Sure. Thanks for the help BTW.
Please excuse the probable misuse of terminology since some of this is out of my normal scope. ;-)
I created a SEP Group for the machines designated as GUPs and assigned that role to the group. The GUPs point at the SEPMGR and each other for updates.
A DNS alias was created for NetScaler (ex. sepupdate.domain.com)
The NetScaler was set to forward all traffic from sepupdate.domain.com to one of the machines assigned the GUP role based on whatever magic the NetScaler does.
NetScaler validates the GUPs are available by querying via HTTP GET request on "http://<Your GUP IP>:2967/content/ContentInfo.txt" for each GUP.
All the SEP clients point to Single GUP sepupdate.domain.com