In this Senario there is no need to install a separte LU server rather install GUP at each site so the load and banwdith is distributed. If you a GUP configured at each site the clients will not come to the main SEPM for update but will take update locally from the machine that is configured as a GUP thus saving WAN traffic.
Symantec Endpoint Protection 11.0 Group Update Provider (GUP)
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007092720522748
Best practices for Group Update Provider (GUP)
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008081810593048
GUPs can be used to supplement or replace a SEPM for distributing content updates to SEP clients, but cannot be used to update policies or manage clients. This means that clients will still need network connectivity to a SEPM in order to perform the heartbeat process, which updates their policies, and informs them when new content is available to download from the GUP.
Since the GUP is essentially a SEP client with the additional GUP role, it must also be able to access the SEPM via the client management port.
The GUP will download definitions on-demand for itself and any clients configured to update through it. The GUP will cache all downloaded content according to the settings in its LiveUpdate policy. Clients that have been configured to use a GUP will download definitions directly from the GUP instead of SEPM. By this method, bandwidth is conserved. There must be sufficient bandwidth between the GUP and the SEPM to allow the GUP to download the full and delta definition packages being requested by SEP clients. The larger the spread of definition revisions used by the clients, the larger the bandwidth utilization between the SEPM and the GUP.