SEP 12.1 RU2 And Explicit Group Update Providers
With the release of SEP 12.1 RU2, Symantec has introduced a new GUP feature, 'Explicit Group Update Provider'.
It is important to understand that this gives clients the ability to roam to a GUP outside of their own subnet, rather than the ability to find the nearest GUP. In previous SEP versions, clients would only connect to a GUP outside of their own subnet if such a GUP was configured as a "backup" GUP.
Explicit Group Update Provider:
It allows clients to use specific GUPs outside their subnet.
It is only configurable through SEPM.
It is not an auto-discovery feature.
Path: SEPM --> Policies --> Liveupdate Policy --> Edit liveupdate setting policy --> Server Settings --> Group Update Provider
It's important to know how a normal client becomes a GUP:
1) The client receives a profile with GUP enabled.
2) It checks whether its local environment (such as registry, OS type, IP, hostname, etc.) matches the policy.
3) If yes, it starts to listen on the GUP port on every local interface.
It's then important to know how a client decides whether or not to download content from a GUP:
1) SEPM periodically generates globalIndex.xml and globallist.xml from the information that clients have posted.
2) The client checks whether a GUP is configured by the LU policy.
3) The client downloads the globalIndex from SEPM. Based on the checksum of globallist.xml included in it, the client determines whether SEPM has updated globallist.xml.
4) If SEPM has published a new globallist file, the client downloads it and resets the active GUP list in local memory.
5) The client filters out the addresses in globallist.xml that are on a different subnet.
6) The client tries to connect to the remaining addresses one by one, in the order of the addresses in the globallist, until it finds an available GUP.
7) If none of the GUPs in the globallist can be used, the client tries the pre-defined GUP in the LU policy.
8) If the pre-defined GUP is also unavailable, the client determines whether to bypass to SEPM based on the "bypass" setting.
If all types of Group Update Providers are configured in the policies on a Symantec Endpoint Protection Manager, then clients try to connect to Group Update Providers in the global list in the following order:
Top down execution of GUP providers.
Providers on the Multiple Group Update Providers list, in order
Providers on the Explicit Group Update Providers list, in order
The Provider that is configured as a Single Group Update Provider
To accomplish the above steps, the GUP sequence order in the LiveUpdate policy has also changed; see the screenshot.
You can add Group Update Providers to a list that clients use to connect to Group Update Providers that are on subnets other than the client's own subnet. You map the subnet that the clients are located on to the subnets of the Group Update Providers that you want the client to use.
About the effects of configuring more than one type of Group Update Provider in your network
When you configure single or multiple Group Update Providers in policies, then Symantec Endpoint Protection Manager constructs a global list of all the providers that have checked in. By default, on 32-bit operating systems, this file is \Program Files\Symantec\Symantec Endpoint Protection Manager\data\outbox\agent\gup\globallist.xml. Symantec Endpoint Protection Manager provides this global list to any client that asks for it so that the client can determine which Group Update Provider it should use. Because of this process, clients that have policies with only multiple or explicit Group Update Providers configured can also use single Group Update Providers, if the single provider meets the explicit mapping criterion. This phenomenon can occur because single providers are a part of the global list of providers that the clients get from their Symantec Endpoint Protection Manager.
So, all of the Group Update Providers that are configured in any of the policies on a Symantec Endpoint Protection Manager are potentially available for clients' use. If you apply a policy that contains only an explicit Group Update Provider list to the clients in a group, all of the clients in the group attempt to use the Group Update Providers that are in the Symantec Endpoint Protection Manager global Group Update Provider list that meet the explicit mapping criteria.
Note: A Symantec Endpoint Protection client may have multiple IP addresses. Symantec Endpoint Protection considers all IP addresses when it matches to a Group Update Provider. So, the IP address that the policy matches is not always bound to the interface that the client uses to communicate with the Symantec Endpoint Protection Manager and the Group Update Provider.
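The client-side selection steps above (subnet filtering, explicit mapping, fallback, and the multiple-IP note), modelled as an added Python example; this is not Symantec's code and not part of the original article. The function and parameter names, the subnet-to-subnet form of the explicit mapping, and the sample addresses are assumptions for illustration, and the global list is taken as already ordered by SEPM.

```python
import ipaddress

def select_update_source(client_ifaces, global_list, explicit_map,
                         predefined_gup, bypass_to_sepm, is_reachable):
    """Model of the client's GUP choice; all names here are hypothetical.

    client_ifaces : 'ip/prefix' strings, one per local interface
    global_list   : GUP addresses in globallist.xml order (as published by SEPM)
    explicit_map  : {client_subnet: [gup_subnet, ...]} explicit GUP mapping
    is_reachable  : callable(address) -> bool, stands in for a connection attempt
    """
    ifaces = [ipaddress.ip_interface(i) for i in client_ifaces]
    # Every local interface counts, not only the one used to reach SEPM.
    allowed = [i.network for i in ifaces]
    for client_net, gup_nets in explicit_map.items():
        if any(i.ip in ipaddress.ip_network(client_net) for i in ifaces):
            allowed += [ipaddress.ip_network(n) for n in gup_nets]
    # Step 5: keep only global-list entries on a local or explicitly mapped subnet.
    candidates = [a for a in global_list
                  if any(ipaddress.ip_address(a) in n for n in allowed)]
    # Step 6: try the remaining addresses in global-list order.
    for addr in candidates:
        if is_reachable(addr):
            return ("gup", addr)
    # Step 7: fall back to the GUP pre-defined in the LU policy.
    if predefined_gup and is_reachable(predefined_gup):
        return ("predefined_gup", predefined_gup)
    # Step 8: the "bypass" setting decides whether SEPM is used directly.
    return ("sepm", None) if bypass_to_sepm else ("no_source", None)

# Constructed sample data (not from a real deployment).
GLOBAL_LIST = ["10.1.1.5", "10.2.0.10", "10.3.0.10", "192.168.50.7"]
CLIENT_IFACES = ["10.9.0.23/24", "192.168.50.40/24"]   # multi-homed client
EXPLICIT_MAP = {"10.9.0.0/24": ["10.2.0.0/24"]}
PREDEFINED = "10.9.0.2"

def demo(up_hosts, bypass=True):
    """Run the selection with only the hosts in up_hosts answering."""
    return select_update_source(CLIENT_IFACES, GLOBAL_LIST, EXPLICIT_MAP,
                                PREDEFINED, bypass, lambda a: a in up_hosts)

if __name__ == "__main__":
    print(demo({"10.2.0.10", "192.168.50.7"}))   # explicitly mapped GUP, first in list order
    print(demo({"192.168.50.7"}))                # matched through the second interface
    print(demo({"10.9.0.2"}))                    # pre-defined GUP
    print(demo(set(), bypass=False))             # nothing reachable, bypass off
```

Feeding it a group's real mapping and an inventory of client interfaces shows which GUPs a multi-homed client could end up using, including ones matched through an interface that is not used to reach SEPM.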
Helpful Public KB articles:
About the types of Group Update Providers
What is the processing order of an Explicit GUP list within version 12.1.2 of Symantec Endpoint Protection?
Understanding "Explicit Group Update Providers (GUPs) for Roaming Clients" in Symantec Endpoint Protection (SEP) 12.1.2