
Single GUPs vs. Group Update Provider List

Created: 17 Aug 2012 | 3 comments

In our environment we have several sites with groups defined for each (actually an Active Directory sync).  Within each group a local GUP server is defined to update clients on the local LAN.  What I’m wondering about is what happens if a user whose machine is in a group that has the GUP defined for their local LAN travels to another site.  If a definition update is available, does it go over the WAN to the GUP defined for their group even though there may be a GUP at the location they are at?  I’m guessing yes.

If I create a group update provider list will this resolve the problem?  I’m thinking that the way this works is that the client sees that there’s an update available and then checks the local subnet for a GUP and pulls the update from it?

If the site would not have a GUP set up and nothing is configured in the group update provider list that falls within the subnet that the client is located in, would the client then go to the SEPM server to get its update?


Ashish-Sharma

Hi,

Read this article...

Understanding and Identifying the different Group Update Provider (GUP) Options in SEP 11.0.5 RU5 and Later

http://www.symantec.com/business/support/index?page=content&id=TECH139867

 

What's new in Group Update Providers in RU5 release of Symantec Endpoint Protection 11.0

https://www-secure.symantec.com/connect/articles/whats-new-group-update-providers-ru5-release-symantec-endpoint-protection-110

Thanks In Advance

Ashish Sharma

 

 

Chetan Savade

Hi,

If a definition update is available does it go over the WAN to the GUP defined for their group even though there may be a GUP at the location they are at?  I’m guessing yes.

--> Your guess is correct.

Single Group Update Provider:

A single Group Update Provider is a dedicated client computer that provides content for one or more groups of clients. A single Group Update Provider can be a client computer in any group. To configure a single Group Update Provider, you specify the IP address or host name of the client computer that you want to designate as the Group Update Provider.

Multiple Group Update Provider

Multiple Group Update Providers use a set of rules, or criteria, to elect themselves to serve groups of clients across subnets. To configure multiple Group Update Providers, you specify the criteria that client computers must meet to qualify as a Group Update Provider.

If a client computer meets the criteria, the Symantec Endpoint Protection Manager adds the client to its list of Group Update Providers. Symantec Endpoint Protection Manager then makes the list available to all the clients in your network. Clients check the list and choose the Group Update Provider that is located in their subnet.

You can also configure a single, dedicated Group Update Provider to distribute content to clients when the local Group Update Provider is not available.

Check this article for more details:

https://www-secure.symantec.com/connect/articles/w...

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Appel

Some of the details in these articles are over my head, I’m sorry to say, but here’s my take on this.

We’re doing an Active Directory sync pulling in our OU structure.

Top level OUs are Asia, Europe, and North America.

So as an example, for North America we have an OU for all domain controllers located right under North America. The other OUs under North America are for companies that we have in North America.  Under each company OU we have different physical locations that a company may have, and they have their own subnet, and a domain controller from the domain controllers OU would be sitting on their LAN.  Under each physical location there is an OU for computers and under that, OUs for laptops, servers, and workstations.  So the structure looks something like this.

NorthAmerica
  |_Domain Controllers
      |_ Company1
           |_ Site1
                |_Computers
                    |_laptops
                    |_ servers
                    |_ workstations
           |_ Site2
                |_Computers
                    |_laptops
                    |_ servers
                    |_ workstations
      |_ Company2
           |_ Site1
                |_Computers
                    |_laptops
                    |_ servers
                    |_ workstations
           |_ Site2
                |_Computers
                    |_laptops
                    |_ servers
                    |_ workstations

In my initial setup years ago, at the site1 level I created a policy that defined a GUP that was located in the servers group under site1.  I continued to do this for all companies and sites.  Of course in order to do this I had to disable Inherent Policies.  Not a lot of fun doing this for 90+ sites.  This is all working properly.  So now, looking back at all of this, I’m considering this to simplify things for the future.  At most sites there is a domain controller at the site that is in the Domain Controllers OU.  The DC is in the site’s subnet IP range sitting on their local LAN.  My thinking was to create a LiveUpdate policy for group update providers and add the DCs to a group update provider list.  Once I created this I could apply this and turn inheritance back on.

When creating this policy I would check “use the default management server” and then select “use group update provider”, select the group update provider button, select Multiple Group Update Providers, and Configure List and add the IP addresses of the domain controllers.

So now, if I’ve added the IP address of a domain controller that is part of the site’s subnet from the domain controllers OU, it will now serve as the GUP for the clients in the same subnet.  If there isn’t an IP address in the same subnet listed in the group update provider list, the clients will go to the SEPM server for their updates.

Does this sound correct?  Sorry for so much detail.
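
Added example (not part of the thread and not Symantec code): a small Python model of the content-source choice discussed above, covering the single GUP named in a group policy, the subnet match against a Group Update Provider list, the optional dedicated backup GUP, and the management-server fallback described in the last comment. It also lists site subnets that have no GUP in the planned list. All addresses, the /24 masks and the `sepm` label are constructed for illustration.

```python
import ipaddress

SEPM = "sepm"  # hypothetical label for the default management server

def choose_source(client_if, single_gup=None, gup_list=(), backup_gup=None):
    """Model of where a client fetches content, as described in this thread.

    client_if:  client's current address with prefix, e.g. "10.2.0.57/24"
    single_gup: the one GUP named in the group's policy (single-GUP mode)
    gup_list:   GUP addresses made available to all clients (multiple-GUP mode)
    backup_gup: optional dedicated GUP used when no local GUP is available
    """
    if single_gup:
        # Single mode follows the group policy, not the client's location,
        # so a travelling laptop still reaches back to its home-site GUP.
        return single_gup
    net = ipaddress.ip_interface(client_if).network
    local = sorted(g for g in gup_list if ipaddress.ip_address(g) in net)
    if local:
        # The thread does not say how ties are broken; take the first
        # address so the model is deterministic.
        return local[0]
    # Assumes "use the default management server" is checked in the policy.
    return backup_gup or SEPM

def uncovered_subnets(site_subnets, gup_list):
    """Return site subnets containing no listed GUP (their clients leave the LAN)."""
    gups = [ipaddress.ip_address(g) for g in gup_list]
    return [s for s in site_subnets
            if not any(g in ipaddress.ip_network(s) for g in gups)]

# Constructed sample data: three sites, domain controllers at two of them.
SITES = ["10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"]
DC_GUPS = ["10.1.0.10", "10.2.0.10"]

if __name__ == "__main__":
    laptop_at_site2 = "10.2.0.57/24"  # Site1 laptop visiting Site2
    print("single GUP policy :", choose_source(laptop_at_site2, single_gup="10.1.0.10"))
    print("GUP list policy   :", choose_source(laptop_at_site2, gup_list=DC_GUPS))
    print("no GUP on subnet  :", choose_source("10.3.0.57/24", gup_list=DC_GUPS))
    print("sites without GUP :", uncovered_subnets(SITES, DC_GUPS))
```

Running the subnet check against the real site list before turning inheritance back on shows which locations would pull definitions across the WAN.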