Endpoint Protection

Hello,

as I understand since 12.1 RU2, Explicit GUP permits to map a GUP regardless subnets and Globallist.xml, and without assigning any GUP in this group (Single GUP option needed for that). Single GUP forces clients of this group to map this GUP regardless subnets and Globallist.xml, and assigning the GUP selected in the option.

=> What is hte real difference between the 2 options excepted the GUP assignment ? if these 2 guarantee that clients won't go on another GUP even if on the same subnet of my clients, but only on the one in the LU (Explicit or Single), I don't understand...

Thanks in advance for your help.

Regards

About the types of Group Update Providers

See this

https://www-secure.symantec.com/connect/forums/group-update-provider-gup-0

See here

Understanding "Explicit Group Update Providers (GUPs) for Roaming Clients" in Symantec Endpoint Protection (SEP) 12.1.2

• Single Group Update Provider

  A single Group Update Provider is a dedicated client computer that provides content for one or more groups of clients. A single Group Update Provider can be a client computer in any group. To configure a single Group Update Provider, you specify the IP address or host name of the client computer that you want to designate as the Group Update Provider. A single Group Update Provider is a static Group Update Provider.

  Configuring a single Group Update Provider turns a single client into a Group Update Provider.

• Explicit Group Update Providers list

  You can configure an explicit list of Group Update Providers that clients can use to connect to Group Update Providers that are on subnets other than the client's subnet. Clients that change location frequently can then roam to the closest Group Update Provider on the list.

  An explicit Group Update Providers list does not turn clients into Group Update Providers. You use an explicit Group Update Provider list to map the client subnet network addresses to the Group Update Providers. You identify the Group Update Providers by any of following means:

  
  

  • IP address

  • Host name

  • Subnet

  Explicit Group Update Providers can be static or dynamic, depending on how you configure them. If you use an IP address or a host name to configure an explicit Group Update Provider, then it is a static Group Update Provider. This difference affects how Group Update Providers act in networks that mix legacy version clients and managers with clients and managers from the current release.

  If you use a subnet to designate a Group Update Provider, it is dynamic, as clients search for a Group Update Provider on that subnet.

  Note:

  This subnet is the Group Update Provider subnet network address, which is sometimes also referred to as the network prefix or network ID.

Check this document

What is the processing order of an Explicit GUP list within version 12.1.2 of Symantec Endpoint Protection?

http://www.symantec.com/docs/TECH196741

Hello,

I understand the difference regarding the fact that Explicit GUP is only for clients, contrarly to Single GUP that is used for GUP and clients.

But I still have some doubts about the subnet criteria and the fact that Single or Explicit may guarantee the usage of a specific GUP (and only this one), whatever the subnet and even if another GUP on the same subnet than the client.

Regards

All the Gups are made available to clients

Please go through these lines, apologies if you hav already checked this or linked earlier

==========

When you configure single or multiple Group Update Providers in policies, then Symantec Endpoint Protection Manager constructs a global list of all the providers that have checked in. By default, on 32-bit operating systems, this file is \Program Files\Symantec\Symantec Endpoint Protection Manager\data\outbox\agent\gup\globallist.xml. Symantec Endpoint Protection Manager provides this global list to any client that asks for it so that the client can determine which Group Update Provider it should use. Because of this process, clients that have policies with only multiple or explicit Group Update Providers configured can also use single Group Update Providers, if the single provider meets the explicit mapping criterion. This phenomenon can occur because single providers are a part of the global list of providers that the clients get from their Symantec Endpoint Protection Manager.

So, all of the Group Update Providers that are configured in any of the policies on a Symantec Endpoint Protection Manager are potentially available for clients' use. If you apply a policy that contains only an explicit Group Update Provider list to the clients in a group, all of the clients in the group attempt to use the Group Update Providers that are in the Symantec Endpoint Protection Manager global Group Update Provider list that meet the explicit mapping criteria.

If all types of Group Update Providers are configured in the policies on a Symantec Endpoint Protection Manager, then clients try to connect to Group Update Providers in the global list in the following order:

You can configure the following types of explicit mapping criteria:

Multiple mapping criteria can be used in an explicit Group Update Provider list in a single policy. Symantec recommends that you be very careful how you configure multiple mapping criteria to avoid unintended consequences. For example, you can strand your clients without a means of obtaining updates if you misconfigure an explicit mapping.

Consider a scenario with the following multiple explicit mapping criteria configured in a single policy:

With this explicit Group Update Provider policy, if a client is in subnet 10.1.2.0, the first four rules apply; the fifth rule does not. If the client is in a subnet for which no mapping is specified, such as 10.15.1.0, then none of the rules apply to that client. That client's policy says to use an explicit Group Update Provider list, but there is no mapping that the client can use based on these rules. If you also disabled that client's ability to download updates from Symantec Endpoint Protection Manager and the Symantec LiveUpdate server, then that client has no usable update method.