Setting up Multiple GUPs SEP11 RU5
I am looking to use the Multiple GUP feature in SEP11 RU5 and I'm having some issues. Here is the setup:
We have one primary group.. Let's just call it "Company"
Under this group, we have 10-15 location policies which segregate out the functionality of the devices so we can define what policies are necessary for each. We are looking to move most of our workstations (1000+) under one location but for it to choose the GUP based on the Subnet it's located in. We have around 100 sites that these workstations are spread through.
Under the GUP Configuration, I have tested setting up the GUPs based on IP address and by hostname (separate rule sets tested). In either case, the policies get pushed down, the devices designated as GUPs report this to the SEPM console and I can see this under the device setting for "Group Update Provider." I have also verified that the SharedUpdates folder exists on these devices. At this point, the clients on the local subnet are not attaching to these GUPs. They continue to fail back to the SEPM server.
Is there something I'm missing?
Comments
Try disabling the failover to
Try disabling the failover to SEPM in the policy.
Also ensure the port TCP 2967 is open and the clients are able to talk to the GUP on 2967
GUP & RU5
Hi,
Managing Group Update Providers
Step 1: Verify client communication - Before you configure Group Update Providers, verify that the clients can receive content updates from the server. Resolve any client-server communication problems. You can view client-server activity in the System logs.
Step 2: Configure Group Update Providers - You configure Group Update Providers by specifying settings in the LiveUpdate Settings Policy. You can configure a single Group Update Provider or multiple Group Update Providers.
Step 3: Assign the LiveUpdate Settings Policy to groups - You assign the LiveUpdate Settings Policy to the groups that use the Group Update Providers. You also assign the policy to the group in which the Group Update Provider resides. For a single Group Update Provider, you assign one LiveUpdate Settings Policy per group per site. For multiple Group Update Providers, you assign one LiveUpdate Settings Policy to multiple groups across subnets.
Step 4: Verify that clients are designated as Group Update Providers - You can view the client computers that are designated as Group Update Providers. You can search client computers to view a list of Group Update Providers. A client computer's properties also show whether or not it is a Group Update Provider.
You can configure two types of Group Update Providers: a single Group Update Provider or multiple Group Update Providers:
Single Group Update Provider: A single Group Update Provider is a dedicated client computer that provides content for one or more groups of clients. A single Group Update Provider can be a client computer in any group. To configure a single Group Update Provider, you specify the IP address or host name of the client computer that you want to designate as the Group Update Provider.
Multiple Group Update Provider: Multiple Group Update Providers use a set of rules, or criteria, to elect themselves to serve groups of clients across subnets. To configure multiple Group Update Providers, you specify the criteria that client computers must meet to qualify as a Group Update Provider. If a client computer meets the criteria, the Symantec Endpoint Protection Manager adds the client to its list of Group Update Providers. Symantec Endpoint Protection Manager then makes the list available to all the clients in your network. Clients check the list and choose the Group Update Provider that is located in their subnet. You can also configure a single, dedicated Group Update Provider to distribute content to clients when the local Group Update Provider is not available.
Use multiple Group Update Providers when your network includes any of the following scenarios:
You run the latest client software on the computers in your network
Multiple Group Update Providers are supported on the computers that run the latest client software. Multiple Group Update Providers are not supported by legacy clients. Legacy clients cannot get content from multiple Group Update Providers. Legacy clients cannot be designated as a Group Update Provider even if they meet the criteria for multiple Group Update Providers. You can create a separate LiveUpdate Settings Policy and configure a single, static Group Update Provider for a group of legacy clients.
You have multiple groups and want to use different Group Update Providers for each group
You can use one policy that specifies rules for the election of multiple Group Update Providers. If clients change locations, you do not have to update the LiveUpdate Settings Policy. The Symantec Endpoint Protection Manager combines multiple Group Update Providers across sites and domains. It makes the list available to all clients in all groups in your network.
Multiple Group Update Providers can function as a failover mechanism. Multiple Group Update Providers ensure a higher probability that at least one Group Update Provider is available in each subnet.
About configuring rules for multiple Group Update Providers
Multiple Group Update Providers use rules to determine which client computers act as a Group Update Provider.
Rules are structured as follows:
Rule sets
A rule set includes the rules that a client must match to act as a Group Update Provider.
Rules
Rules can specify IP addresses, host names, client registry keys, or client operating systems. You can include one of each rule type in a rule set.
Rule conditions
A rule specifies a condition that a client must match to act as a Group Update Provider. If a rule specifies a condition with multiple values, the client must match one of the values.
Rule types
IP address or host name - This rule specifies client IP addresses or host names.
Registry keys - This rule specifies client registry keys.
Operating system - This rule specifies client operating systems.
Rules are matched based on the logical OR and AND operators as follows:
Multiple rule sets are OR'ed. A client must match one rule set.
Multiple rules are AND'ed. A client must match all the rules that are specified in a rule set.
Multiple values for a rule condition are OR'ed. A client must match one value. For example, you might create RuleSet1 that includes an IP address rule with several IP addresses. You then create RuleSet2 that includes a host name rule and an operating system rule each with multiple values. A client computer must match either RuleSet1 or RuleSet2. A client matches RuleSet1 if it matches any one of the IP addresses. A client matches RuleSet2 if it matches any one of the host names and any of the operating systems.
Configuring a Group Update Provider
You configure a Group Update Provider by specifying settings in the LiveUpdate Settings Policy.
You can configure the LiveUpdate Settings Policy so that clients only get updates from the Group Update Provider and never from the server. You can specify when clients must bypass the Group Update Provider. You can configure settings for downloading and storing content updates on the Group Update Provider computer.
You can also configure the type of Group Update Provider.
Note: If the Group Update Provider runs a non-Symantec firewall, you might need to modify the firewall to permit the TCP port to receive server communications. By default, the Symantec Firewall Policy is configured correctly.
To configure a Group Update Provider
In the console, click Policies.
Under View Policies, click LiveUpdate.
In the LiveUpdate Policies pane, on the LiveUpdate Settings tab, select the policy to edit.
In the Tasks pane, click Edit the Policy.
In the LiveUpdate Policy window, click Server Settings.
On the Server Settings page, under Internal or External LiveUpdate Server, check Use the default management server (recommended). Do not check Use a LiveUpdate server. The Group Update Provider that you configure acts as the default LiveUpdate server.
Under Group Update Provider, check Use the Group Update Provider.
Click Group Update Provider.
In the Group Update Provider dialog box, configure the type of Group Update Provider. (Note: Legacy clients can only use a single Group Update Provider. Legacy clients do not support multiple Group Update Providers.)
In the Group Update Provider dialog box, configure the options to control how content is downloaded and stored on the Group Update Provider computer. Click Help for information about content downloads.
Click OK.
Configuring a single Group Update Provider
You can configure only one single Group Update Provider per LiveUpdate Settings Policy per group. To create a single Group Update Provider for multiple sites, you must create one group per site, and one LiveUpdate Settings Policy per site.
To configure a single Group Update Provider
Follow the steps to configure a Group Update Provider.
In the Group Update Provider dialog box, under Group Update Provider Selection for Client, check Single Group Update Provider IP address or host name.
In the Single Group Update Provider IP address or host name box, type the IP address or host name of the client computer that acts as the single Group Update Provider.
Click Help for information about the IP address or host name.
Configuring multiple Group Update Providers
You can configure multiple Group Update Providers by specifying criteria in a LiveUpdate Settings Policy. Clients use the criteria to determine if they qualify to act as a Group Update Provider.
To configure multiple Group Update Providers
Follow the steps to configure a Group Update Provider.
In the Group Update Provider dialog box, under Group Update Provider Selection for Client, check Multiple Group Update Providers.
Click Configure Group Update Provider List.
In the Group Update Provider List dialog box, select the tree node Group Update Provider.
Click Add to add a rule set.
In the Specify Group Update Provider Rule Criteria dialog box, in the Check drop-down list, select one of the following:
Computer IP Address/Host Name
Registry Keys
Operating System
If you selected Computer IP Address/Host Name or Registry Keys, click Add.
Type or select the IP address, registry key, or operating system information. Click Help for information on configuring rules.
Click OK until you return to the Group Update Provider dialog box.
In the Group Update Provider List dialog box, optionally add more rule sets.
Type a Group Update Provider IP address or host name in the Specify the host name or IP address of a Group Update Provider on a different subnet to be used, if Group Update Providers on the local subnet are unavailable text box.
Click OK.
Thanks & Regards Sandip C Sali
Hi Mark, I am also trying to
Hi Mark,
I am also trying to achieve the same thing as you, but where you are further down the path than me - I'm trying to find a feasible way of setting multiple GUPs up.
We have 200 sites, with probably around 330 subnets.
All clients are in the DESKTOPS group I created - Do I create a single LU policy or do I need one per subnet?
Still confused how to set this, because if a policy per subnet needs to be required, seems to be the same admin involved as specifying a single GUP (i.e. one per IP range, etc.) - I must be wrong but anyone help else around multiple GUPs in an environment with many sites, but a single group in SEPM?
Good post Sandip, reading now as well...
A single LU policy for the
A single LU policy for the group is fine!!
Create a wildcard rule for the GUP determination and then setup a central fallback GUP just for clients that can't connect to the local one
Z
I have verified the
I have verified the following:
- I can telnet to the GUPs on 2967.
- We are running RU5 on all of the devices we are testing.
- The GUPs have the SharedUpdates directory and are updating from the SEPM server appropriately.
- We do not have firewalls running on the clients or GUPs.
- The Setup for the multiple GUPs looks like this:
Rule Set 1
IP Address and Host Names
172.16.1.20
Rule Set 2
IP Address and Host Names
172.17.1.20
Now my assumption by this is that if the IP of a device is on the 172.16.x.x network it should find the 172.16.1.20 GUP. A device on the 172.17.x.x network should find the 172.17.1.20 GUP. This would be with the hopes that if a device travels between these two networks from time to time, they will find the local GUP.
@Divinci - That's where I'm hoping to end up. I would imagine the use of Multiple GUPs would be useless if you had to create a separate LU policy per subnet.
GUP choice is based entirely
GUP choice is based entirely on subnet MASK!
A device on the 172.17.x.x network will only choose the 172.17.1.20 GUP if they are both on a /16 network.
Or if the device is actually in the 172.17.1.x/24 network
If the SEP client is 172.17.3.1/24 then it will NOT choose that GUP, as it is a different /24.
Hope that makes sense...
Z
I'm also having a similar
I'm also having a similar problem. We are rolling out SEP MU5. SEP seems to only look at class C subnets and sees a class B subnet as a different one so it falls back to the SEP Manager Server.
I set a GUP up at 10.100.10.2 and a client at 10.100.100.20 both with a 255.255.0.0 subnet mask, and the client will not look to the GUP for updates. When I set the client's IP to 10.100.10.5 it will work fine.
I called Symantec Ent. Support yesterday and I talked to a different tech today. Both were NOT familiar with these new features of MU5 and have not been very helpful. As long as you are on the same class C range it seems to work fine.
We have about 30 sites with PCs and laptops, 2 groups, using 1 live update policy with the multiple GUPs specified by IP address.
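An added example, not part of any post in this thread and not Symantec's code: a Python model of the rule-set logic quoted from the documentation above (rule sets OR'ed, rules AND'ed, values OR'ed) combined with the two subnet behaviours described in the replies, so an administrator can predict which clients have no local GUP. The IP addresses come from the thread; host names, operating system strings and the function names are constructed for illustration.

```python
import ipaddress

def rule_matches(rule_type, values, client):
    """Multiple values in one rule condition are OR'ed."""
    if rule_type == "address":  # IP address or host name rule
        own = {client["ip"], client["host"].lower()}
        return any(v.lower() in own for v in values)
    if rule_type == "os":
        return client["os"] in values
    if rule_type == "registry":
        return any(v in client.get("registry", ()) for v in values)
    raise ValueError(f"unknown rule type: {rule_type}")

def is_gup(client, rule_sets):
    """Rule sets are OR'ed; rules in a set are AND'ed. Empty sets never match."""
    return any(rs and all(rule_matches(t, v, client) for t, v in rs.items())
               for rs in rule_sets)

def local_gups(client, gups, prefix=None):
    """GUPs inside the client's subnet. prefix=None uses the client's own
    mask (the rule stated in the thread); prefix=24 models the /24-only
    behaviour another poster reported."""
    suffix = client["mask"] if prefix is None else prefix
    net = ipaddress.ip_network(f"{client['ip']}/{suffix}", strict=False)
    return [g["host"] for g in gups if ipaddress.ip_address(g["ip"]) in net]

# Constructed inventory using the addresses quoted in the thread.
XP, SRV = "Windows XP", "Windows Server 2003"
CLIENTS = [
    {"host": "gup-a", "ip": "10.100.10.2", "mask": "255.255.0.0", "os": SRV},
    {"host": "pc-far", "ip": "10.100.100.20", "mask": "255.255.0.0", "os": XP},
    {"host": "pc-near", "ip": "10.100.10.5", "mask": "255.255.0.0", "os": XP},
    {"host": "gup-b", "ip": "172.17.1.20", "mask": "255.255.255.0", "os": SRV},
    {"host": "pc-b", "ip": "172.17.3.1", "mask": "255.255.255.0", "os": XP},
    {"host": "filesrv", "ip": "172.17.3.9", "mask": "255.255.255.0", "os": XP},
]
RULE_SETS = [
    {"address": ["10.100.10.2", "172.17.1.20"]},  # RuleSet1: any listed IP
    {"address": ["FILESRV"], "os": [SRV]},        # RuleSet2: host name AND OS
]

def report():
    """Per non-GUP client: (local GUPs by own mask, local GUPs if /24 only)."""
    gups = [c for c in CLIENTS if is_gup(c, RULE_SETS)]
    return {c["host"]: (local_gups(c, gups), local_gups(c, gups, prefix=24))
            for c in CLIENTS if c not in gups}

if __name__ == "__main__":
    for host, (own_mask, slash24) in report().items():
        print(f"{host}: own mask -> {own_mask}, /24 only -> {slash24}")
```

An empty list means the client has no GUP in its subnet and would use the fallback GUP or the SEPM server; a client whose two lists differ, such as the 10.100.100.20 machine here, is one where the two behaviours described in the thread disagree.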
Regarding my issue, I don't
Regarding my issue, I don't know if this helps anyone else, but after a number of hours online with Symantec Support, there is a known "bug" in RU5 where if you have your SEPM data directory installed in a location different than the program default, GUPs do not update the clients. I was told either the next MR (which is currently in development but not scheduled) or to run the SEPM configuration Wizard out of the Program Files directory and change the Data folder back to the default to fix the issue.
We will be changing this in the upcoming days so I will provide a response after that time if that solved the issue!
is this the final solution....
...wait for the next update...?
This issue looks like it has
This issue looks like it has already been marked as solved by the thread owner. So please try to not post on old threads, especially when they have already been solved.
Thanks
Grant
Please don't forget to mark your thread solved with whatever answer helped you : )