Endpoint Protection

Hi everyone - 

environment is operating at SEP 12 RU6 MP2 . We have several site offices having 500 to 600 workstations over  20 subnets in each branch office. We are planning to have a GUP at the branch office to reduce the load on the WAN which connects our head office with the branch office. Due to infrastructure limitations, we will be able to use only one server as a GUP at each branch office. 

My idea is to create  a LiveUpdate Policy for all groups. The Policy will have Multiple GUP and Explicit GUP option enabled. Multiple GUP option will have rule sets that will define the IPs of all the GUPs at the branch offices. 

The Explicit GUP list will map all  subnets in each branch office with the GUP available in that location. This way , my guess is the clients at the branch office will be able to communicate across subnet  in the same branch office and still conserve the bandwidth over WAN. Now at the same time I also want to have a failover GUP for the sites for i.e if the GUP assigned for one site goes down the clients in that site will take the defs from the GUP configured for another group and vice versa . So in explicit GUP mapping when I am mapping client subnet to a GUP can I specfiy two GUPs one Priamary and one secondary to be used when the Primary GUP is un-availble ?

Kindly help me my letting me know if this idea would work and suggest any alternatives if this wouldn't work or if there is any better way of achieving this. Thanks 

There is no ability to setup primary/secondary. You would setup your explicit GUPs, if any become unavailable then clients would go to your fall back (SEPM or Symantec LU)

Thanks Brian for your reply . Yes I am aware of the fact that I can use Symantec LU or SEPM as a failover mechanism . But I was wonderig that if I can acheive it via a GUP which is a more controlled way of doing this. Regards 

There is no option in the GUP policy for a secondary or fallback GUP. Each GUP would tried before using another method.

If more than one type of GUP is used, then the order in the client will look for the GUP is as follows.

1) Multiple
2) Explicit
3) Single

Reference: http://www.symantec.com/docs/HOWTO81148

Hence you can make use of this order to configure a failover-like setup. But you will need to have separate liveupdate policy for each group and will be using all types of GUP configuration in every group.

For every group, the order of GUP will have to be defined as follows:

Multiple GUP: The Primary GUP of that site should be defined in the multiple GUP. This will make the client with same subnet as the GUP to fetch the updates from primary GUP.

Explicit GUP: The Primary GUP has to be mapped to every other subnet (of the clients that are in the group) that is not same as the GUP subnet. This will force the rest of the client to fetch updates from the primary GUP.

(Note: At this point all the client in the group will be fetching updated only from primary GUP as long as it is online)

Single GUP: The Secondary (failover) GUP must be defined as single GUP. This will server as GUP to all clients in the group without any subnet limitations. However, the clients will not contact this GUP as long as the primary is available. In case, if the primary GUP is offline, then all the client in the group will contact this backup GUP and will fetch the updates.

Thanks Syed for your reply much appreciated . Just to confirm one last thing if a single GUP is configured for a Group clients in the same group will always grab the defs from the single GUP regardless what subnet they are on whether the same as GUP or not it will always be the GUP for all the clients ( diffrent subnets ) for the same group . 

In case of the un-availability of single GUP they will switchover either to SEPM or Symantec LiveUpdate if they are checked and enabled in the LU Policy 

Correct. A single GUP will server all client in the assigned group  irrespective of the clients's subnet.

About the SEPM and LU-Server, YES, if you have enabled the option to contact SEPM/LU and if the GUPs are unreachable then the client will conact SEPM/LU for updates.