One of the most effective ways to determine if a client is taking definitions from the GUP is to analyze the debug logs taken from the GUP. When you enable debug logging on a client, debug.log is created in the SEP installation folder.
The plugin that takes care of GUP is called GUProxy. When you open the debug.log, you can look for GUProxy in the log.
You can locate the event sequence for clients requesting definitions from the GUP. You will also notice that clients send a separate request for every URL they need to download, which lets you determine which clients are taking definitions from the GUP. If you have a lot of clients taking definitions from a GUP, you can increase the size of the log file to accommodate the increased amount of information.
The following events happen at the client:
1. The client contacts SEPM to get the latest content and receives the latest index file.
2. From the index file, the client learns that its definitions differ from those on the manager, so it sends a request to create delta definitions.
3. After receiving this request, SEPM starts preparing the delta definitions.
4. When SEPM completes the delta creation, it makes those deltas available in the IIS folder [ SEPM\Inetpub\content\ ].
5. SEPM sends the download URL for this delta to the client.
6. The client now contacts the GUP configured to provide that delta and sends it the URL for the delta definition.
GUProxy: accepted socket 1820 for 10.26.16.74 port 3157
GUPROXY - GUProxy HTTP in - GET /content/{C60DC234-65F9-4674-94AE-2158EFCA433}/91206022/xdelta912
GUPROXY - GUProxy File - /content/{C60DC234-65F9-4674-94AE-62158EFCA433}/91206022/xdelta91205021.dax
GUPROXY - GUProxy mangled file - #content#{C60DC234-65F9-4674-94AE-62158EFCA433}#91206022#xdelta91205021!dax
GUProxy - Add request into download queue.
7. The GUP determines that it does not have that delta, so it uses the same URL to download the delta into its own cache.
- #content#{C60DC234-65F9-4674-94AE-62158EFCA433}#91206022#xdelta91205021!dax
GUPROXY - GUProxy - Contacting the SEPM server at - cwndcw01.reynoldspkg.rpg.local
GUProxy - SO_RCVBUF is [8192]
GUPROXY - GUProxy Response - HTTP/1.1 200 OKContent-Length: 142197Content-Type: application/x-S
GUProxy - Recving content of [0X00022893] Bytes
GUProxy recved content of [0X00022893] Bytes in [2] seconds, speed is about [0X00011449] BPS or [0X00000235] kbps
8. When the GUP finishes downloading the definitions from SEPM, it saves them in the cache and sends them to the client.
GUProxy content cached - sending to client
GUProxy send content to the client all right
In this snippet, the request was sent for [C60DC234-65F9-4674-94AE-62158EFCA433], which is the moniker for 32 Bit Antivirus Definitions.
The following log snippet shows the GUP determining that the requested content is already present in its cache and using the cached copy to serve the client's request:
12/07 19:13:03 [1804:2992] GUProxy: accepted socket 1756 for 10.26.16.48 port 3026
12/07 19:13:03 [1804:2144] GUProxy: Begin to handle accepted socket 1756
12/07 19:13:03 [1804:2144] GUPROXY - GUProxy HTTP in - GET /content/{812CD25E-1049-4086-9DDD-A4FAE649FBDF}/91204018/Full.zip
12/07 19:13:03 [1804:2144] GUPROXY - GUProxy File - /content/{812CD25E-1049-4086-9DDD-A4FAE649FBDF}/91204018/Full.zip
12/07 19:13:03 [1804:2144] GUProxy content cached - sending to client
12/07 19:13:03 [1804:2144] GUProxy send content to the client all right.
In this snippet, the request was sent for [812CD25E-1049-4086-9DDD-A4FAE649FBDF], which is the moniker for Symantec Security Content A1 - MicroDefsB.CurDefs.
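To pull the same information out of a large debug.log, the sketch below (an added example, not Symantec tooling or code from the original article) walks the GUProxy lines and reports, per completed request, the client IP, the content moniker, and whether the GUP served it from cache or had to fetch it from SEPM. It assumes that all lines of one request carry the same thread id in the `[pid:tid]` prefix, as in the cached snippet above; the sample lines, IP addresses and SEPM host name are constructed.

```python
import re

# Constructed sample in the debug.log format shown above (IPs and host name are made up).
SAMPLE = """\
12/07 19:13:03 [1804:2992] GUProxy: accepted socket 1756 for 192.0.2.48 port 3026
12/07 19:13:03 [1804:2144] GUProxy: Begin to handle accepted socket 1756
12/07 19:13:03 [1804:2144] GUPROXY - GUProxy HTTP in - GET /content/{812CD25E-1049-4086-9DDD-A4FAE649FBDF}/91204018/Full.zip
12/07 19:13:03 [1804:2992] GUProxy: accepted socket 1820 for 192.0.2.74 port 3157
12/07 19:13:03 [1804:2200] GUProxy: Begin to handle accepted socket 1820
12/07 19:13:03 [1804:2200] GUPROXY - GUProxy HTTP in - GET /content/{C60DC234-65F9-4674-94AE-62158EFCA433}/91206022/xdelta91205021.dax
12/07 19:13:03 [1804:2200] GUProxy - Add request into download queue.
12/07 19:13:03 [1804:2144] GUProxy content cached - sending to client
12/07 19:13:03 [1804:2144] GUProxy send content to the client all right.
12/07 19:13:04 [1804:2200] GUPROXY - GUProxy - Contacting the SEPM server at - sepm.example.test
12/07 19:13:06 [1804:2200] GUProxy content cached - sending to client
12/07 19:13:06 [1804:2200] GUProxy send content to the client all right
""".splitlines()

PREFIX = re.compile(r"^\d\d/\d\d \d\d:\d\d:\d\d \[\d+:(\d+)\] ")
ACCEPT = re.compile(r"accepted socket (\d+) for (\S+) port \d+")
BEGIN = re.compile(r"Begin to handle accepted socket (\d+)")
GET = re.compile(r"HTTP in - GET /content/\{([0-9A-Fa-f-]+)\}/(\d+)/(\S+)")

def parse_guproxy(lines):
    """Return one dict per completed GUP request: client, moniker, file, source."""
    sockets, reqs, done, last_ip = {}, {}, [], None
    for raw in lines:
        if "guprox" not in raw.lower():
            continue  # only GUProxy plugin lines matter
        m = PREFIX.match(raw)
        tid = m.group(1) if m else None  # None: prefix stripped, as in the first snippet
        if a := ACCEPT.search(raw):
            sockets[a.group(1)] = last_ip = a.group(2)
        elif b := BEGIN.search(raw):
            reqs[tid] = {"client": sockets.pop(b.group(1), None), "source": "cache"}
        elif g := GET.search(raw):
            req = reqs.setdefault(tid, {"client": last_ip, "source": "cache"})
            req.update(moniker=g.group(1).upper(), sequence=g.group(2), file=g.group(3))
        elif tid in reqs and ("download queue" in raw or "Contacting the SEPM" in raw):
            reqs[tid]["source"] = "sepm"  # GUP had to fetch the content: cache miss
        elif tid in reqs and "send content to the client all right" in raw:
            done.append(reqs.pop(tid))
    return done

if __name__ == "__main__":
    for r in parse_guproxy(SAMPLE):
        print(r["client"], r["source"], r["moniker"], r.get("file"))
```

Requests that never reach the "send content to the client all right" line are not reported, so a client that appears in accept lines but not in the output is worth a closer look in the raw log.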