
Configuring GUP and remote locations with identical subnets

Created: 19 Mar 2013 • Updated: 20 Mar 2013 | 8 comments

I want to try using a GUP at a couple of locations, but I'm not sure it is possible (or efficient) for my situation, from how I understand how you configure GUPs and subnets. I haven't been able to come across anyone that has this situation. We are running SEP 12.1.2015.

I have about ten remote sites on slow connections that are basically behind routers of the home-grade variety, using its DHCP and subnets of the 192.168.x.x range (I did not set these up). They are not on a domain and usually don't connect back in to our main campus private network (10.24.x.x). Most of the remote sites have very few computers and thus don't have a bandwidth issue. About two or three locations have about a dozen computers, and I would like to utilize a GUP at each of those because it just makes sense for these spots.

But because each site basically uses the same subnet of 192.168.0.x or 192.168.1.x, computers at sites that aren't supposed to use a GUP will think they are a part of the same subnet for the GUP. Or even someone takes a laptop and connects it to their home network, which would probably have the same subnet.

In my example below, I made up something similar to what I have going on, on a smaller scale, with a proposed 'Make GUP' for a couple of sites.

Main Campus
    SEPM     10.20.20.x
    PC300    10.20.21.5
Centerville
    PC1      192.168.1.2    (Make GUP)
    PC2      192.168.1.3
    PC3      192.168.1.5
    PC4      192.168.1.6
Burtlington
    PC5      192.168.1.2    (Make GUP)
    PC6      192.168.1.3
    PC7      192.168.1.5
Greenville
    PC8      192.168.1.2
    PC9      192.168.1.3
At home
    PC10     192.168.1.2

I know you can set a time out if it can't get to a GUP and then it will fall back to SEPM or something like that. But I would think that would make unnecessary network traffic and take too long for a timeout. Is it possible to do this or a waste of time?


.Brian's picture

Have you looked at the new Explicit GUP feature in 12.1.2?

https://www-secure.symantec.com/connect/articles/s...


Rafeeq's picture

Check this document as well

What is the processing order of an Explicit GUP list within version 12.1.2 of Symantec Endpoint Protection?

http://www.symantec.com/business/support/index?page=content&id=TECH196741

SebastianZ's picture

"But because each site basically uses the same subnet of 192.168.0.x or 192.168.1.x, computers at sites that aren't supposed to use a GUP will think they are a part of the same subnet for the GUP. Or even someone takes a laptop and connects it to their home network, which would probably have the same subnet."

- For this to work, the GUP at each location needs to connect to your main site (SEPM). I suppose your network configuration at each remote site is NAT based? The GUP will then report to SEPM using some external IP address (from the router), not the internal one - setting the internal IPs on SEPM won't achieve anything.

If those remote locations are not very big and, as you mentioned, don't have a bandwidth issue - maybe setting them for updates directly from the Symantec LiveUpdate servers would make more sense and make the whole configuration easier?

"I know you can set a time out if it can't get to a GUP and then it will fall back to SEPM or something like that. But I would think that would make unnecessary network traffic and take too long for a timeout. Is it possible to do this or a waste of time?"

- This is a kind of failover configuration - if the SEP client cannot reach the GUP, it goes to SEPM for the update. You can disable this if your GUPs are available all the time and if direct traffic and bandwidth considerations from SEP clients to SEPM are of concern.

CALSjh's picture

SebastianZ,

You are correct that each remote site is behind a NAT, which is what makes this difficult. They can contact the SEPM just fine. The remote sites do have bandwidth issues. Where my SEPM is located there is plenty of bandwidth. When it comes to Monday and a dozen or more computers turn on, they tend to eat up some of the 1 Mb connection (more or less at some places).

I will not have a guarantee that a GUP will be on all the time, so I would have to implement the failover.

So in summary, it sounds like it is not doable with my current configuration, correct?

CALSjh's picture

I may have been ignorant on how some of the GUP settings work (even though I read and reread many times).

It looks as though I can do what I want by this method. I create a group for every place I want a GUP at. Then I create for each of those groups a different LiveUpdate policy that uses the Single GUP option for a specific computer in each group.

This will make the computers in each group use their respective LiveUpdate policy and get updates from the GUP in their group. And if the GUP is unavailable, it will fall back to SEPM (if I set a timeout).

Am I correct in this assumption, and have I been stupid all along?
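
The difference between the two approaches discussed so far, as an added Python illustration (not part of the thread and not Symantec code): it takes the made-up sites from the question, lists the clients that a subnet-keyed GUP rule cannot tell apart, and then assigns update sources per group with SEPM as fallback. The /24 prefix and both matching rules are simplifying assumptions, not SEP's actual selection logic.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory, copied from the made-up example in the question.
# Columns: group/site, host, internal IP, designated as GUP?
INVENTORY = [
    ("Centerville", "PC1", "192.168.1.2", True),
    ("Centerville", "PC2", "192.168.1.3", False),
    ("Centerville", "PC3", "192.168.1.5", False),
    ("Centerville", "PC4", "192.168.1.6", False),
    ("Burtlington", "PC5", "192.168.1.2", True),
    ("Burtlington", "PC6", "192.168.1.3", False),
    ("Burtlington", "PC7", "192.168.1.5", False),
    ("Greenville", "PC8", "192.168.1.2", False),
    ("Greenville", "PC9", "192.168.1.3", False),
    ("At home", "PC10", "192.168.1.2", False),
]
PREFIX = 24  # assumption: the home-grade routers hand out /24 networks

def subnet_of(ip):
    return ipaddress.ip_interface(f"{ip}/{PREFIX}").network

def gups_by_subnet(inv):
    """Subnet-keyed view: every GUP that sits in a given internal subnet."""
    out = defaultdict(list)
    for site, host, ip, is_gup in inv:
        if is_gup:
            out[subnet_of(ip)].append((site, host))
    return out

def ambiguous_clients(inv):
    """Clients whose subnet also matches a GUP located at a different site."""
    by_subnet = gups_by_subnet(inv)
    bad = []
    for site, host, ip, is_gup in inv:
        foreign = [g for g in by_subnet.get(subnet_of(ip), []) if g[0] != site]
        if not is_gup and foreign:
            bad.append(host)
    return bad

def source_by_group(inv, gup_up):
    """Group-keyed view: one GUP per group, SEPM when it is absent or down."""
    gup_of = {site: host for site, host, _, is_gup in inv if is_gup}
    result = {}
    for site, host, _, is_gup in inv:
        gup = gup_of.get(site)
        usable = gup is not None and not is_gup and gup_up.get(gup, False)
        result[host] = gup if usable else "SEPM"
    return result
```

With the subnet-keyed rule every non-GUP client in the inventory matches a GUP at some other site, while the group-keyed assignment only ever points a client at the GUP in its own group.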

dimago's picture

Very nice!!! In my environment I did it:

I have a group named Blocked with about 1000 clients in different subnets, ok.

So I created a Multiple GUP policy, using 2 clients as GUPs from each subnet. I have a big list of clients, because I have many subnets!!! If one GUP goes down, I have another; that is why there are 2 per subnet.

I understand that the SEP client searches for a GUP in its subnet and uses it. In the policy I configured that if the GUP does not work after 50 minutes, the client can use the Manager to download.

So, if the GUP is off, or I don't have a GUP for that subnet, the client can go to the Manager. It is working great for me. I have around 99.80% of online clients up to date. But I need to take care with the bandwidth, because all clients from a subnet without a GUP can go to the Manager and download big files :)

Please correct me if I'm wrong. In Explicit GUP, if that client does not have a GUP in its subnet, it searches for a GUP near it and downloads from it, right?

Thanks,

Diego