SEPM single GUP limitation: Many vlan in a location?
Updated: 25 Jan 2012 | 25 comments
This issue has been solved. See solution.
Hi All,
As per topic, let's say we have assign a single GUP in a location... it will only cover clients with same subnet/ip segment right?
How if there's many vlan in that location?
I was thinking is this a limitation using single GUP? Would it be good if we use LUA to cover this location?
Discussion Filed Under:
Comments
it may be help
it may be help you.
http://www.symantec.com/business/support/index?page=content&id=TECH96419
http://www.symantec.com/business/support/index?page=content&id=TECH96417
Thanks In Advance.
Manish
Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
I would rephrase my questions
I would rephrase my questions a below:
Will a single GUP enough to cover a location with multiple VLANs?
In this scenario, what's the advantage if we put a LUA instead of a single GUP?
Best practices for Group
Best practices for Group Update Provider (GUP) from Symantec Endpoint Protection
Problem
You would like recommendations on how to configure GUP's within the Symantec Endpoint Protection Manager MR3 or earlier builds to help preserve LAN and WAN bandwidth and to provide most reliable performance.
Solution
The following suggestions will help the overall efficiency and performance of the GUP's to preserve network bandwidth:
Thanks In Advance.
Manish
Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
I would rephrase my questions
I would rephrase my questions a below:
Will a single GUP enough to cover a location with multiple VLANs?
Since assuming these would be different subnet, you can have multiple GUP functionality.
In this scenario, what's the advantage if we put a LUA instead of a single GUP?
Advantage of having LUA in case it has more clients to distribute content and you have other Symantec products which will get the updates from LUA.
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
Thanks all. One of the
Thanks all.
One of the issue there's only 1 PC/Server that we can dedicate as GUP... that's why we're exploring option via LUA.
We can't afford to have clients with different subnets/segment to get definitions directly from HQ.
having multiple GUP's ( each
having multiple GUP's ( each GUP in one of the subnet) along with the backup GUP might help to suit your requirement.
If the client do not find the GUP in subnet, it can check with the backup GUP (even out of subnet, however communicating with 2967) will update the clients in diff. subnet.
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
That's the thing, at some
That's the thing, at some location there's only 1 PC/Server as dedicated GUP to cover the whole area.
We can't pick other PC/Server as GUP....
Would you think LUA better in this situation?
assuming the client is unable
assuming the client is unable to communicate to GUP machine on the GUP port ( 2967). LUA would help here.
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
hmm Sorry if bugging, For
hmm
Sorry if bugging,
For my situation it won't be connecting to the single GUP right as those clients in different vlan are in different subnet?
HI Are you able telnet port
HI
Are you able telnet port 2967.
Thanks In Advance.
Manish
Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
A little background...
When using Single GUP option, SEP clients are able to cross subnets to access the GUP. As Manish has mentioned above, this will require you open the GUP port (2967 by default) between these subnets.
With the Multiple GUP option, SEP Clients will pick from the list of GUPs only the one that is in their own subnet to update from. When using the Multiple GUP option, you are also able to define a Backup GUP. This Backup GUP is used if a SEP client cannot contact the GUP in its own subnet. The Backup GUP acts the sameway as a Single GUP, and may be used by SEP clients from other subnets.
All GUPs are meant to be able to handle upto about 10k SEP clients each (subject to hardware on the GUP).
Hopefully, this little bit of background info will help you decide how you want to proceed.
When using Single GUP option,
When using Single GUP option, SEP clients are able to cross subnets to access the GUP. As Manish has mentioned above, this will require you open the GUP port (2967 by default) between these subnets.
This is important piece of information. We had actually Symantec consultant coming in end of last year and we had discussion on GUP architecture.
He mentioned that if we use current setting (single GUP), only clients in that segment/subnet will that update via GUP.
Actually it's not mentioned specifically in the Readme/Guide that the clients will cross subnet to the single GUP..... (correct me if i'm wrong...i'm still looking around)
I'm kinda blur right now....need to do some testing on this
To help confirm my statements
Here's a handy article :)
http://www.symantec.com/docs/TECH139867
yes, the consultant is
yes, the consultant is correct. Since he/she is talking about the single GUP.
WHen you select the multiple GUP configuration there is provision of having backup gup. CLick on help button there, you will get this information
Specify the host name or IP address of a Group Update Provider on a different subnet to be used if Group Update Providers on the local subnet are unavailable
Specify the IP address or host name of a Group Update Provider on another subnet. Clients use this Group Update Provider if the Group Update Providers on the local subnet are unavailable.
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
Ok, thanks again. Can i
Ok, thanks again.
Can i 'cheat' the multiple GUP?
I will use exactly same GUP as primary and backup so that all clients will actually only connecting to one IP.
regards
There shouldn't be any need...
As per the article, a Single GUP can be contacted by SEP clients from different subnets.
#EDIT# The only thing to add at this point is to suggest you test this all out, especially with conflicting accounts of the GUP behaviour...
I'm with the article with this one, that when using the Single GUP option, the SEP clients will use it regardless of whether or not it is in the same subnet (provided the GUP port is open).
To clarify ...
IYou've got your HQ location with the SEPM
Hope that explains the available options for you.
Re: A little background...
Dear SMLatCST
Thank you, this is the most comprehensive answer in the thread. That really does cover all the major points in a clear manner.
Two things I'd like to add.
VLAN crossing will not happen is you have multiple GUPs defined in the LiveUpdate policy. It will only happen when a single GUP is defined (or clients communicate with the backup GUP as explained earlier). I'm restating differently what you said, to make it clearer.
Location awareness (together with multiple LiveUpdate policies) is very effective when all your clients are in one group.
Thanks for the reply
Thanks for the reply all.
So VLAN crossing will happen if we have only single GUP at that location? @@
Sorry i saw two different answer in this thread...
Refer to @Pete's answer below:
This is important piece of information. We had actually Symantec consultant coming in end of last year and we had discussion on GUP architecture.
He mentioned that if we use current setting (single GUP), only clients in that segment/subnet will that update via GUP.
--------------------------------
yes, the consultant is
yes, the consultant is correct. Since he/she is talking about the single GUP.
:-), hope this answers your
:-), hope this answers your question
There are two configuration
1) single GUP
Here only one GUP is confugured. GUP in a different subnet may be contacted, If you have configured a GUP from a different Subnet as a Single Group Update Provider.
2) Multiple GUP
Multiple GUP can be confgured and you have facility to add a backup GUP.This Backup GUP is used if a SEP client cannot contact the GUP in its own subnet.
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
thumbs up to
thumbs up to SMLatCST!
hopefully that answers you question. The backup GUP will serve as the distribution point.
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
It's all getting a little muddled isn't it?
Essentially:
Single GUP mode - is not restricted by subnet. The defined GUP can be in a different subnet than the SEP Client that is attempting to use it.
Multiple GUP mode - this is restricted to only the same subnet. So the GUP must be in the same subnet as the SEP client that is attempting to use it.
Backup GUP - you can only configure this when using Multiple GUP mode, but acts the same as a Single GUP (i.e. is not restricted by subnet, and can be used by SEP Clients in a different subnet)
This supported by the article below:
http://www.symantec.com/docs/TECH139867
But as I mentioned before, because of the conflicting advice on this thread, I'd advise you just test it out to make sure you're happy with its operation in your own mind.
thumbs up again and sorry for
thumbs up again and sorry for the confusion.. :-(,
i will be editing my earlier response.
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
Mark as answered?
Hi.
Please mark the post that answered your question the best as the answer to this thread. As to the confusing posts, please vote them down. That will help clear the confusion.
Thanks all for the respond
Thanks all for the respond and help.
This little thing and nuance that make it interesting to master SEP.
I'm going to vote @SMLatCST as best answer for clear explanation.
Would you like to reply?
Login or Register to post your comment.