Endpoint Protection

We are planning on using Windows XP SP3 clients as GUP (Dell 755, with 2GB ram).

Looking at the document, http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008081810593048, it says For a high number of Symantec Endpoint Protection clients, it is recommended to run the GUP on a Windows Server due to the limits of concurrent TCP connections in Windows XP and Vista.

How many clients are considered "high number of clients" by Symantec?
We would have roughly 200-250 clients that would be serviced by a GUP.

Thanks

XP has a 10 concurrent connection limit.  It would take a lot of time to update all 200-250 clients based on that.

Yes 200-250 would probably be too many. The TCP connection limit in Windows XP (SP2 and higher) and Vista limits TCP connection attempts to 10 per second. This helps to protect against worms spreading too quickly. Sorry you are right that "For a high numbe rof Symantec Endpoint Protection Clients" is a little vague. If someone has ran on GUP on Windows XP or Vista with this manies clients please post.

Thanks guys.

If anyone is using Windows XP machines as a GUP for rought about 200-250 clients, please chime in.
Thank You

I have a server acting as a GUP  and handling about 350-400 users.  Depending on how fast you want to get your def updates out and you configure your GUP as in fail over it may work.   Also consider the load on the xp box for dishing out the defs.  I am using my SMS site servers in field offices as my GUP's.

Is there any issue if I run GUP from my protection manager server ??

If you really have to use the XP box as GUP, Then it would be recommended to configure the autodisconnect time which is pretty simple.
http://support.microsoft.com/kb/314882

Assuming you mean the server running SEPM that already provides the functions of the GUP out of the box.  The main purpose of a GUP is to either A: relieve some of the load of updating viruse definitions from the SEPM or B: Prevent update traffic from spanning a WAN link.   I use the GUPs to keep the update traffic from going across my WAN links. 

Hi All,

I have used GUP in XP and distibuting the defs over 600 clients.

Its work very well but you have to configure it properly.

1 GUP for 600 clients using XP?
And what exactly do you mean by configuring it properly?
How long do these machines take to get their definition updates?

Yes john one GUP can handle 600 clients.

I have configure as per the document : -  http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/184f7ebb04cd173480257363006d2beb?OpenDocument

We set a 15 MIn heart beat.

Can anyone clarify the GUP functionality?

Mansoor,

I just want to confirm that you are using Windows XP as the GUP for 600 clients.
That sounds almost unrealistic. The clients that are serviced by this GUP have no issues getting their definition updates?

is a Group Update Provider. Every client installation of SEP 11 can act as a GUP without installing anything special.

In the Location policy you can specify an IP address for a GUP. When a SEP 11 client receives the policy and notices its own IP address is supposed to be a GUP, a mini HTTP server fires up. This mini HTTP server is completely independent of SEP itself.

The mini HTTP server will contact the SEPM server and download definitions. These downloaded definitions are 100% independent from the ones used by SEPM itself. Again, the GUP functionality is completely separate from the SEP itself so what the client shows as its definitions is no way representative of what the GUP has for definitions.

Other clients that receive the same Location policy will see they are supposed to go to a GUP for their definitions instead of the SEPM server.

For example, we have a server in each remote office. With SAV 10, we had to install all of the software to make it a secondary parent server so it could distribute definitions locally. With SEP, we simply set the IP address of the remote office server as a GUP. Then all clients in that office know to go to their local server for definition updates instead of across the WAN.

HTH,

Ray

Binayak please do not post a comment more than once and be specific while asking a question. please do not change the course of this discussion if you have question on gup what it is ?how it works?Please open a new discussion for that or first search the forum itself you will find many discussions on that.

TOP 25 articles on SEP - Start Here Before Posting Your SEP Questions in the Forum
https://www-secure.symantec.com/connect/forums/top-25-articles-sep-start-here-posting-your-sep-questions-forum

Symantec Endpoint Protection 11.0 Group Update Provider (GUP)
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007092720522748

Vikram Kumar
MCSA- Security
SCTS, STS (SAV/SEP/SNAC)
Product Support Analyst
Knowledge Centered Support (KCS) Level 2
Global Enterprise Technical Support
Symantec Corporation

I hope you understand

I think the purpose of the GUP is to minimize the overall bandwidth and connection usage to the main server. So if you were to use a GUP. I suggest you divide the PCs into departments and assign a GUP (or two) for that department. That way, they won't go across the company network to get an update. I'm sure that you have switches or routers for every group of PCs. That way, only one PC will get the update and then share it with the other PCs connected to the same switch or router.

Dear Binayak

GUP is Group Update pROVIDE WHICH IS  FEATURE FOR LIVE UPDATE TO CONSERVE THE BANDWITH AT THE TIME OF UPDATE, IN A HUGE NETWORK.

Hope u got that

Thanks all for explaining GUP.

One thousand
Yes

One thousand what?
Are you saying that you have a GUP running on Windows XP servicing one thousand clients?

Regardless if people may have gotten the GUP to work on 600+ clients using XP this is definetely not prefered. If you read the below article thouroughly you will get a better understanding of when and how a GUP could prove to be usefull. A specific quote from this article is this:

Using a GUP in a large group
We will have issues when the group gets large, i.e larger than 200. Certainly if a dedicated server is set as the proxy we can handle quite a bit of content. This is what secondary servers are today.

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/184f7ebb04cd173480257363006d2beb?OpenDocument

bjohn, I think kajal is referring to many thanks, he is not using GUP to 1000 clients.

Grant,
Don't you think that article is a little off and outdated?
SEP MR3 and above OFFICIALLY supports upto 1000 clients. (regardless of the fact that it's a workstation or server)
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008081810593048

Yes your right that article is outdated, as well as the support article I read to answer your original post hmm. Regardless my first post to your question holds I believe because the TCP connection attempts to 10 per second. I guess you could get away with more on the GUP but it depends on how often you are updating and how you have things set up, but I think it would still be a mistake to try to do more than 200 or so clients on a GUP with this sort of limitations. Sorry for the confusion about the old article too.

We had a Symantec Engineer over here last week and he told us that the 10-connection limit for an XP workstation is not valid because traffic is http and an http-connection doesn't count.
So, theoretically, the number of connections should be unlimited.
He also told us that GUP-functionalities will improve in further releases.

I think ernieken might have a point, http doesnt count as a session. But I am confused because I think http still uses tcp.

Hi

I can see many people commeting the smae post twice even thrice without any meaning. Whats happening in the community.
Guys if u have a question please post it, donot divert the existing posts discussion
Ajit

Hi Ernieken,

unfortunately the 10-connections limit is valid and I meet it every day when a customer calls us because SEPM is not working on XP. Paul is right, http uses TCP.

Here's the public document:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007102210033448

It is true that the GUP will be improved but the 10-connections limit is from Microsoft and we cannot change this.
The only good workaround is to change the communication settings of our SEP from push to pull mode.

Hi, can I set schedule wherein the GUP will get update from SEPM...let's say this GUP will get update at 4:00 AM? Base on my observation the GUP client update kicks in when there is client requesting update from GUP. Also, the SharedUpdate content started to populate when there is client requesting for update. Can we set schedule to both of this? Thanks!

Contents are always pushed to the GUP/Clients it doesn't matter communication mode is push or pull or time set is one day.
Whenever the SEPM downloads the definitions it will will published in its IIS website and clients will pull them immideately.

So in your scenario you can schedule your SEPM to download the deifintion at 4:00 AM.

Hello. We already set the SEPM download every 4 hours. What I want to know if there's a setting wherein you can set the schedule of GUP update from SEPM to GUP. Because as I said from my observation the update download (copied to SharedUpdates folder) kicks in only when there's client requesting update. We need this timing for the branch office scenario, wherein the GUP should first get the update from SEPM in proper timing because we have a bandwidth issue on our branch.

Have you gone through this doc?

How to configure GUP bandwidth throttling in Symantec Endpoint Protection 11.0 MR4?
https://www-secure.symantec.com/connect/forums/quarantine-server-errors-it-wont-get-defs-or-submit

this discussion
https://www-secure.symantec.com/connect/forums/gup-throttling-setup-and-definition-deltas

Yes. Thanks for the links but I think it does'nt answer my questions...

If i understood you correct.

Your GuP is also a client.Which connects to manager and get Liveupdate and then distributes.
HOwever, You cannot schedule liveudpate between Manager and GUP and Clients.

In SEPM

If you go to liveudpate policy, there is no schedule for liveupate when default manager is checked...
meaning they all will talk during the heart beat and get what they want.

Schedule for liveudpate is only available.when u select the second option..


"We need this timing for the branch office scenario, wherein the GUP should first get the update from SEPM in proper timing because we have a bandwidth issue on our branch."

You cannot have a schedule..Its the Heardbeat which tells when to connect. PUsh/Pull method...
 

No configuration for that..

Hi,

You have 200 to 250 clients connected to symantec

devide them into groups like department name Acoounts, Finance, Sales, IT, Admin  etc..

some thing else.
in each department make an GUP of windows XP.
it will make your job easy.

i don't have any issues, we have more than 9000 Clients on our network.