Video Screencast Help

Multiple GUPs for all the network

Created: 18 Feb 2013 | 5 comments
diabolicus23's picture

12.1 RU2

I have some GUPs and I want to use them for all the network. I don't want to list all the subnets in explicit gups section (let me say, such 500 subnet), ALL the network,

I want to assign all the GUPs to the entire network and I want every clients to choose the "fastest" GUPs (as reply time).

Is it possible?


Comments 5 CommentsJump to latest comment

SebastianZ's picture

Best Practices with Symantec Endpoint Protection (SEP) Group Update Providers (GUP)

You should be able the mutilple gup configuration:

About configuring rules for multiple Group Update Providers

There is currently no option for the clients to get the fastest GUP - by default the SEP clients will go always for the GUP available in the same subnet.

diabolicus23's picture

But if I use Multiple GUPs I can provide GUP service only to clients in the same network of the GUPs themselves.
And with Explicit GUP I have to list all the networks...

Mithun Sanghavi's picture


Explicit Group Update Providers

You can configure an explicit list of Group Update Providers that clients can use to connect to Group Update Providers that are on subnets other than the client's subnet. Clients that change location frequently can then roam to the closest Group Update Provider on the list.

An explicit Group Update Providers list does not turn clients into Group Update Providers. You use an explicit Group Update Provider list to map the client subnet network addresses to the Group Update Providers. You identify the Group Update Providers by any of following means:

  • IP address

  • Host name

  • Subnet

Explicit Group Update Providers can be static or dynamic, depending on how you configure them. If you use an IP address or a host name to configure an explicit Group Update Provider, then it is a static Group Update Provider. This difference affects how Group Update Providers act in networks that mix legacy version clients and managers with clients and managers from the current release.

If you use a subnet to designate a Group Update Provider, it is dynamic, as clients search for a Group Update Provider on that subnet.

Multiple Group Update Providers

Multiple Group Update Providers use a set of rules, or criteria, to elect themselves to serve groups of clients in their own subnets. To configure multiple Group Update Providers, you specify the criteria that client computers must meet to qualify as a Group Update Provider. You can use a host name or IP address, registry keys, or operating system as criteria. If a client computer meets the criteria, the Symantec Endpoint Protection Manager adds the client to a global list of Group Update Providers. Symantec Endpoint Protection Manager then makes the global list available to all the clients in the network. Clients check the list and choose the Group Update Providers that are located in their own subnet. Multiple Group Update Providers are dynamic Group Update Providers.

Use multiple Group Update Providers when your network includes any of the following scenarios:

  • The client computers on your network are not legacy clients.

    Multiple Group Update Providers are supported on the computers that run Symantec Endpoint Protection 11.0.5 (RU5) software or a later version. You cannot use multiple Group Update Providers with the legacy clients that run versions of Symantec Endpoint Protection earlier than 11.0.5 (RU5). Legacy clients cannot get content from multiple Group Update Providers. A legacy client cannot be designated as a Group Update Provider even if it meets the criteria for multiple Group Update Providers.

    You can create a separate LiveUpdate Settings policy and configure a single, static Group Update Provider for a group of legacy clients.

  • You have multiple groups and want to use different Group Update Providers for each group

You can use one policy that specifies rules for the election of multiple Group Update Providers. If clients change locations, you do not have to update the LiveUpdate Settings policy. The Symantec Endpoint Protection Manager combines multiple Group Update Providers across sites and domains. It makes the list available to all clients in all groups in your network.

  • Multiple Group Update Providers can function as a failover mechanism. The use of Multiple Group Update Providers ensures a higher probability that at least one Group Update Provider is available in each subnet.


About the types of Group Update Providers

Symantec Endpoint Protection (SEP) Group Update Providers (GUPs) Selection Examples

Understanding "Explicit Group Update Providers (GUPs) for Roaming Clients" in Symantec Endpoint Protection (SEP) 12.1.2

There is a tool I created to help you build a LiveUpdate policy with multiple explicit GUPS.  Check out this page for details on the tool:

Generate LiveUpdate Policies that have many GUP Subnets

Hope that helps!!

Mithun Sanghavi
Associate Security Architect


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Brɨan's picture

As a side note, check out this tool which was recently created

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Chetan Savade's picture


I want to assign all the GUPs to the entire network and I want every clients to choose the "fastest" GUPs (as reply time).

--> I don't think it's possible.

It's not auto discovery process. Manual work is required to design the GUP architecture.

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<