Endpoint Protection

Environment

1 SEPM server -- IP 192.168.1.x

5 GUP -- 1st set of network card IP 192.168.1.x  (2 network cards)

2nd network card IP : 10.1.x.x , 10.2.x.x, 10.3.x.x, 10.4.x.x, 10.5.x.x

10 clients each in different subnet 10.1.x.x, 10.2.x.x, 10.3.x.x, 10.4.x.x, 10.5.x.x

my 5 GUP can contact with SEPM server and get update and see in client management list, but all my clients in different subnet unable to see in client management list in SEPM server, is that normal ?

I've configure all 5 GUP also able to ping and telnet , the reason I configure this way because all clients in different subnet can't contact SEPM server at all. So is my configure correct ? 

I've configure all 5 GUP also able to ping and telnet , the reason I configure this way because all clients in different subnet can't contact SEPM server at all. So is my configure correct ? 

If I understand you correctly, your clients are unable to communicate with your SEPM. But in this case they are also unable to use their GUPs. GUPs are dumb slaves (sorry, GUP) of their SEPMs. In a GUP environment, the clients have to talk with their SEPMs just as in a scenario without GUPs. The only difference is the content  download (e.g. AV/AS signature) which the clients will get from the GUPs instead of the SEPM itself.

To manage all your clients by the SEPM and using the GUPs correctly, the clients have to communicate with the SEPM.

Is tcp port 8014 open?

1 things I need to mention is all clients don't have internet connection at all

Hi greg12, in my case what can I do to get all clients update the latest definitions ?

yes, port 8014 open for all clients

Clients only need to be able to talk to the SEPM, they don't need Internet access for that.

Enable sylink debugging on an affected client to see the communication between client/SEPM

The issue here is all client don't have connection with SEPM (due to different subnet)

I get that but is that intended? If they can't contact the SEPM then they cannot grab the policy which tells them to updates from the GUP. If this is intended then they will need to be updated manually using the Intelligent Updater.

If the clients don't have access to SEPM and no internet connection, you can use Intelligent Updater .exe files to manually update the clients. See this article:

Use Intelligent Updater to update definitions for Endpoint Protection

I've 5 pcs which have 2 network card , 1 network can connect to sepm, 1 network connect to all clients, so I manually export n import the update policy to all clients, does it work ?

No, the clients in the network that has no connection to SEPM cannot be updated by GUPs. While it's possible to manually export/import policies, for downloading content from GUPs the clients need to talk with the SEPM.

The reason is that only the SEPM has all relevant informations for content download. For example, the size and the nature (delta file or full file) of the content file must be negotiated between client and SEPM. The GUP is just a content proxy.