Endpoint Protection

  • 1.  Configuring GUP and remote locations with identical subnets

    Posted Mar 19, 2013 06:50 PM

    I want to try using a GUP at a couple of locations but I'm not sure it is possible (or efficient) for my situation from how I understand how you configure GUPs and subnets. I haven't been able to come across anyone that has this situation. We are running SEP 12.1.2015

     

    I have about ten remote sites on slow connections that are basically behind routers of the home grade variety using its DHCP and subnets of 192.168.x.x (I did not set these up). They are not on a domain and usually don't connect back in to our main campus private network (10.24.x.x). Most of the remote sites have very few computers and thus don't have a bandwidth issue. About two or three locations have about a dozen computers, and I would like to utilize a GUP at each one because it just makes sense for these spots.

    But because each site basically uses the same subnet of 192.168.0.x or 192.168.1.x, computers at sites that aren't supposed to use a GUP will think they are a part of the same subnet for the GUP. Or even someone takes a laptop and connects it to their home network, which would probably have the same subnet.

     

    In my example below, I made up something similar to what I have going on, on a smaller scale, with a proposed 'Make GUP' for a couple of sites.

     

    Main Campus  
    SEPM 10.20.20.x
    PC300 10.20.21.5

     

    Centerville  
    PC1 Make GUP 192.168.1.2
    PC2 192.168.1.3
    PC3 192.168.1.5
    PC4 192.168.1.6

     

    Burtlington  
    PC5 Make GUP 192.168.1.2
    PC6 192.168.1.3
    PC7 192.168.1.5

     

    Greenville  
    PC8 192.168.1.2
    PC9 192.168.1.3

     

    At home  
    PC10 192.168.1.2
       

     

    I know you can set a time out if it can't get to a GUP and then it will fall back to SEPM or something like that. But I would think that would make unnecessary network traffic and take too long for a timeout. Is it possible to do this or a waste of time?



  • 2.  RE: Configuring GUP and remote locations with identical subnets

    Posted Mar 20, 2013 01:21 PM


  • 3.  RE: Configuring GUP and remote locations with identical subnets

    Posted Mar 20, 2013 01:35 PM

    Check this document as well

     

    What is the processing order of an Explicit GUP list within version 12.1.2 of Symantec Endpoint Protection?

    http://www.symantec.com/business/support/index?page=content&id=TECH196741


  • 4.  RE: Configuring GUP and remote locations with identical subnets

    Posted Mar 20, 2013 01:55 PM

    But because each site basically uses the same subnet of 192.168.0.x or 192.168.1.x, computers at sites that aren't supposed to use a GUP will think they are a part of the same subnet for the GUP. Or even someone takes a laptop and connects it to their home network, which would probably have the same subnet.

    - For this to work the GUP at each location needs to connect to your main site (SEPM). I suppose your network configuration at each remote site is NAT based? GUP will report to SEPM using some external IP address (from the router) then not the internal one - setting the internal IPs on SEPM won't bring anything.

    If those remote locations are not very big and, as you mentioned, don't have a bandwidth issue - maybe setting them for updates directly from the Symantec LiveUpdate servers would make more sense and make the whole configuration easier?

     

    I know you can set a time out if it can't get to a GUP and then it will fall back to SEPM or something like that. But I would think that would make unnecessary network traffic and take too long for a timeout. Is it possible to do this or a waste of time?

    - This is a kind of failover configuration - if the SEP client cannot reach the GUP it goes to SEPM for the update. You can disable this if your GUPs are available all the time and if direct traffic and bandwidth considerations from SEP clients to SEPM are of concern.



  • 5.  RE: Configuring GUP and remote locations with identical subnets

    Posted Mar 21, 2013 01:24 PM


  • 6.  RE: Configuring GUP and remote locations with identical subnets

    Posted Mar 26, 2013 06:52 PM

    SebastianZ,

    You are correct that each remote site is behind a NAT, which is what makes this difficult. They can contact the SEPM just fine. The remote sites do have bandwidth issues. Where my SEPM is located there is plenty of bandwidth. When it comes Monday and a dozen or more computers turn on, they tend to eat up some of the 1 Mb connection (more or less at some places).

    I will not have a guarantee that a GUP will be on all the time, so I would have to implement the failover.

    So in summary it sounds like it is not doable with my current configuration, correct?



  • 7.  RE: Configuring GUP and remote locations with identical subnets

    Posted Apr 01, 2013 10:33 AM

    I may have been ignorant of how some of the GUP settings work (even though I read and reread many times).

    It looks as though I can do what I want by this method. I create a group for every place I want a GUP at. Create for each of those groups a different LiveUpdate policy to use the Single GUP option for a specific computer in each group.

    This will make the computers in each group use their respective LiveUpdate policy and get updates from the GUP in their group. And if the GUP is unavailable, it will fall back to SEPM (if I set a timeout).

    Am I correct on this assumption and been stupid all along?



  • 8.  RE: Configuring GUP and remote locations with identical subnets

    Posted Jun 16, 2013 07:53 AM

    You are correct. That is the way to do it.
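
    An added illustration, not part of any post in this thread: a short Python check over the sample layout from post 1 that shows why the subnet cannot identify the site here, and what the per-group assignment from post 7 yields instead. The /24 prefix, the function names and the treatment of hosts at sites without a GUP as updating from SEPM are assumptions of this example.

```python
import ipaddress
from collections import defaultdict

# Sample layout from post 1: (site, host, ip, is_gup).
# Assumption: /24 networks; the thread only gives 192.168.1.x.
INVENTORY = [
    ("Centerville", "PC1", "192.168.1.2", True),
    ("Centerville", "PC2", "192.168.1.3", False),
    ("Centerville", "PC3", "192.168.1.5", False),
    ("Centerville", "PC4", "192.168.1.6", False),
    ("Burtlington", "PC5", "192.168.1.2", True),
    ("Burtlington", "PC6", "192.168.1.3", False),
    ("Burtlington", "PC7", "192.168.1.5", False),
    ("Greenville", "PC8", "192.168.1.2", False),
    ("Greenville", "PC9", "192.168.1.3", False),
    ("At home", "PC10", "192.168.1.2", False),
    ("Main Campus", "PC300", "10.20.21.5", False),
]

def subnet_of(ip, prefix=24):
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def ambiguous_subnets(inventory, prefix=24):
    """Subnets seen at more than one site: the subnet alone cannot name the site."""
    sites = defaultdict(set)
    for site, _host, ip, _gup in inventory:
        sites[subnet_of(ip, prefix)].add(site)
    return {str(net): sorted(s) for net, s in sites.items() if len(s) > 1}

def captured_by_subnet(inventory, prefix=24):
    """Hosts a subnet-keyed GUP entry would match although their site has no GUP."""
    gup_nets = {subnet_of(ip, prefix) for _s, _h, ip, gup in inventory if gup}
    gup_sites = {site for site, _h, _ip, gup in inventory if gup}
    return sorted(host for site, host, ip, _g in inventory
                  if subnet_of(ip, prefix) in gup_nets and site not in gup_sites)

def assign_by_group(inventory):
    """One group per site, one named GUP per group; no GUP in the group means SEPM."""
    gup_for = {site: host for site, host, _ip, gup in inventory if gup}
    return {host: gup_for.get(site, "SEPM")
            for site, host, _ip, gup in inventory if not gup}

if __name__ == "__main__":
    print(ambiguous_subnets(INVENTORY))
    print(captured_by_subnet(INVENTORY))
    print(assign_by_group(INVENTORY))
```

    Run against a real client export, the first two functions flag the sites where subnet-based GUP matching would be ambiguous before any policy is changed.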



  • 9.  RE: Configuring GUP and remote locations with identical subnets

    Posted Jun 16, 2013 10:58 AM

    Very nice!!! In my environment I did it:

    I have a group, named Blocked, with about 1000 clients in different subnets, ok.

    So, I created a Multiple GUP policy, using 2 clients as GUP from each subnet. I have a big list of clients, because I have many subnets!!! If one GUP goes down, I have another; because of it, 2 per subnet.

    I understand that the SEP client searches for a GUP in your subnet and uses it. In the policy I configured, if the GUP does not work after 50 minutes, the client can use the Manager to download.

    So, if the GUP is off, or I don't have a GUP for that subnet, the client can go to the Manager. It is working great for me. I have around 99.80% of online clients up to date. But I need to take care with the bandwidth, because all clients from a subnet without a GUP can go to the Manager and download big files :)

    Please, correct me if I'm wrong. In Explicit GUP, if that client does not have a GUP in its subnet, it searches for a GUP near it, and downloads it, right?

    Thanks,

    Diego