
SEPM single GUP limitation: Many vlan in a location?


  • 1.  SEPM single GUP limitation: Many vlan in a location?

    Posted Jan 18, 2012 09:52 PM

    Hi All,

     

    As per the topic, let's say we have assigned a single GUP in a location... it will only cover clients in the same subnet/IP segment, right?

    What if there are many VLANs in that location?

     

    I was thinking: is this a limitation of using a single GUP? Would it be good if we use LUA to cover this location?

     



  • 2.  RE: SEPM single GUP limitation: Many vlan in a location?



  • 3.  RE: SEPM single GUP limitation: Many vlan in a location?

    Posted Jan 18, 2012 11:16 PM

    I would rephrase my questions as below:

     

    Will a single GUP be enough to cover a location with multiple VLANs?

     

    In this scenario, what's the advantage if we put a LUA instead of a single GUP?



  • 4.  RE: SEPM single GUP limitation: Many vlan in a location?

    Posted Jan 18, 2012 11:42 PM

    Best practices for Group Update Provider (GUP) from Symantec Endpoint Protection

    Problem


    You would like recommendations on how to configure GUPs within the Symantec Endpoint Protection Manager MR3 or earlier builds to help preserve LAN and WAN bandwidth and to provide the most reliable performance.

     


     

    Solution


    The following suggestions will help the overall efficiency and performance of the GUPs to preserve network bandwidth:

    • Ensure MR3 or later is running on both Symantec Endpoint Protection clients and Symantec Endpoint Protection Managers.
    • MR2-MP2 and earlier GUP can only handle up to 100 Symantec Endpoint Protection clients. MR3 GUP now officially supports up to 1000 Symantec Endpoint Protection clients.
    • For a high number of Symantec Endpoint Protection clients, it is recommended to run the GUP on a Windows Server due to the limits of concurrent TCP connections in Windows XP and Vista.
    • A client operating system (Windows XP, Vista or Win7) can be used as a GUP for 100 machines, but if the number of clients is more than 100, the best practice would be to use a server operating system.
    • Ensure all GUPs have their thread count increased to at least 10 (this functionality was added in MR3 or later).
    • Configure all SEP clients to use PULL mode and heartbeat every 60 minutes or longer
    • Configure 1 specific Symantec Endpoint Protection client (GUP) on same LAN as Symantec Endpoint Protection Manager to heartbeat every 2 minutes
      1. Create a group specifically for this one Symantec Endpoint Protection client. (This is for configuration, tracking and organizational purposes).
      2. Symantec Endpoint Protection Manager starts to build needed deltas in advance for most Symantec Endpoint Protection clients and GUP's connecting looking for specific delta files.

     



  • 5.  RE: SEPM single GUP limitation: Many vlan in a location?

    Broadcom Employee
    Posted Jan 19, 2012 12:07 AM

    I would rephrase my questions as below:

     

    Will a single GUP be enough to cover a location with multiple VLANs?

    Assuming these would be different subnets, you can have the multiple GUP functionality.

     

    In this scenario, what's the advantage if we put a LUA instead of a single GUP?

    The advantage of having LUA applies in case it has more clients to distribute content to and you have other Symantec products which will get their updates from LUA.

     



  • 6.  RE: SEPM single GUP limitation: Many vlan in a location?

    Posted Jan 19, 2012 12:58 AM

    Thanks all.

     

    One of the issues is that there's only 1 PC/Server that we can dedicate as GUP... that's why we're exploring the option via LUA.

    We can't afford to have clients with different subnets/segment to get definitions directly from HQ.



  • 7.  RE: SEPM single GUP limitation: Many vlan in a location?

    Broadcom Employee
    Posted Jan 19, 2012 01:05 AM

    Having multiple GUPs (each GUP in one of the subnets) along with the backup GUP might help to suit your requirement.

    If the client does not find the GUP in its subnet, it can check with the backup GUP (even out of subnet, however communicating over 2967), which will update the clients in different subnets.



  • 8.  RE: SEPM single GUP limitation: Many vlan in a location?

    Posted Jan 19, 2012 02:09 AM

    That's the thing, at some location there's only 1 PC/Server as dedicated GUP to cover the whole area.

    We can't pick other PC/Server as GUP....

     

    Would you think LUA is better in this situation?



  • 9.  RE: SEPM single GUP limitation: Many vlan in a location?

    Broadcom Employee
    Posted Jan 19, 2012 02:34 AM

    Assuming the client is unable to communicate with the GUP machine on the GUP port (2967), LUA would help here.



  • 10.  RE: SEPM single GUP limitation: Many vlan in a location?

    Posted Jan 19, 2012 02:55 AM

    hmm

    Sorry if bugging,

     

    For my situation, it won't be connecting to the single GUP, right, as those clients in different VLANs are in different subnets?



  • 11.  RE: SEPM single GUP limitation: Many vlan in a location?

    Posted Jan 19, 2012 03:34 AM

    Hi

     

    Are you able to telnet to port 2967?

     



  • 12.  RE: SEPM single GUP limitation: Many vlan in a location?

    Posted Jan 19, 2012 03:53 AM

    When using Single GUP option, SEP clients are able to cross subnets to access the GUP.  As Manish has mentioned above, this will require you open the GUP port (2967 by default) between these subnets.

    With the Multiple GUP option, SEP Clients will pick from the list of GUPs only the one that is in their own subnet to update from.  When using the Multiple GUP option, you are also able to define a Backup GUP.  This Backup GUP is used if a SEP client cannot contact the GUP in its own subnet.  The Backup GUP acts the same way as a Single GUP, and may be used by SEP clients from other subnets.

    All GUPs are meant to be able to handle up to about 10k SEP clients each (subject to hardware on the GUP).

    Hopefully, this little bit of background info will help you decide how you want to proceed.



  • 13.  RE: SEPM single GUP limitation: Many vlan in a location?

    Broadcom Employee
    Posted Jan 19, 2012 04:05 AM

    thumbs up to SMLatCST!

    Hopefully that answers your question. The backup GUP will serve as the distribution point.



  • 14.  RE: SEPM single GUP limitation: Many vlan in a location?

    Posted Jan 19, 2012 04:23 AM

    When using Single GUP option, SEP clients are able to cross subnets to access the GUP.  As Manish has mentioned above, this will require you open the GUP port (2967 by default) between these subnets.

     

     

    This is an important piece of information. We actually had a Symantec consultant coming in at the end of last year and we had a discussion on GUP architecture.

    He mentioned that if we use the current setting (single GUP), only clients in that segment/subnet will update via GUP.

     

    Actually it's not mentioned specifically in the Readme/Guide that the clients will cross subnets to the single GUP..... (correct me if I'm wrong... I'm still looking around)

     

    I'm kinda blur right now....need to do some testing on this



  • 15.  RE: SEPM single GUP limitation: Many vlan in a location?

    Posted Jan 19, 2012 04:31 AM

    Here's a handy article :)

    http://www.symantec.com/docs/TECH139867

     

    "However, there are two situations where a GUP in a different subnet may be contacted:
    • If you have configured a "Backup" Group Update Provider on a different subnet (if Group Update Providers on the local subnet are unavailable). 
    • If you have configured a GUP from a different Subnet as a Single Group Update Provider."


  • 16.  RE: SEPM single GUP limitation: Many vlan in a location?

    Broadcom Employee
    Posted Jan 19, 2012 04:38 AM

    Yes, the consultant is correct, since he/she is talking about the single GUP.

    When you select the multiple GUP configuration there is a provision for having a backup GUP. Click on the help button there and you will get this information:

     

    Specify the host name or IP address of a Group Update Provider on a different subnet to be used if Group Update Providers on the local subnet are unavailable

    Specify the IP address or host name of a Group Update Provider on another subnet. Clients use this Group Update Provider if the Group Update Providers on the local subnet are unavailable.



  • 17.  RE: SEPM single GUP limitation: Many vlan in a location?

    Posted Jan 19, 2012 05:00 AM

    Ok, thanks again.

     

    Can I 'cheat' the multiple GUP?

    I will use exactly the same GUP as primary and backup so that all clients will actually only be connecting to one IP.

     

    regards



  • 18.  RE: SEPM single GUP limitation: Many vlan in a location?

    Posted Jan 19, 2012 05:46 AM

    As per the article, a Single GUP can be contacted by SEP clients from different subnets.

    #EDIT# The only thing to add at this point is to suggest you test this all out, especially with conflicting accounts of the GUP behaviour...

    I'm with the article with this one, that when using the Single GUP option, the SEP clients will use it regardless of whether or not it is in the same subnet (provided the GUP port is open).



  • 19.  RE: SEPM single GUP limitation: Many vlan in a location?

    Posted Jan 19, 2012 03:37 PM

    Dear SMLatCST

    Thank you, this is the most comprehensive answer in the thread. That really does cover all the major points in a clear manner.

    Two things I'd like to add.

    VLAN crossing will not happen if you have multiple GUPs defined in the LiveUpdate policy. It will only happen when a single GUP is defined (or clients communicate with the backup GUP as explained earlier). I'm restating differently what you said, to make it clearer.

    Location awareness (together with multiple LiveUpdate policies) is very effective when all your clients are in one group.



  • 20.  RE: SEPM single GUP limitation: Many vlan in a location?

    Posted Jan 19, 2012 04:11 PM

    You've got your HQ location with the SEPM

    1. You've got one remote office (with multiple VLANs) where you want to place a GUP?
      1. Create a separate group for your clients
      2. Create a new LiveUpdate policy for this new group
      3. Assign only a single GUP to this LU policy
    2. You've got multiple remote offices (each with multiple VLANs) where you want to place one GUP each?
      1. Perform the sub-steps from the previous list for each group
    3. You've got one client group, multiple remote offices (with multiple VLANs each) and need a GUP at each remote location?
      1. Use location awareness
        1. Create a new SEP location for every remote office.
        2. The definition of every SEP location must specify the default gateways of every VLAN at that remote office.
        3. For every SEP location, create a new LU policy, specifying only one GUP

     Hope that explains the available options for you.



  • 21.  RE: SEPM single GUP limitation: Many vlan in a location?

    Posted Jan 20, 2012 05:18 AM

    Thanks for the reply all.

     

    So VLAN crossing will happen if we have only single GUP at that location?  @@

    Sorry, I saw two different answers in this thread...

     

    Refer to @Pete's answer below:

     

    This is an important piece of information. We actually had a Symantec consultant coming in at the end of last year and we had a discussion on GUP architecture.

    He mentioned that if we use the current setting (single GUP), only clients in that segment/subnet will update via GUP.

    --------------------------------

    yes, the consultant is correct. Since he/she is talking about the single GUP.



  • 22.  RE: SEPM single GUP limitation: Many vlan in a location?
    Best Answer

    Posted Jan 20, 2012 07:30 AM

    Essentially:

    Single GUP mode - is not restricted by subnet.  The defined GUP can be in a different subnet than the SEP Client that is attempting to use it.

    Multiple GUP mode - this is restricted to only the same subnet.  So the GUP must be in the same subnet as the SEP client that is attempting to use it.

    Backup GUP - you can only configure this when using Multiple GUP mode, but acts the same as a Single GUP (i.e. is not restricted by subnet, and can be used by SEP Clients in a different subnet)

    This is supported by the article below:

    http://www.symantec.com/docs/TECH139867

    But as I mentioned before, because of the conflicting advice on this thread, I'd advise you just test it out to make sure you're happy with its operation in your own mind.
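
The three modes summarised in the answer above, modelled as an added example (not part of the thread and not Symantec code): for each VLAN it works out which GUP a client would use and which TCP 2967 flows a firewall between VLANs has to permit. The site addresses and function names are constructed, and the model encodes only the behaviour described in this thread.

```python
import ipaddress

GUP_PORT = 2967  # default GUP port quoted in the thread

def pick_gup(client_net, mode, gups, backup=None):
    """Return (gup_ip, crosses_subnet) for clients in client_net, or None.

    single   : the one defined GUP is used regardless of subnet
    multiple : only a GUP inside the client's own subnet is used; failing
               that, the Backup GUP (if set), which is not subnet-bound
    """
    net = ipaddress.ip_network(client_net)
    addrs = [ipaddress.ip_address(g) for g in gups]
    if mode == "single":
        if len(addrs) != 1:
            raise ValueError("single mode takes exactly one GUP")
        return str(addrs[0]), addrs[0] not in net
    if mode == "multiple":
        local = [a for a in addrs if a in net]
        if local:
            return str(local[0]), False
        if backup is not None:
            b = ipaddress.ip_address(backup)
            return str(b), b not in net
        return None  # no GUP usable from this subnet
    raise ValueError(f"unknown mode: {mode}")

def inter_vlan_rules(vlans, mode, gups, backup=None):
    """Return (flows to allow between VLANs, VLANs left without a GUP)."""
    rules, uncovered = [], []
    for vlan in vlans:
        choice = pick_gup(vlan, mode, gups, backup)
        if choice is None:
            uncovered.append(vlan)
        elif choice[1]:  # GUP sits in another subnet: firewall/ACL must pass it
            rules.append((vlan, choice[0], GUP_PORT))
    return rules, uncovered

# Constructed site: three VLANs, one host (10.20.1.10) available as GUP.
SITE = ["10.20.1.0/24", "10.20.2.0/24", "10.20.3.0/24"]
GUP = "10.20.1.10"

if __name__ == "__main__":
    print("single  :", inter_vlan_rules(SITE, "single", [GUP]))
    print("multiple:", inter_vlan_rules(SITE, "multiple", [GUP]))
    print("backup  :", inter_vlan_rules(SITE, "multiple", [GUP], backup=GUP))
```

The rule list is what to hand to whoever owns the inter-VLAN ACLs: only the listed source subnets need to reach the GUP on 2967, and any VLAN reported as uncovered has no GUP under that policy.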



  • 23.  RE: SEPM single GUP limitation: Many vlan in a location?

    Broadcom Employee
    Posted Jan 20, 2012 07:50 AM

    thumbs up again and sorry for the confusion.. :-(,   

     

    • If you have configured a GUP from a different Subnet as a Single Group Update Provider.

     

    I will be editing my earlier response.



  • 24.  RE: SEPM single GUP limitation: Many vlan in a location?

    Broadcom Employee
    Posted Jan 20, 2012 07:54 AM

    :-), hope this answers your question

    There are two configurations:

    1) Single GUP

    Here only one GUP is configured. A GUP in a different subnet may be contacted if you have configured a GUP from a different Subnet as a Single Group Update Provider.

    2) Multiple GUP

    Multiple GUPs can be configured and you have the facility to add a backup GUP. This Backup GUP is used if a SEP client cannot contact the GUP in its own subnet.



  • 25.  RE: SEPM single GUP limitation: Many vlan in a location?

    Posted Jan 22, 2012 05:55 PM

    Hi.

    Please mark the post that answered your question the best as the answer to this thread. As to the confusing posts, please vote them down. That will help clear the confusion.



  • 26.  RE: SEPM single GUP limitation: Many vlan in a location?

    Posted Jan 25, 2012 02:57 AM

    Thanks all for the response and help.

    It's these little things and nuances that make it interesting to master SEP.

     

     

    I'm going to vote @SMLatCST as best answer for clear explanation.