Endpoint Protection

  • 1.  RU5 GUP settings and MR4 MP2 clients

    Posted Sep 29, 2009 04:49 PM
    I understand that RU5's (awesome) new multiple GUP settings in LiveUpdate policies are not applied to downlevel SEP clients. Unfortunately, not only are the new settings not applied, my MR4 MP2 clients won't even contact a SEPM for content updates if I set up RU5 settings. They do not update content at all until I remove the multiple GUP settings from the LiveUpdate policy.

    That's really bad news because we have a bunch of VPN clients out in the field that we won't see at the main office for software updates for at least a year. So we won't be able to use the new GUP functionality until every last one is updated.

    Is it supposed to work like that?? Is there any way to get the RU5 clients to use the RU5 GUP settings while leaving the MR4 MP2 clients to contact a SEPM for updates--without creating new SEPM groups for downlevel clients? I know the Locations feature won't work...can't use client version as a filter with Locations, unfortunately.


  • 2.  RE: RU5 GUP settings and MR4 MP2 clients

    Posted Sep 30, 2009 09:25 AM
    Greetings Jeff,

    I would suggest adding an Install Package to the group that VPN clients belong to. When these machines connect to the SEPM it will force a silent upgrade to RU5 which will then allow them to use the proper GUP settings.

    If the machines can contact the Endpoint Manager to check for a GUP then they will be able to get the RU5 package auto-upgraded.

    To migrate client software
    -Log-on to the newly migrated Symantec Endpoint Protection Manager Console if you are not logged on.
    -Click Admin > Install Packages.
    -In the lower-left pane, under Tasks, click Upgrade Groups with Package.
    -In the Welcome to the Upgrade Groups Wizard panel, click Next.
    -In the Select Client Install Package panel, all existing client packages are listed in the drop-down box. Select one Endpoint Protection 11.0.5002.x package.
    -Click Next.
    -In the Specify Groups panel, check one or more groups that contain the client computers to be migrated, then click Next.
    -In the Package Upgrade Settings panel, check Download client from the management server.
    -Click Upgrade Settings.
    -In the Add Client Install Package dialog box, on the General tab, specify whether or not to keep existing client features or specify new ones.
    -Click OK.
    -In the Upgrade Groups Wizard dialog box, click Next.
    -In the Upgrade Groups Wizard Complete panel, click Finish.

    As soon as these VPN clients check in it will pull down the RU5 package and upgrade for you.



  • 3.  RE: RU5 GUP settings and MR4 MP2 clients

    Posted Sep 30, 2009 09:26 AM
    Hi,

    Distributing content using Group Update Providers

    A Group Update Provider is a client computer that you designate to locally distribute content updates to clients. A Group Update Provider downloads content updates from the management server and distributes the updates to clients. A Group Update Provider helps you conserve bandwidth by offloading processing power from the server to the Group Update Provider. A Group Update Provider is ideal for delivering content updates to clients that have limited network access to the server. You can use a Group Update Provider to conserve bandwidth to clients in a remote location over a slow link.

    Managing Group Update Providers

    Step 1: Verify client communication - Before you configure Group Update Providers, verify that the clients can receive content updates from the server. Resolve any client-server communication problems. You can view client-server activity in the System logs.

    Step 2: Configure Group Update Providers - You configure Group Update Providers by specifying settings in the LiveUpdate Settings Policy. You can configure a single Group Update Provider or multiple Group Update Providers.

    Step 3: Assign the LiveUpdate Settings Policy to groups - You assign the LiveUpdate Settings Policy to the groups that use the Group Update Providers. You also assign the policy to the group in which the Group Update Provider resides. For a single Group Update Provider, you assign one LiveUpdate Settings Policy per group per site. For multiple Group Update Providers, you assign one LiveUpdate Settings Policy to multiple groups across subnets.

    Step 4: Verify that clients are designated as Group Update Providers - You can view the client computers that are designated as Group Update Providers. You can search client computers to view a list of Group Update Providers. A client computer's properties also shows whether or not it is a Group Update Provider.




    About the types of Group Update Providers


    You can configure two types of Group Update Providers: a single Group Update Provider or multiple Group Update Providers:

    Single Group Update Provider: A single Group Update Provider is a dedicated client computer that provides content for one or more groups of clients. A single Group Update Provider can be a client computer in any group. To configure a single Group Update Provider, you specify the IP address or host name of the client computer that you want to designate as the Group Update Provider.
    Multiple Group Update Providers: Multiple Group Update Providers use a set of rules, or criteria, to elect themselves to serve groups of clients across subnets. To configure multiple Group Update Providers, you specify the criteria that client computers must meet to qualify as a Group Update Provider. If a client computer meets the criteria, the Symantec Endpoint Protection Manager adds the client to its list of Group Update Providers. Symantec Endpoint Protection Manager then makes the list available to all the clients in your network. Clients check the list and choose the Group Update Provider that is located in their subnet. You can also configure a single, dedicated Group Update Provider to distribute content to clients when the local Group Update Provider is not available.
    You use a LiveUpdate Settings Policy to configure the type of Group Update Provider. The type you configure depends on how your network is set up and whether or not your network includes legacy clients.
    Note: The Group Update Provider does not proxy op-states, events, commands, command status, or profiles between the server and the clients.
    When to use a particular Group Update Provider type:


    Single:

    Use a single Group Update Provider when your network includes any of the following scenarios:

    Your network includes legacy clients

    Legacy clients can get content from a single Group Update Provider; legacy clients can also be designated as a Group Update Provider. Legacy clients do not support multiple Group Update Providers.

    You want to use the same Group Update Provider for all your client computers

    You can use a single LiveUpdate Content Settings Policy to specify a static IP address or host name for a single Group Update Provider. However, if clients change locations, you must change the IP address in the policy. If you want to use different Group Update Providers in different groups, you must create a separate LiveUpdate Settings Policy for each group.


    Multiple:

    Use multiple Group Update Providers when your network includes any of the following scenarios:

    You run the latest client software on the computers in your network

    Multiple Group Update Providers are supported on the computers that run the latest client software. Multiple Group Update Providers are not supported by legacy clients. Legacy clients cannot get content from multiple Group Update Providers. Legacy clients cannot be designated as a Group Update Provider even if they meet the criteria for multiple Group Update Providers. You can create a separate LiveUpdate Settings Policy and configure a single, static Group Update Provider for a group of legacy clients.

    You have multiple groups and want to use different Group Update Providers for each group

    You can use one policy that specifies rules for the election of multiple Group Update Providers. If clients change locations, you do not have to update the LiveUpdate Settings Policy. The Symantec Endpoint Protection Manager combines multiple Group Update Providers across sites and domains. It makes the list available to all clients in all groups in your network.

    Multiple Group Update Providers can function as a failover mechanism. Multiple Group Update Providers ensure a higher probability that at least one Group Update Provider is available in each subnet.




    About configuring rules for multiple Group Update Providers


    Multiple Group Update Providers use rules to determine which client computers act as a Group Update Provider.


    Rules are structured as follows:

    Rule sets

    A rule set includes the rules that a client must match to act as a Group Update Provider.

    Rules

    Rules can specify IP addresses, host names, client registry keys, or client operating systems. You can include one of each rule type in a rule set.

    Rule conditions

    A rule specifies a condition that a client must match to act as a Group Update Provider. If a rule specifies a condition with multiple values, the client must match one of the values.



    Rule types

    IP address or host name - This rule specifies client IP addresses or host names.

    Registry keys - This rule specifies client registry keys.

    Operating system - This rule specifies client operating systems.



    Rules are matched based on the logical OR and AND operators as follows:

    Multiple rule sets are OR'ed. A client must match one rule set.
    Multiple rules are AND'ed. A client must match all the rules that are specified in a rule set.
    Multiple values for a rule condition are OR'ed. A client must match one value. For example, you might create RuleSet1 that includes an IP address rule with several IP addresses. You then create RuleSet2 that includes a host name rule and an operating system rule, each with multiple values. A client computer must match either RuleSet1 or RuleSet2. A client matches RuleSet1 if it matches any one of the IP addresses. A client matches RuleSet2 if it matches any one of the host names and any one of the operating systems.



    Configuring a Group Update Provider


    You configure a Group Update Provider by specifying settings in the LiveUpdate Settings Policy.

    You can configure the LiveUpdate Settings Policy so that clients only get updates from the Group Update Provider and never from the server. You can specify when clients must bypass the Group Update Provider. You can configure settings for downloading and storing content updates on the Group Update Provider computer.

    You can also configure the type of Group Update Provider.


    Note: If the Group Update Provider runs a non-Symantec firewall, you might need to modify the firewall to permit the TCP port to receive server communications. By default, the Symantec Firewall Policy is configured correctly.


    To configure a Group Update Provider

    In the console, click Policies.
    Under View Policies, click LiveUpdate.
    In the LiveUpdate Policies pane, on the LiveUpdate Settings tab, select the policy to edit.
    In the Tasks pane, click Edit the Policy.
    In the LiveUpdate Policy window, click Server Settings.
    On the Server Settings page, under Internal or External LiveUpdate Server, check Use the default management server (recommended). Do not check Use a LiveUpdate server. The Group Update Provider that you configure acts as the default LiveUpdate server.
    Under Group Update Provider, check Use the Group Update Provider.
    Click Group Update Provider.
    In the Group Update Provider dialog box, configure the type of Group Update Provider. (Note: Legacy clients can only use a single Group Update Provider. Legacy clients do not support multiple Group Update Providers.)
    In the Group Update Provider dialog box, configure the options to control how content is downloaded and stored on the Group Update Provider computer. Click Help for information about content downloads.
    Click OK.


    Configuring a single Group Update Provider

    You can configure only one single Group Update Provider per LiveUpdate Settings Policy per group. To create a single Group Update Provider for multiple sites, you must create one group per site, and one LiveUpdate Settings Policy per site.

    To configure a single Group Update Provider

    Follow the steps to configure a Group Update Provider.
    In the Group Update Provider dialog box, under Group Update Provider Selection for Client, check Single Group Update Provider IP address or host name.
    In the Single Group Update Provider IP address or host name box, type the IP address or host name of the client computer that acts as the single Group Update Provider.

    Click Help for information about the IP address or host name.


    Configuring multiple Group Update Providers

    You can configure multiple Group Update Providers by specifying criteria in a LiveUpdate Settings Policy. Clients use the criteria to determine if they qualify to act as a Group Update Provider.

    To configure multiple Group Update Providers

    Follow the steps to configure a Group Update Provider.
    In the Group Update Provider dialog box, under Group Update Provider Selection for Client, check Multiple Group Update Providers.
    Click Configure Group Update Provider List.
    In the Group Update Provider List dialog box, select the tree node Group Update Provider.
    Click Add to add a rule set.
    In the Specify Group Update Provider Rule Criteria dialog box, in the Check drop-down list, select one of the following:
    Computer IP Address/Host Name
    Registry Keys
    Operating System
    If you selected Computer IP Address/Host Name or Registry Keys, click Add.
    Type or select the IP address, registry key, or operating system information. Click Help for information on configuring rules.
    Click OK until you return to the Group Update Provider dialog box.
    In the Group Update Provider List dialog box, optionally add more rule sets.
    Type a Group Update Provider IP address or host name in the Specify the host name or IP address of a Group Update Provider on a different subnet to be used, if Group Update Providers on the local subnet are unavailable text box.
    Click OK.


    Searching for the clients that act as Group Update Providers

    You can verify that clients are available as Group Update Providers. You can view a list of Group Update Providers by searching for them on the Clients tab.

    Note: You can also check a client's properties. The properties include a field that indicates whether or not the client is a Group Update Provider.


    To search for the clients that act as Group Update Providers

    In the console, click Clients.
    On the Clients page, on the Clients tab, in the View box, select Client status.
    In the Tasks pane, click Search Clients.
    In the Find box, select Computers.
    In the In Group box, specify the group name.
    Under Search Criteria, in the Search Field column, select Group Update Provider.
    Under Search Criteria, in the Comparison Operator column, select =.
    Under Search Criteria, in the Value column, select True. Click Help for information on the search criteria.
    Click Search.
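The rule-matching semantics quoted in the reply above (rule sets OR'ed, rules within a set AND'ed, values within a rule OR'ed), the legacy-client exclusion, and the "local subnet first, then designated fallback" selection are easy to get wrong when reasoning about which machines will end up serving content. The following Python is an added example, not Symantec code or anything from this thread: it models those semantics so an administrator can dry-run a candidate rule set against an inventory before applying the policy. All client records, rule values, and the SysVol registry path used as a domain-controller marker are constructed assumptions for the example.

```python
"""Dry-run SEP-style multiple-GUP election rules (added example, not Symantec code).

Semantics modelled from the quoted documentation:
  * rule sets are OR'ed        -> a client must match at least one rule set
  * rules in a set are AND'ed  -> a client must match every rule in that set
  * values of a rule are OR'ed -> a client must match any one value
Legacy clients are never designated as a GUP and never use one; other clients
take the first GUP on their own subnet, else the designated cross-subnet GUP.
All data below is constructed for the example.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    kind: str          # "ip_host", "registry" or "os" (one of each per rule set)
    values: List[str]  # client must match ANY one value


@dataclass
class RuleSet:
    rules: List[Rule]  # client must match ALL rules


def _match_ip_host(client: dict, values: List[str]) -> bool:
    """IP/host rule: exact IP, CIDR subnet, or host-name pattern (wildcards allowed)."""
    ip = ipaddress.ip_address(client["ip"])
    for value in values:
        try:
            if ip in ipaddress.ip_network(value, strict=False):
                return True  # a bare address parses as a /32 network
        except ValueError:   # not an IP or CIDR, so treat it as a host-name pattern
            if fnmatch.fnmatch(client["host"].lower(), value.lower()):
                return True
    return False


def _match_registry(client: dict, values: List[str]) -> bool:
    """Registry rule: any listed key/value path is present on the client."""
    present = {p.lower() for p in client["registry"]}
    return any(v.lower() in present for v in values)


def _match_os(client: dict, values: List[str]) -> bool:
    return client["os"].lower() in {v.lower() for v in values}


_MATCHERS = {"ip_host": _match_ip_host, "registry": _match_registry, "os": _match_os}


def rule_set_matches(client: dict, rule_set: RuleSet) -> bool:
    """All rules in the set must match (AND)."""
    return all(_MATCHERS[r.kind](client, r.values) for r in rule_set.rules)


def qualifies_as_gup(client: dict, rule_sets: List[RuleSet]) -> bool:
    """Any rule set may match (OR); legacy clients are never designated."""
    if client.get("legacy", False):
        return False
    return any(rule_set_matches(client, rs) for rs in rule_sets)


def choose_gup(client: dict, gup_ips: List[str], fallback: Optional[str]) -> Optional[str]:
    """First GUP on the client's subnet, else the designated fallback; legacy clients get none."""
    if client.get("legacy", False):
        return None
    subnet = ipaddress.ip_network(f"{client['ip']}/{client['prefix']}", strict=False)
    for gup in gup_ips:
        if ipaddress.ip_address(gup) in subnet:
            return gup
    return fallback


def elect_gups(clients: Dict[str, dict], rule_sets: List[RuleSet]) -> List[str]:
    """The GUP list the manager would publish: IPs of every qualifying client."""
    return [c["ip"] for c in clients.values() if qualifies_as_gup(c, rule_sets)]


# Constructed rule sets: RuleSet1 = IP/subnet rule; RuleSet2 = registry AND OS.
# The SysVol value is an assumed marker for domain controllers; verify on your own DCs.
SYSVOL_VALUE = r"HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\SysVol"
RULE_SETS = [
    RuleSet([Rule("ip_host", ["10.1.0.0/24", "10.2.0.5"])]),
    RuleSet([Rule("registry", [SYSVOL_VALUE]),
             Rule("os", ["Windows Server 2003", "Windows Server 2008"])]),
]

# Constructed inventory: one DC, two current workstations, one legacy client.
CLIENTS = {
    "dc01":     {"ip": "10.2.0.10", "prefix": 24, "host": "dc01.corp.example",
                 "os": "Windows Server 2008", "registry": {SYSVOL_VALUE}, "legacy": False},
    "ws01":     {"ip": "10.1.0.20", "prefix": 24, "host": "ws01.corp.example",
                 "os": "Windows XP", "registry": set(), "legacy": False},
    "ws02":     {"ip": "10.3.0.7", "prefix": 24, "host": "ws02.corp.example",
                 "os": "Windows XP", "registry": set(), "legacy": False},
    "legacy01": {"ip": "10.1.0.30", "prefix": 24, "host": "legacy01.corp.example",
                 "os": "Windows XP", "registry": set(), "legacy": True},
}

if __name__ == "__main__":
    gups = elect_gups(CLIENTS, RULE_SETS)
    print("Published GUP list:", gups)
    for name, client in CLIENTS.items():
        print(f"{name:9s} -> {choose_gup(client, gups, fallback='10.9.0.1')}")
```

Running it shows dc01 elected via RuleSet2 and ws01 via the subnet in RuleSet1, ws02 falling back to the cross-subnet GUP, and legacy01 receiving no GUP even though its address is inside RuleSet1's subnet. The `ip_host` matcher accepts CIDR and wildcard host names, which goes beyond the single addresses the documentation mentions; drop that if you want to mirror the policy dialog exactly.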




  • 4.  RE: RU5 GUP settings and MR4 MP2 clients

    Posted Sep 30, 2009 11:03 AM
    Thanks for your replies. Don't mean to sound ungrateful, but neither of you actually answered the question in the last paragraph.

    Regarding SEPM install packages, we use Group Policy for installs and prefer it. And the VPN clients are in the same SEPM Group as all the workstations because there's nothing different about them from the standpoint of SEP settings. Some of the VPN clients are on 56K dialup connections. It would take a year for them to download it, and since you don't use background bandwidth, they won't have any bandwidth left for other tasks. And if substantial numbers of the broadband VPN clients connected simultaneously, I'm concerned it would suck up all available bandwidth at the main office. (Please don't raise the IIS throttling tangent. It's been discussed to death elsewhere, and does not solve all aspects of these problems.)

    Regarding the long article you copied-and-pasted, there is only one relevant paragraph. But it says only that legacy clients won't get updates from the new multiple GUPs. That's fine by me...they don't get updates from GUPs now. It does say I can create a separate Group for legacy clients and use a single-GUP LU policy. But I don't care about using GUPs for VPN clients; the VPN clients have access to a SEPM with plenty of capacity.

    What the article DOES NOT SAY is that legacy clients won't get updates AT ALL, even from a SEPM, if a multiple-GUP LU policy is applied to them.

    If that's true, as it appeared to be here, then (a) the article should say so, and (b) that's a really poor design. If it's not true, then I'd like to troubleshoot why it's happening here so I can use multiple-GUP updates with new clients and the SEPM updates with legacy clients without further needlessly complicating SEPM design and administration.

    Because bottom line for us is that if we can't use the new GUP functionality for a year, we won't use it for a year. We're not going to push SEP from SEPM. I've had far too many problems with Symantec push install technologies over the years and I won't go there again. Group Policy software installs are dead nuts reliable, and we've puzzled out a procedure that covers every possible scenario.

    What I'm toying with doing is scripting BITS to use background bandwidth to deliver SEP install files to the client, and modifying Group Policy to install SEP from the local copy when it finally arrives. Sort of a hybrid of WSUS and Group Policy. That would be useful for a lot of things beyond SEP. But that project is back burner, and it will still take a long time to deliver to the dialup clients.

    So, back on-topic: Is it supposed to work this way??


  • 5.  RE: RU5 GUP settings and MR4 MP2 clients
    Best Answer

    Posted Oct 01, 2009 05:54 PM
    OK, I found a workaround.

    I had hoped to apply one LU Policy at the top level inherited by all Groups that would turn my DCs into GUPs (looks for SYSVOL registry value). Instead, I applied the policy to the Group in which all DCs are located. They're all at RU5 so they're OK with this.

    Legacy and RU5 non-GUP clients are mixed together in several other Groups. They have a LU Policy with no GUP settings at all. All are receiving content updates now, where previously, where the new LU policy was applying to RU5 and legacy clients alike, only RU5 clients were updating.

    My understanding of the new GUP functionality is that the RU5 Clients will get a GUP list from the SEPM, and will use it whether there's a GUP-enabled policy that applies to their Group or not. Legacy clients will not get a GUP list and will not use a GUP.

    If my understanding is correct, then my problem is basically solved. I don't have to have separate Groups for legacy and RU5 clients as long as my GUPs can be in a separate Group (and they already were). 

    And a year from now, when all clients are RU5 or later, I'll be able to apply the GUP policy that filters for DCs applied at the top level and have it inherited by all.