Endpoint Protection


LiveUpdate Multiple GUP question

Migration User, Nov 15, 2009 11:20 PM

  • 1.  LiveUpdate Multiple GUP question

    Posted Nov 13, 2009 10:53 PM
     Is it possible to have a single LU policy that uses multiple GUPs and can connect to liveupdate via the internet if the GUPs aren't available?

    I'd like to have just one LU policy that would try contacting the GUPs and SEPM server for updates first but will also try getting updates from the internet if the GUPs and SEPM can't be contacted, say the user is working at home but not connected to VPN.


  • 2.  RE: LiveUpdate Multiple GUP question

    Posted Nov 13, 2009 11:43 PM
    It is possible. While configuring the GUP you can specify that it has to bypass the GUP if it is not available for this much time (30 min etc.). In the same policy you have to configure the LiveUpdate server also.


  • 3.  RE: LiveUpdate Multiple GUP question
    Best Answer

    Posted Nov 14, 2009 01:08 AM
    It is possible to have that configuration.

    First you have to specify the GUP details.
    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/cb487ea7138bf8d24925763f00708be0?OpenDocument

    Then select "Use an alternate LiveUpdate server", then select the default Symantec LiveUpdate server.
    REF: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008032011064948

    If the client is in your corporate network then it takes updates from the GUP.
    When the client is not connected to the corporate network, it will take updates from the LiveUpdate server you have configured.


  • 4.  RE: LiveUpdate Multiple GUP question

    Posted Nov 15, 2009 11:20 PM

    GUP Settings for Liveupdate.JPG


  • 5.  RE: LiveUpdate Multiple GUP question

    Posted Nov 16, 2009 12:10 AM
    1. It is possible to have multiple GUPs. Any group may have multiple GUPs at a time.
    2. If you mark the option of "Get the updates from the default update server" which is below the "get the updates from the manage net server", then the clients will try the Internet connection if the server is unavailable.

    I advise this policy for the servers (not the clients), so that the servers will have a second choice if the management server is unavailable.


  • 6.  RE: LiveUpdate Multiple GUP question

    Posted Nov 16, 2009 10:57 AM
     Thank you shp! I just wanted to make sure that while the client is connected to our network that it gets updates from the GUP first and falls to the liveupdate server if it can't find the GUP.


  • 7.  RE: LiveUpdate Multiple GUP question

    Posted Nov 16, 2009 11:42 AM
    I have another question...

    Is there a log that shows where it's pulling the updates from (either a GUP or internet) and not just that it received the updates?


  • 8.  RE: LiveUpdate Multiple GUP question

    Posted Nov 17, 2009 09:14 AM
    I don't believe it's actually working the way shp said it should. 

    I have a test group set up with a LU policy that has "Use the default management server", "Use a LU server (the default Symantec LU server is checked)", and "Use a GUP" checked on the Server Settings tab. For the GUP option I have Multiple GUPs added to the list via Host Names.

    My own laptop and another laptop are in this test group. The GUP that is on my LAN is on subnet 192.168.150.x. My laptop is on 192.168.145.x and the other laptop is on 192.168.150.x and both laptops are pulling updates from the liveupdate server instead of the GUP that I have designated on this LAN. I know this from checking the log.liveupdate file @ C:\Users\All Users\Application Data\Symantec\LiveUpdate. Both laptops have a green dot and are connected to the SEPM server.

    What am I missing?




  • 9.  RE: LiveUpdate Multiple GUP question

    Posted Nov 17, 2009 09:20 AM
    Have you scheduled LiveUpdate?
    If yes, try removing it.


  • 10.  RE: LiveUpdate Multiple GUP question

    Posted Nov 17, 2009 11:30 AM
    AravindKM: No, I did not schedule it to run.

    I just got done working on another computer in our plant and decided to check the System Log on that one and it has me confused. It seems as though that desktop PC is set to be used as a GUP even though I didn't specify it to be one. Here's a small snippet from the system log of that machine.

    688 11/17/2009 8:22:08 AM Information 12070304 Disconnected from Symantec Endpoint Protection Manager (CAHQV302)
    689 11/17/2009 8:22:27 AM Information 12070900 Stop serving as the Group Update Provider (proxy server).
    690 11/17/2009 8:22:27 AM Information 1207020E Location has been changed to Non-Otis Connection.
    691 11/17/2009 8:35:27 AM Information 12070301 Connected to Symantec Endpoint Protection Manager (CAHQV302)
    692 11/17/2009 8:36:27 AM Information 12070900 Start using Group Update Provider (proxy server) @ :2967.
    693 11/17/2009 8:36:27 AM Information 12070900 Start serving as the Group Update Provider (proxy server).
    694 11/17/2009 8:36:33 AM Information 1207020E Location has been changed to Cayce Computers.


    After seeing that I searched for clients on the SEPM that are GUPs and it returned a big list of servers and desktop PCs that I have never specified to be GUPs. How could they become GUPs if they aren't set up in the LiveUpdate policy? Also, the server I specified on my LAN to be a GUP is not showing up in that list.
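
An added example, not part of any post in this thread: a short Python parser for client System Log lines in the layout quoted in post 10, reporting when the machine started or stopped serving as a Group Update Provider and which GUP address it was told to use. The function names are hypothetical and the line layout is assumed from that excerpt; the sample input is the excerpt itself.

```python
import re
from datetime import datetime

# The seven lines quoted in post 10, copied verbatim from the thread.
SAMPLE_LOG = """\
688 11/17/2009 8:22:08 AM Information 12070304 Disconnected from Symantec Endpoint Protection Manager (CAHQV302)
689 11/17/2009 8:22:27 AM Information 12070900 Stop serving as the Group Update Provider (proxy server).
690 11/17/2009 8:22:27 AM Information 1207020E Location has been changed to Non-Otis Connection.
691 11/17/2009 8:35:27 AM Information 12070301 Connected to Symantec Endpoint Protection Manager (CAHQV302)
692 11/17/2009 8:36:27 AM Information 12070900 Start using Group Update Provider (proxy server) @ :2967.
693 11/17/2009 8:36:27 AM Information 12070900 Start serving as the Group Update Provider (proxy server).
694 11/17/2009 8:36:33 AM Information 1207020E Location has been changed to Cayce Computers.
"""

# Assumed layout: sequence, date, time, AM/PM, severity, 8-hex-digit event id, message.
LINE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<sev>\w+)\s+(?P<event>[0-9A-Fa-f]{8})\s+(?P<msg>.*)$"
)

def parse_lines(text):
    """Yield (timestamp, event_id, message) for every line that matches the layout."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
            yield ts, m["event"].upper(), m["msg"].strip()

def gup_activity(text):
    """Summarise Group Update Provider role changes found in the log text."""
    serving_since, intervals, used = None, [], []
    for ts, _event, msg in parse_lines(text):
        if msg.startswith("Start serving as the Group Update Provider"):
            serving_since = ts
        elif msg.startswith("Stop serving as the Group Update Provider"):
            # The start is None when serving began before the excerpt starts.
            intervals.append((serving_since, ts))
            serving_since = None
        elif msg.startswith("Start using Group Update Provider"):
            # Text after '@' is host:port; the host part is empty in the quoted log.
            target = msg.partition("@")[2].strip().rstrip(".")
            host, _, port = target.rpartition(":")
            used.append((ts, host or None, port))
    return {"served": intervals, "serving_now": serving_since, "used": used}
```

On the quoted excerpt the result shows a stop at 8:22:27, serving resumed at 8:36:27, and a "Start using" event with an empty host before port 2967.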


  • 11.  RE: LiveUpdate Multiple GUP question

    Posted Nov 17, 2009 02:36 PM
     Anybody???

    I have only set up LU policies to use a handful of servers but when I search for GUPs, it's listing a lot of desktops and servers and when I've checked the system log on some of those machines, they show the same thing that I copied into my last post. This is getting to be very frustrating!!!


  • 12.  RE: LiveUpdate Multiple GUP question

    Posted Nov 18, 2009 12:47 AM
    Do you find any tick mark on Use a Group Update provider...

    The log says that it is configured to use a GUP on a certain factor other than IP address, so it is not showing the IP in the logs.

    So check the policy and find out which other factors you have specified for a GUP.


  • 13.  RE: LiveUpdate Multiple GUP question

    Posted Nov 18, 2009 12:34 PM
    The only factor specified is the host name of the machine I want to be a GUP.


  • 14.  RE: LiveUpdate Multiple GUP question

    Posted Nov 18, 2009 02:08 PM
     Is there a log or something on the machine being specified as a GUP that would definitively prove that it is a GUP?


  • 15.  RE: LiveUpdate Multiple GUP question

    Posted Nov 18, 2009 03:35 PM
     And another question...

    We have quite a few subnets in our network but only a handful of servers defined as GUPs. If computers aren't on the same subnet as the GUP, will they attach to the closest GUP on a different subnet or just revert to the SEPM for updates?


  • 16.  RE: LiveUpdate Multiple GUP question

    Posted Nov 19, 2009 03:14 AM
    HI....

    2. Roaming

    -The systems that become GUPs, send that data to the SEPM to let them know that they are now a GUP. The GUP then populates a single list of all known GUPs. This list is provided to all SEP clients that are configured to use the GUP. The way this will work is that when a client talks to SEPM, and realizes it is time to update content, the SEPM tells the client to speak to the GUP, and the client looks at the GUP list to find the GUP on the same subnet as the client. If there is no GUP on that subnet, the client (optionally) can speak directly to SEPM, or another GUP.

    REF: https://www-secure.symantec.com/connect/articles/types-group-update-providers-ru5-release-symantec-endpoint-protection-110


    There are two videos about GUP created by Aniket... Check these links... it's superb..
    https://www-secure.symantec.com/connect/videos/group-update-providers-part-1
    https://www-secure.symantec.com/connect/videos/group-update-providers-part-2