I have attached the Syslog file.

Attachment: gup.txt (201.67 KB)

Thanks In Advance

Ashish Sharma

0
Aniket Amdekar's picture

Hi Ashish,

 

This is an article. I would suggest you open a new Forum Thread and post the information there, so we can discuss this on the forums.

Also, let me know the result of 

netstat -ano | findstr "2639"  on the GUP machine.

Regards,

Aniket Amdekar

0
Ashish-Sharma's picture

It's working Now...

but I want to know whether GUP works only on the same network or on another network.

Thanks In Advance

Ashish Sharma

0
Acretian's picture

Do we usually have a roaming GUP

"* Multiple rule sets are OR'ed. A client must match one rule set. This can be useful while roaming across multiple locations. Your client will pass 1 rule set in a location and 2'nd Rule set in a different one, so the IP addresses of GUP will change automatically.

* Multiple rules are AND'ed. A client must match all the rules that are specified in a rule set.

* Multiple values for a rule condition are OR'ed. A client must match one value. For example, you might create RuleSet 1 that includes an IP address rule with several IP addresses. You then create RuleSet2 that includes a host name rule and an operating system rule each with multiple values. A client computer must match either RuleSet1 or RuleSet2."

I hope the Whole rule set is to identify a machine as GUP and not for a client to contact a particular GUP

Will wait for a response :)

Thanks

0
Davinci_uk's picture

It's the latter - if a client fulfils those conditions it will advertise to SEPM that it can be used as a GUP - when other clients call updates the update file will download to this machine in a directory called central updates (or something similar), clients on the same subnet will then update from this GUP.

 

If all your computers are eligible to become GUP I believe they will download updates from SEPM being applying to themselves.

0
HotRob's picture

Hi,

I'm new to GUP's and am having a little trouble understanding if I should put the multiple IP addresses into one rule or create a rule for each IP address for machines that I want to be the GUP's.

I have nine machines I want to be GUP's and they are in 9 different geographic locations but all connected to the SEPM 12.1.2 via the WAN.

Can someone let me know if I just create one rule with all of the IP addresses or multiple rules with single IP addresses.

Many thanks in advance!

Rob

0
madhu8.in's picture

Hi Rob,

If you want to create a single GUP, then all machines should be in a single group and the same network (I think). Otherwise you have to create a multiple group provider list for all sites.

--

madhu

+1