Endpoint Protection

Hi,

We required recommendations for GUP server in remote location over MPLS connectivity.

Query

1.     We have 1 HO and 17 branch office locations where HO is having 800 endpoints and all the remote branch office are having approx minimum of 100 system. All the 17 branch office are connecting to HO through MPLS connectivity of 2 Mbps to 8 Mbps.

2. What is the recommendation to keep the GUP server over MPLS network bandwidth of 2 or 8 Mbps.
3. What is the minimum MPLS bandwidth required for 150 system or more in the remote branch office.
4. What is the minimum and maximum SEP client recommended on SEPM GUP over MPLS 4 Mbps bandwidth.

Please let me know the challenges and recommendations for above mentioned queries

Regards,

Nagaraj

The GUPs sit on the local subnet or locally to MPLS machines so they help the restrictec network badnwidth from the SEPM at HO. So as soon as the GUPs recieve the latest defintions they will start to push defs locally to the machines that have been requested to update to. So the more GUPs you have on a local sit the less machines will need to contact over the network to the SEPM. 

Below I've posted a few articles about GUPs that should give you some more information and help you decide how you want to implment them. If you have multiple GUPs on a site you can also set the policy for machines to only update from the GUPs too so only the GUPs get defs from the SEPM and update the sites locally reducing bandwidth congestion. 

About GUP Types

https://support.symantec.com/en_US/article.HOWTO80957.html

Best Practices for GUPs

https://support.symantec.com/en_US/article.TECH93813.html

GUP Configuration Guide

https://support.symantec.com/en_US/article.TECH96419.html

Troubleshooting GUPs

https://support.symantec.com/en_US/article.TECH104539.html

Hi Nagaraj,

hope this answers your question.

1.What is the recommendation to keep the GUP server over MPLS network bandwidth of 2 or 8 Mbps    

    - its should be okay to have a GUP as the bandwidth suffice the need

2.What is the minimum MPLS bandwidth required for 150 system or more in the remote branch office.

  there isn't any minimum bandwidth requirement for setting up GUP but 1 Mbps or more is recommended

3.What is the minimum and maximum SEP client recommended on SEPM GUP over MPLS 4 Mbps bandwidth.
 
again there isn't any minimum sep clients required to setup gup as even one client can have a GUP but it is not the best way to optimize the resource. so a decent setup would be to have alteast 50 SEP cleients to have update from a GUP and for maximum a GUP can easily handle upto 5000 clients provided it has enough juice to its hardware/bandwidth.

The maximum number of simultaneous downloads that the Group Update Provider distributes to clients.

This option concerns memory and CPU utilization on the Group Update Provider computer. The option controls how many threads are allocated to handle incoming requests. Memory utilization is associated with the threads, so more threads require more memory. Also, processing the incoming requests requires CPU cycles, so more threads require more CPU cycles.

You should tune the value to the limitations of the Group Update Provider computer. The goal is to download content updates to clients as quickly as possible, without overwhelming the Group Update Provider computer. Set the value high enough to get reasonable concurrency, but low enough to avoid overtaxing the Group Update Provider computer.

Hi,

Thank you for posting your query on Symantec community.

1. What is the recommendation to keep the GUP server over MPLS network bandwidth of 2 or 8 Mbps.

--> There isn't any recommendations but do not allow clients to bypass GUP to take definitions from the SEPM directly if GUP isn't accessible.

2. What is the minimum MPLS bandwidth required for 150 system or more in the remote branch office.

--> There isn't any minimum limitation of Bandwidth however there must be sufficient bandwidth between the GUP and the SEPM to allow the GUP to download the full and delta definition packages being requested by SEP clients.  Make sure SEPM is configure to store 30 definitions (last 10 days definitions), latest version of SEPM stores 45 definitions (last 15 days definitions). If SEPM is holding requested definitions then it will be always delta update for GUP machine resulting in less bandwidth usage

3. What is the minimum and maximum SEP client recommended on SEPM GUP over MPLS 4 Mbps bandwidth.P

--> There isn't any recommendations but The current iteration of the GUP role supports up to 10,000 clients per GUP. Clients number doesn't make difference here because on behalf of clients only GUP will contact the SEPM to get definitions.

To summarize it,

1) Configure GUP & if possible configure another types of GUP as well, here is more info: https://www-secure.symantec.com/connect/articles/sep-121-ru2-and-explicit-group-update-providers

2) Do not allow clients to bypass GUP though it's not available.

3) By considering disk space usage configure SEPM to store maximum definitions, so mostly it will be delta updates between SEPM & GUP.

Note: Upgrade to the latest version if disk space causing any issue, latest version uses content storage optimization feature.

http://www.symantec.com/docs/TECH224055

HI Chetan,

Thanks for the valuable update but i have one more query related to version upgrade, if we upgrade the SEPM HO server all the client have to report to SEPM HO server only for upgrade GUP will not do the upgrade the, with this kind of setup what will be the solution.

Regards,

Nagaraj

Yes the client upgrade will be directly from the SEPM. GUPs are only for definition distribution.

You can use autoupgrade on the groups or the push wizard to upgrade directly from the SEPM. Or you can extract packages from the SEPM and use another method to push the packages to all the machine to upgrade them if you want to restrict network traffic to the SEPM. 

Hi Nagaraj,

GUP will provide only the definition updates and it cannot share the version upgrade files. So by design when you upgrade your SEPM and add the packages to auto upgrade clients the client will pull the differential files only from the sepm.

Hi Nagraj,

GUP can only provide definitions updates, it can't upgrade clients.

To upgrade remote clients & save bandwidth as well there is an application called ClientRemote.exe that will accomplish this.

See this guide: Push Deployment Wizard - Standalone deployment app for SEP install packages

http://www.symantec.com/docs/TECH195705