
Dynamic GUP based on location

Created: 18 Sep 2013 • Updated: 20 Sep 2013 | 9 comments
This issue has been solved. See solution.

We currently have branch offices that connect to a central site containing SEPM. We have created client groupings for each office, and each group has a policy that specifies a local GUP. We have mobile users that travel between locations, and we have had to force them to download from our central SEPM server. What I would like to do is have all clients in the mobile group choose a GUP from their local subnet. I tried using a policy that specifies multiple GUP providers in the following format: Rule>IP Address/Hostname>DNS names of all GUPs. When I apply the policy and move a test laptop into that group, the client just downloads straight from the SEPM server. Am I missing a step, or am I going about the problem incorrectly? Any input is appreciated!


.Brian's picture

Are you on SEP 12.1 RU2 or higher? If so, the explicit GUP should solve your issue. See here:

Understanding "Explicit Group Update Providers (GUPs) for Roaming Clients" in Symantec Endpoint Protection (SEP) 12.1.2

http://www.symantec.com/docs/TECH198640

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

.Brian's picture

So it sounds like you're using the multiple GUP option?

Do you have multiple locations set up under the mobile group? Are they showing up in the correct location?


Beppe's picture

Hello,

The approach is correct; it is the default behaviour to have clients pick the GUP in the same subnet from a list of GUPs. You just need to list them by IP address so that the clients will be able to check which GUP is in the same subnet by using their subnet mask.

Regards,

Giuseppe

SOLUTION
SMLatCST's picture

The steps you've followed sound fine to me.  Did you allow enough time for the client to pick up the policy changes?  Can you confirm the GUPs know they are GUPs and have enabled the GUP functionality?

I think the below troubleshooting article might help:

http://www.symantec.com/docs/TECH104539

james.devan's picture

@SMLatCST All of the GUPs defined in the Multiple GUP rule are currently acting as GUPs in their own group policy. So the Branch A group has a GUP defined in that group's policy, and I also have it specified in the Mobile Devices group policy. They all serve updates properly to other members of their same group.

I did specify the IP address instead of hostname as Beppe suggested, and so far I have not seen the test device update from our central office. I will add hosts from each branch and see if they all work as intended.

SMLatCST's picture

Yeah, AFAIK defining GUPs by IP address doesn't make any difference to the Multiple/Single GUP operation, only to Explicit GUPs.

Have you enabled logging to see what the client is doing (as per the article I linked earlier)? Feel free to post the log if you wish, just make sure you scrub it for any private data.

james.devan's picture

After defining the GUPs by IP instead of hostname things are working properly. This is not a huge deal for us since we have static IP servers at each branch office. Down the road I will test using hostname, but I am glad to have things working. Thank you all for the input.

james.devan's picture

Further Update:

I found a solution that I found easier should anyone else be interested. I created locations for each branch based on the client default gateway, and used the single GUP policy we had used for desktop clients. As long as the client gets a local default gateway, it will download from the local GUP.
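An added example, not part of the thread and not Symantec's code: a small Python audit of the subnet comparison described in Beppe's reply, reporting which entries of a multiple-GUP list fall inside a given client's subnet and which entries (DNS names) cannot be compared by address at all. All addresses, host names and function names are constructed for illustration; how the SEP client actually selects a GUP is assumed only as far as the thread describes it.

```python
import ipaddress

def local_gups(client_ip, client_mask, gup_entries):
    """Split a GUP list into entries inside the client's subnet and
    entries that are not IP literals (so no subnet comparison is possible)."""
    subnet = ipaddress.ip_network(f"{client_ip}/{client_mask}", strict=False)
    local, unchecked = [], []
    for entry in gup_entries:
        try:
            addr = ipaddress.ip_address(entry.strip())
        except ValueError:
            unchecked.append(entry)      # DNS name or typo: cannot be matched by mask
            continue
        if addr in subnet:
            local.append(str(addr))
    return subnet, local, unchecked

def audit(gup_entries, branch_clients):
    """For each branch, list the GUPs a roaming client there would see as local.
    An empty 'local_gups' list means no entry matched that branch's subnet."""
    report = {}
    for branch, (ip, mask) in branch_clients.items():
        subnet, local, unchecked = local_gups(ip, mask, gup_entries)
        report[branch] = {
            "subnet": str(subnet),
            "local_gups": local,
            "unchecked": unchecked,
        }
    return report

# Constructed sample data: a mixed GUP list and one test laptop per branch.
GUP_LIST = ["10.20.1.10", "10.20.2.10", "gup-branchc.example.internal"]
BRANCH_CLIENTS = {
    "Branch A": ("10.20.1.57", "255.255.255.0"),
    "Branch B": ("10.20.2.130", "255.255.255.0"),
    "Branch C": ("10.20.3.44", "255.255.255.0"),
}

if __name__ == "__main__":
    for branch, row in audit(GUP_LIST, BRANCH_CLIENTS).items():
        status = ", ".join(row["local_gups"]) or "NO LOCAL GUP MATCHED"
        print(f"{branch} ({row['subnet']}): {status}; unchecked={row['unchecked']}")
```

In this constructed data Branch C has no matching entry because its GUP is listed only by name, which is the situation the original post describes before the switch to IP addresses.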