Endpoint Protection

Hello to all of the Gurus of SEP :) . I have a requirement to comply and need your valuable feedback to accomplish it succuefully below is the scenerio. I need to configure GUP for one of the implementation of SEP I am doing. Below are the subnets that are being used in diffrent regions

REGION A :

• 172.17.31.0/25 (City 1)      172.25.100.0/23 (City 20)  
• 172.25.15.0/23  (City 2)     172.25.102.0/23 (City 19)  
• 172.25.15.0/24   (City 3)    172.25.188.0/23 (City 18)  
• 172.25.118.0/22   (City 4)     172.25.176.0/23 (City 17)  
• 172.25.152.0/22  (City 5)      172.25.158.0/22 (City 16)  
• 172.25.46.0/24  (City 6)      172.25.67.0/24  (City 15)  
• 172.25.38.0/23   (City 7)      172.25.87.0/24  (City 14)  
• 172.25.20.0/23    (City 8)     172.25.124.0/24  (City 13)  
• 172.25.174.0/23   (City 9)      172.25.3.0/24  (City 12)  
• 172.25.115.0/24   (City 10)     172.25.2.0/23  (City 11)  
• 172.25.97.0/24

REGION B :

• 172.20.40.0/23  (City 1)  
• 172.20.42.0/23   (City 2)  
• 172.20.44.0/23   (City 3)  
• 172.20.46.0/24  (City 4)  
• 172.20.47.0/24  (City 5)  
• 172.20.48.0/24  (City 6)  
• 172.20.49.0/24  (City 7)  
• 172.20.51.0/26  (City 8)  
• 172.20.3.64/26  (City 11)  
• 172.20.5.128/26  (City 12)  
• 172.20.7.192/26  (City 13)  
• 172.20.9.0/24  (City 14)  
• 172.20.15.0/24  (City 15)  
• 172.20.17.0/24  (City 16)  

REGION C :

• 172.20.20.0/24 (City 1)  
• 172.20.21.0/26  (City 2)  
• 172.20.22.0/24  (City 3)  
• 172.20.25.0/24  (City 4)  
• 172.20.23.32/27  (City 5)  
• 172.20.24.0/25  (City 6)  
• 172.20.30.0/24  (City 7)  

REGION D :

• 172.22.80.0/24  (City 1)  
• 172.22.11.0/24  (City 2)  
• 172.22.12.0/24  (City 3)  
• 172.22.33.0/24  (City 4)  
• 172.22.14.0/24  (City 5)  
• 172.22.15.0/24  (City 6)  
• 172.22.16.0/24  (City 7)  
• 172.22.17.0/23  (City 8)  
• 172.22.18.0/23  (City 9)  

Now for each region I can configure 2 GUPs so that all endpoints ( subnets) in each the regions i.e A,B,C,D can take updates from either one of these two GUPs configured in their respective regions.

so this is what I have in my mind to achieve this to use Multiple GUPs ( that tell which agent is the GUP ) in conjunction with explicit GUPs ( to map indivual city subnets to their corresponding GUPs in their region

1. Configure a single Live update policy. 
2. In multiple GUPs specify all the GUPs i.e for the corresponding regions
3. in Explicit GUP do the mapping of the city each individual city subnet to take updaes the region GUP 

• For example for REGION A I can specify the agents 172.25.15.1 and 172.25.115.1 as the GUP and do the expicit GUP mapping so that all the subnets in REGION A take updates from either one of these two GUPS
• For example for REGION B I can specify the agents 172.20.46.5 and 172.20.49.4 as the GUP and do the expicit GUP mapping so that all the subnets in REGION B take updates from either one of these two GUPS
• For example for REGION C I can specify the agents 172.20.22.10 and 172.20.30.30 as the GUP and do the expicit GUP mapping so that all the subnets in REGION C take updates from either one of these two GUPS
• For example for REGION D I can specify the agents 172.22.15.67 and 172.22.12.2 as the GUP and do the expicit GUP mapping so that all the subnets in REGION D take updates from either one of these two GUPS

Am I right in this regard . Please do share your valuable suggestions and inputs so that I can complete the requirement in desired manner

Regards

This looks correct. I assume you've went thru all of the documentation on it? Seems you did your homework...

Yup that looks fine to me.  Don't forget, it's possible to introduce GUP failover as well by adding two entries for each client subnet as described in the below article:

http://www.symantec.com/docs/TECH196741

Therefore for Region A, you may consider the below entries (note how the GUPs are reversed in order on the second subnet in order to provide a manual form of load-balancing):

172.17.31.0 goes to 172.25.15.1 and
172.17.31.0 goes to 172.25.115.1

Then have:

172.25.15.0 goes to 172.25.115.1 and 
172.25.15.0 goes to 172.25.15.1

This is obviously a bucket load more entries, so you may want to take a look at the below threads too:

https://www-secure.symantec.com/connect/downloads/generate-liveupdate-policies-have-many-gup-subnets

https://www-secure.symantec.com/connect/articles/how-save-time-entering-multiple-explicit-group-update-providers-gups

Hello Brian , thanks for your reply. Yes I have gone through the documentation and have given it quite a thought and this is what I have come up with. If you have any better suggestions or input to cater and achieve this requirement then please do share with me.

Regards

Looks solid IMO. SMLatCST also had some good advice above :)

Hello SMLacst thanks for your kind reply. I have gone though the aricles shared by you. Yup I can do the GUP failover that way as well but the purpose I have designated two GUPs for each region is so that all the subnets for that particular regions take updates via either one of these GUPs if one ore the other is not available and yes the failover  subnet mapping you have shared above is nice as well that will aid in that way as well.

The plan which I have shared above in the post for acheiving this requirement is logical and makes sense but I dont know whether it will work in the same way as I am expecting it to work

Apart from this there any other suggestion that you would like to give to make it work as we are expecting it work ?

Regards

Brian and SMLacst your kind suggestions on my above post would be highly appreciated :)

The config you've proposed looks like it should work the way you want it to :)

I hope they do SMLacst couse I am going to implement them in a day or two

the purpose of sharing it here was to get the valuable suggestions and the inputs from the expert that are around :)

Regards