Video Screencast Help

SEPM 12.1 - Need assistance on how to setup GUP

Created: 09 Dec 2013 • Updated: 11 Dec 2013 | 12 comments
This issue has been solved. See solution.


I'll try to explain my scenario as easy as possible:

We have several clients which can't communicate with our SEPM-server because of complicated network issues.

However, these clients got network communication with some of the other clients which again got connection to our SEPM, hence I have chosen to try to setup one of these as GUP.

What I've been doing:
I've created a client group for this purpose and created a non-shared LiveUpdate Settings Policy for this group where server X is GUP.
(Server X got communication with SEPM)
I've also moved server X into this group and it seems to be accepting the role of GUP.

These clients have never been in contact and recognized by our SEPM-server, thus is not listed in SEPM.

How do I update the policy on these servers and add them to the group in SEPM which use the GUP-client as update source?

Do I have to export an installation package for this specific group or something like that?

If so, how?

I feel like I'm banging my head against the wall, fearing I'm going about this the completly wrong way..

All help appriciated!

Operating Systems:

Comments 12 CommentsJump to latest comment

James007's picture
These clients have never been in contact and recognized by our SEPM-server, thus is not listed in SEPM.

How do I update the policy on these servers and add them to the group in SEPM which use the GUP-client as update source?

Do I have to export an installation package for this specific group or something like that?

If sep client not showing sepm console You can replace sylink.xml

How to change the sylink.xml file in Symantec Endpoint Protection (SEP) 12.1
Article:TECH157585 | Created: 2011-04-07 | Updated: 2012-06-07 | Article URL
Erikmy's picture

Would it work if I simply change the server references in SyLink.XML from the SEPM-server to the GUP-adresses and port?

(I have to request our network department to open the port, so I'm asking instead of just trying..)

If I export communications setting from the group in question, the SEPM IP and hostnavn are listed as server adresses in the SyLink.XML I export.

James007's picture

Yes Sep client move that Group if your SEPM not integrated with AD.

James007's picture

It will work but first you need to open firewall ports beetween SEP and SEPM server.

Erikmy's picture

You mean between the GUP and the SEP-clients in question?

James007's picture

If your SEP and GUP are Same VLAN you don't need to open 2967 Port.

Configuring the Group Update Provider (GUP) in Symantec Endpoint Protection 11.0 RU5 and later

Article:TECH96419 | Created: 2009-01-28 | Updated: 2012-04-23 | Article URL

Best Practices and Troubleshooting for Group Update Providers

Erikmy's picture

Unfortnately, it's not.

I'll ask the network department to open the port for me tomorrow.

Thanks so far! 

Beppe's picture


just applying the same policy is not enough!!! The SEP clients can't get any update from the GUP if they can't connect to the SEPM as well !!!

The SEPM is directing the clients to the GUP to get specific files based on what they need, the GUP does not check in to the SEPM on behalf of the clients to know what they need.



Erikmy's picture

This seems correct unfortunatley :-/:

"GUPs can be used to supplement or replace a SEPM for distributing content updates to SEP clients, but cannot be used to update policies or manage clients. This means that clients will still need network connectivity to a SEPM in order to perform the heartbeat process, which updates their policies, and informs them when new content is available to download from the GUP.

If the SEP clients you wish to update via a GUP are not able to connect to the SEPM of the HTTP port being used by the SEPM for client management, you will need to consider another method of updating clients. "

Is there any other way to get the clients to update except from telling them to get the updates from the internet?

Setting up a local LiveUpdate server and editing the SymLink.xml to request update from that one for example? Or will you still have the same problem regarding updates?

(As you probably can imagine by now, these servers are in a pretty locked up network enviroment.)

Beppe's picture

Dear Erik,

If you can't connect to Internet, neither to the SEPM... there's no magic solution to get the updates, I am afraid.

In such scenario (a group of unmanaged clients in an isolated network, very common, indeed), the most used solution is to use an internal LiveUpdate server.

1) for that isolated location, set up an internal LiveUpdate server (i.e., LiveUpdate Administrator - LUA)

2) of course, you need to allow the connectivity between your LUA and Symantec servers and your clients and your LUA, i.e. the content flow will be: Symantec > your LUA > your isolated clients.

3) AFAIK, you can't export/import policies directly from the SEPM to the SEP, it should be SEPM-to-SEPM or SEP-to-SEP, hence:

3.1) in the SEP Manager, set up the LiveUpdate policy for those clients to use your LUA server

3.2) assign the same policy to a test client able to connected to the SEPM and the LUA

3.3) export the policies from the test client (once you know it works)

3.4) manually import the policies into your isolated clients

OR, for unmanaged clients:


Commucation with SEPM is not required if LUA is used, neither the sylink.xml controls this communication, the sylink.xml is about the communication with SEPMs, nothing else.



Erikmy's picture

Hi again.

It turned out they had internet access after all, so this is what I did:

-Created a new location (Under clients -> Policies) with "Switch to this location when: Client computer does not connect to management server".

-Edited the LiveUpdate Setting Policy Server Settings to use the default Symantec LiveUpdate server.
(If I had to setup an internal LiveUpdate server, this could also be configured here.)

-Exported the policy from one of the clients which has connection to the SEPM, by opening the GUI on the client side, pressing "Help" -> "Troubleshooting".. and "Export.." under Policy Profile.

-Then I manually copied this policy.xml to the clients with no SEPM connection, imported the policy and then the location automatically changed and started to download updates from the internet.

I'm marking your post as the solution, though, as it would be if the servers didn't have internet connection.