Thanks for you help,
The clients in network (level =3) can access only on the GUP in the same LAN. The GUP can get update only from network with level n-1 (one interface on the LAN and one other in the network level -1). So, client in level 2 or 3 can not access directly to SEP manager.
Edit post:
The article "How To Optimize Endpoint Protection for Branch Offices using GUPs, Load Balancing, and Location Awareness, Article: TECH94122", describe than "GUPs cannot be used to update policies or manage clients. This means that clients will still need network connectivity to a SEPM in order to perform the heartbeat process, which updates their policies, and informs them when new content is available to download from the GUP."
Please confirm than client without direct SEP manager communication, can not use GUP, update policy or update program?