Endpoint Protection


NetScaler and Multiple GUPs

  • 1.  NetScaler and Multiple GUPs

    Posted Jan 30, 2015 08:00 AM

    We want to configure 4 GUPs for the internal network and one GUP for Internet connected clients. Our intention is to let the NetScaler handle load balancing and routing. We have been told that this can be done. Unfortunately I cannot find documentation on how to accomplish it. Can anyone point me to useful documentation?

    Thanks!



  • 2.  RE: NetScaler and Multiple GUPs

    Posted Jan 30, 2015 08:02 AM


  • 3.  RE: NetScaler and Multiple GUPs

    Posted Jan 30, 2015 10:54 AM

    A SEPM consultant did (not employed by Symantec).



  • 4.  RE: NetScaler and Multiple GUPs

    Posted Jan 30, 2015 10:59 AM

    This does bring up a pretty important question. If I do set up the NetScaler to forward the traffic to the GUPs then I would configure a single GUP in SEPM. Will those GUPs respond as GUPs to the forwarded traffic? Is there something I need to do on those client machines to tell them they are GUPs?



  • 5.  RE: NetScaler and Multiple GUPs

    Trusted Advisor
    Posted Jan 30, 2015 03:03 PM

    Why bother using a GUP for Internet-connected clients at all?  I have three location policies... one for on-network, one for on-VPN, and one for "disconnected".  Only my on-network clients use our GUPs and I have the other two to use the Internet directly to update the definitions.

    This is less fiddly and it takes pressure off of our own network and systems.



  • 6.  RE: NetScaler and Multiple GUPs

    Trusted Advisor
    Posted Jan 30, 2015 03:06 PM

    And check out this thread:

    https://www-secure.symantec.com/connect/forums/gups-roaming-workstations

    My environment is different than yours, of course, but you can configure a single GUP policy that covers your entire org that's smart enough to let the clients decide what's best.  No need to involve the load balancers.



  • 7.  RE: NetScaler and Multiple GUPs

    Posted Feb 02, 2015 07:38 AM

    InfoSec does not allow us to update from Symantec directly.



  • 8.  RE: NetScaler and Multiple GUPs

    Posted Feb 02, 2015 07:54 AM

    We have no slow links involved here. All the GUPs will reside in the datacenters.

    Under Multiple Group Update Providers I have added the machines in the DC since it states "Defines criteria to turn clients into Group Update Providers". From that I assume that is what tells the clients to act as GUPs.

    I then enabled Single Group Update Provider and pointed it to the DNS alias for the NetScaler.

    Does that sound correct?



  • 9.  RE: NetScaler and Multiple GUPs

    Posted Feb 02, 2015 08:11 AM

    Yes, that should work; your NetScaler will handle the routing job.



  • 10.  RE: NetScaler and Multiple GUPs

    Trusted Advisor
    Posted Feb 02, 2015 08:54 AM

    Multiple Group Update Providers will tell the clients to act as GUPs.  But it will also publish the list of the GUP IP addresses to the clients so the clients know where to pull their definitions from.

    Single Group Update Provider does not override anything.  It's the same as above but for just that... defining one GUP.

    Clients pull from the GUP that is in their subnet, if one is present.   If no GUP then they phone home to the SEPM.  You can override this behavior by using the Explicit Group Update Provider list to inform clients of GUPs outside of their own subnet.

    I suspect that you might have to define your VIP as a GUP in your Multiple GUP list and not configure Explicit GUP list or Single GUP.



  • 11.  RE: NetScaler and Multiple GUPs

    Posted Feb 02, 2015 09:05 AM

    OK. How about this...

    I create two LiveUpdate policies. One has the Multiple GUP definition and it is assigned to the GUPs ONLY. The other policy for all other clients defines the single GUP pointing to the NetScaler alias.

     



  • 12.  RE: NetScaler and Multiple GUPs

    Trusted Advisor
    Posted Feb 02, 2015 09:31 AM

    I think you're charting new territory with this.  Give it a try as I doubt that it would harm anything.  Worst case is that your clients don't update but you should be able to figure that out pretty quickly.



  • 13.  RE: NetScaler and Multiple GUPs

    Posted Feb 02, 2015 09:48 AM

    Thanks for the feedback. Now I need to figure out how to determine where the clients are actually getting their updates.

    I hope this works. :-)

     



  • 14.  RE: NetScaler and Multiple GUPs

    Trusted Advisor
    Posted Feb 02, 2015 10:30 AM

    You'll be able to tell in the client logs.

    Good luck.  I'm still not convinced that the load balancer approach is necessary but hey there's many ways to make something work ;)



  • 15.  RE: NetScaler and Multiple GUPs

    Posted Feb 24, 2015 02:12 PM

    It is working. :-)



  • 16.  RE: NetScaler and Multiple GUPs

    Trusted Advisor
    Posted Mar 23, 2015 12:33 PM

    Care to share what you did to get this working? And then mark one of your posts (or someone else's) as a solution?


  • 17.  RE: NetScaler and Multiple GUPs
    Best Answer

    Posted Mar 24, 2015 11:20 AM

    Sure. Thanks for the help BTW.

    Please excuse the probable misuse of terminology since some of this is out of my normal scope. ;-)

    I created a SEP Group for the machines designated as GUPs and assigned that role to the group. The GUPs point at the SEPMGR and each other for updates.

    A DNS alias was created for NetScaler (ex. sepupdate.domain.com).

    The NetScaler was set to forward all traffic from sepupdate.domain.com to one of the machines assigned the GUP role based on whatever magic the NetScaler does.

    NetScaler validates the GUPs are available by querying via HTTP GET request on "http://<Your GUP IP>:2967/content/ContentInfo.txt" for each GUP.

    All the SEP clients point to Single GUP sepupdate.domain.com
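
The availability check described in the last post can be reproduced from any admin workstation to see which GUPs a load balancer using that check would keep in rotation. This is an added example, not part of the original thread and not NetScaler or Symantec code; the host names are constructed placeholders, and treating only an HTTP 200 with a non-empty body as healthy is an assumption about how the monitor was configured.

```python
import http.client
import urllib.error
import urllib.request
from concurrent.futures import ThreadPoolExecutor

GUP_PORT = 2967                            # port quoted in the thread
MONITOR_PATH = "/content/ContentInfo.txt"  # path quoted in the thread

# Ignore any http_proxy setting so the probe reaches the GUP itself.
DIRECT = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def probe_gup(host, port=GUP_PORT, path=MONITOR_PATH, timeout=3.0):
    """GET the monitor path; return (target, state, detail). UP = HTTP 200 with a body."""
    target = f"{host}:{port}"
    try:
        with DIRECT.open(f"http://{target}{path}", timeout=timeout) as resp:
            size = len(resp.read(65536))
            if resp.status == 200 and size:
                return target, "UP", f"200, {size} bytes"
            return target, "DOWN", f"status {resp.status}, {size} bytes"
    except urllib.error.HTTPError as exc:   # listener answers but content is missing
        return target, "DOWN", f"HTTP {exc.code}"
    except (urllib.error.URLError, http.client.HTTPException, OSError) as exc:
        return target, "DOWN", f"unreachable: {exc}"   # refused, timeout, DNS failure


def check_pool(targets, timeout=3.0):
    """Probe (host, port) pairs in parallel; return {target: (state, detail)}."""
    with ThreadPoolExecutor(max_workers=8) as pool:
        probes = pool.map(lambda t: probe_gup(t[0], t[1], timeout=timeout), targets)
        return {target: (state, detail) for target, state, detail in probes}


def in_rotation(results):
    """Targets a load balancer using this check would keep sending clients to."""
    return sorted(t for t, (state, _) in results.items() if state == "UP")


if __name__ == "__main__":
    # Constructed host names; replace with the machines in your GUP group.
    pool = [("gup1.domain.com", GUP_PORT), ("gup2.domain.com", GUP_PORT)]
    for target, (state, detail) in check_pool(pool).items():
        print(f"{target:28} {state:5} {detail}")
```

A GUP that shows DOWN here while the SEP service is running usually points at a host firewall or a machine that never received the GUP role, which is the case post 4 asks about.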