Endpoint Protection

Hello All,

Here is the design we will be running in a new SEP infrastructure:

- 2 sites with a SEPM at each site. SEPM will use database replication to keep both servers in sync.

- 20 GUPs at branch offices which will get updates from the SEPM server.

What I need to know and understand is how the GUPs determine what SEPM to download from. Can this be configured? If not, how does it decide?

Some GUPs are closer to one SEPM than they are the other so we want half of the GUPS to only download from 1 SEPM server and the other half, the other SEPM

Can this be acheived?

Hello,

Check this Article:

How to confirm if SEP Clients are receiving LiveUpdate content from Group Update Providers (GUPs)

http://www.symantec.com/docs/TECH97190

I would also suggest you to check the Articles below which may interest you:

Troubleshooting the Group Update Provider (GUP) in Symantec Endpoint Protection (SEP)

http://www.symantec.com/docs/TECH104539

Group Update Provider(GUP): Sizing and Scaling Guidelines

http://www.symantec.com/business/support/index?page=content&id=TECH95353&locale=en_US

SEP Content Distribution Monitor / GUP monitoring tool

http://www.symantec.com/business/support/index?page=content&id=TECH156558

Thanks for the reply however I don't see any answers to my question in any of those articles.

I need to know specifically how a GUP decides which SEPM to connect to for updates when there are multiple SEPM servers. I also need to know if this can be configured.

Hi,

Suppose you have installed sep on a system and after that you require a GUP server in you organization,

then you will make a normal system GUP from SEPM console.

When you will configure a system as a GUP from SEPM then sepm that system will get update from that SEPM only. Not only definition even all required policy SEPM will send to that system. 

Please check below article.I hope you will get your all answer.

https://www-secure.symantec.com/connect/articles/configuring-group-update-providers-symantec-endpoint-protection-110-ru5

GUP will get the updates from the SEPM it is reporting to.

GUP is also a client. GUP needs to talk to SEPM to get updates.

If you have multiple SEPM in an hierarchy then you will have the Management server list set. for ex. priority 1 and prioriy 2.

if 1 is not available the clients will failover to server 2. So will the GUP and will get updates from that sepm.

http://www.symantec.com/business/support/index?page=content&id=HOWTO81154

Thanks for the replies. So am I right in thinking that there is NOT a way to get certain GUPs to report to a specified SEPM? The only option is that I have a load ballanced SEPM configuration (where both have a priority of 1) and the GUPs randomly pick between them?

How do i know which server it is reporting to? Is it configurable?

Yes you are right... it will select any one which ever is available.

Not necessarily - you can use the management server list to configure the GUP communication only for one specific SEPM:

http://www.symantec.com/docs/TECH103175

- you simply put the GUP in a one group

- assign the new management server list to this group -> this list should specify only one SEPM as priority 1

- the GUP (and the SEP client on this GUP) will only report to this SEPM

- GUP will get the updates only from this SEPM

Hi,

Thanks for the replies. So am I right in thinking that there is NOT a way to get certain GUPs to report to a specified SEPM?

--> It's not correct.

The only option is that I have a load ballanced SEPM configuration (where both have a priority of 1) and the GUPs randomly pick between them?

--->  You can install two or more management servers that communicate with one Microsoft SQL Server and configure them for failover or load balancing. Failover configuration causes one server to pick up the client communications load if another server becomes unavailable. Load balancing configuration causes servers to share the client communications load and automatically implements failover if one of the servers goes offline.

Manually point the GUP machine to specific SEPM if required.

Well this should have been part of Initia design but here is what I can suggest..

Create 2 separate group for GUPs.say GUPA and GUPB

Create a management Server list for GUPA and MSL should say Priority1 LocationA and Priority2 LocationB

Vice-versa for GUPB group.

Now with above setting what you acheive is GUPA gups will reports to LocationA SEPM and if LocationA sepm fails then only it will go to LocationB SEPM and same with GUPB gups.

Now while the GUPs are pointing to their respective SEPMs we also have to make sure that GUPs are doing what they should be doing.

Create Either 1 Liveupdate policy with all the GUPs in it or create 2 liveupdate policy for each SEPM either one is fine.

Then Assign this policy on the group with contains the GUP and the Group of clients for which they will act as a GUP.

Ideally, my recommendation would be to use the default MSLs for each site so that the clients and the GUPs use their local SEPM as priority one, and the other only if the local SEPM falls over.

The GUPs work in the same way as clients when determining which SEPM to use, and that is by following the priority order set out in the MSL.

From what I recall, ensuring the GUPs and the clients they support are talking to the same server is especially important when different SEP sites are involved.  This is due to the creation of delta files on the SEPM managing the client, not necessarily being present on the SEPM managing the GUP.  If this happens, the GUP will log errors stating the requested file was not found, and subsequently fail to update the client.

HI,

As your query 1) a.  GUP will receive update from only designated SEPM on which it configured as GUP and reporting to that SEPM. b. Which system will act as GUP, this decides from SEPM on which GUP IP configured to receive updates and distribute to local subnet. c. It decides from reporting SEPM on which GUP IP configured.

Query 2) As you mentioned some GUP closer to SEPM and you want some GUP's report to that SEPM and rest GUP to other SEPM's. Here if you have WAN connectivity, through MPLS or Leased line , geographical distance does not matter whether its near of far ur nearest SEPM, its depend on the bandwidth between ur branch office GUP and ur SEPM site, So you can point ur half GUP to any SEPM which bandwidth is appropriate,

As you mentioned you have 20 GUP's at ur branch offices reporting to 2 Site's SEPM and all connected to each other through WAN.  As designed architecture of SEPM for infrastructure you can connect all GUP systems with single SEPM at any one site for better managing and administering your all branch offices systems, if you have total number of systems less than 50000 for 11.0 version SEPM and up to 80,000 if you have 12.0 Version SEPM, No need to deploy separate SEPM at your other site if total number of systems not more than as mentioned above for better manage centrally.

I will appreciate and welcome for  any comment or changes on my post here  by other SEPM Admins and forum experts for their valuable feedback.