GUP HELP
I read through a few articles and blogs about setting up a remote site with a GUP. Our bandwithd outbound to most of our remotes sites has increased a lot since deploying SEP11. The inbound isn't that bad but the outbound at times can peak some of our slower sites.
Here is an example of how I have a remote site setup.
Currently only 2 policies are assigned. 1. Antivirus and Antispywere and 2. LiveUpdate Policy (Not Shared)
Under Live Update Policy I have the following selected only....
Use the default management server (recommended)
Use the Group Update Provider as the default LiveUpdate server
Group Update Provider: 10.x.x.x:2967 (The x's have the real IP's.)
Under the Group Update Provider Settings I have the following set:
Host: 10.x.x.x
Port: 2967
Bypass Group Update Provider: NEVER
Max Dis Cache Size: 500
Delete content updates if unused (days): 5
Maximum number of simultaneous downloads: 40
Since I don't allow them to control Live Update all other settings are greyed out and unavailable.
In an article I had read there was a section that said on the GUP you have picked in the policy, that machine will then have a new directory within the Endpoint program folder. None of my GUP's have this folder and all of my clients I still think are reporting to the SEPM for updates.
What else can I check?
The machine that is
The machine that is designated as the GUP will create a directory if it doesn’t already exists at the following location:
C:\Program Files\Symantec\Symantec Endpoint Protection\SharedUpdates
Below is an example of a system registry after the GUP is activated:
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate]
"Description"="Created automatically during product installation."
"Enabled3rdPartyManagement"=dword:00000000
"MasterClientHost"="192.168.2.4"
"MasterClientPort"="2967"
"UseLiveUpdateServer"=dword:00000000
"UseManagementServer"=dword:00000001
"UseMasterClient"=dword:00000001
"HttpEncrypt"=dword:00000001
"HttpProxyMode"=dword:00000000
"HttpProxyRequireAuthentication"=dword:00000000
"FtpEncrypt"=dword:00000001
"FtpProxyMode"=dword:00000000
"FtpProxyRequireAuthentication"=dword:00000000
"AllowLocalScheduleChange"=dword:00000000
"AllowManualLiveUpdate"=dword:00000000
"EnableProductUpdates"=dword:00000000
"LastLuProductInventoryHash"=hex:72,59,31,36,a8,3f,47,02,70,5f,bd,52,29,d0,25,\49
"LastGoodSession"=hex:68,13,c8,94,d1,8b,c8,01
Ref : http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008040113243148
However since in your case the client is not showing any signs of GUP 1. Make GUP is communicating with SEPM properly.
Then make sure port 2967 is open in the local LAN so that other clients can connect to GUP
Try telnet on port 2967 from any client in the GUP lan to GUP PC.
Celebrating 2 years as a community member....
I have to have something
I have to have something setup wrong. I tried to telnet and here is my error:
H:\>telnet 10.x.x.x:2967
Connecting To 10.x.x.x:2967...Could not open connection to the host, on port
23: Connect failed
I don't have windows firewall on my server and we don't have the firewall policy enabled or assigned to servers so not sure what would block this?
Oh yea, this directory
Oh yea, this directory doesn't show up on any of my GUP's.
C:\Program Files\Symantec\Symantec Endpoint Protection\SharedUpdates
Thanks,
Kris
is the telnet service
is the telnet service started on both the computers ?
Celebrating 2 years as a community member....
On the server it was
On the server it was disabled. I enabled the service. The client I am testing it was also disabled. I enabled and started it. Can't connect still.
Thanks,
Kris
ohhh....that means the port
ohhh....that means the port is actually blocked...
Do you have NTP installed on the client with some strict Firewall rules..try turning off the NTP and then try telnet ( if NTP is installed )
Are the clients on same VLAN..
Celebrating 2 years as a community member....
The server that is designated
The server that is designated to the GUP server itself needs to have a liveupdate policy that tells it to be the GUP.
See if this posts helps
https://www-secure.symantec.com/connect/forums/gup...
Vikram, Right now on all our
Vikram, Right now on all our clients the only thing we have enabled is Proactive Threat and AntiVirus. On the server we only enable AntiVirus Protection. The clients are not on the same VLAN. Will this be a problem?
Bjohn, our policies toward our servers are all the same. They are in the same OU so they get the same policy even if they are at a remote site. So the server polices will always be different from our desktops/laptop policies.
In your setup it does look
In your setup it does look like a prob..
So all the Client and GUP are not on same VLAN...so there might be some VLAN Security in place..can you just consult with you network team once to make sure port 2967 is open for the clients to connect to the GUP.
Celebrating 2 years as a community member....
Whatever device you are using
Whatever device you are using for the GUP will still need to fall into a LiveUpdate Policy with itself assigned as a GUP. That is how the registry keys are made on the GUP. We also use different policies for Workstations and servers. Any Servers acting as GUPS each have thier own location with individual GUP server policy(Liveupdate policy).
I just read in another forum
I just read in another forum that MR5 will bring some big changes to GUP and Location Policies. Is there any posted info on what changes?
Would you like to reply?
Login or Register to post your comment.