Endpoint Protection

Verify a client is using the GUP

  • 1.  Verify a client is using the GUP

    Posted Aug 01, 2010 06:33 PM

    Hi,

    How do I make sure a client is using the GUP listed in its policy?

    I can see the following registry settings set on the client:

    hklm\software\symantect\symantec endpoint protection\liveupdate\masterclienthost\<ip of gup server>
    hklm\software\symantect\symantec endpoint protection\liveupdate\masterclienthost\usemasterclient - set to 1

    When I use sylink monitor, I see requests going to the IP of the SEPM server, but nothing to the IP of the gup.

    C:\Program Files\Symantec\Symantec Endpoint Protection\debug.log and C:\Program Files\Symantec\Symantec Endpoint Protection\gup.log have no information containing the GUP IP.

    On the GUP itself, the debug.log has no information about the client, and gup.log is blank.

    The GUP and clients are set to PULL, due to firewall restrictions - am I correct in thinking that the client just pulls the NEED to get an update from the SEPM server, and then queries the GUP IP specified in its registry key?

    Everything is using SEPM ver 11.0.6005.562

    Thanks in advance.


  • 2.  RE: Verify a client is using the GUP

    Posted Aug 01, 2010 07:35 PM

    Check this:



    How to confirm if Clients are receiving LiveUpdate content from Group Update Providers (GUPs)



    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/9ea89a195497b6558825768000048660?OpenDocument


  • 3.  RE: Verify a client is using the GUP

    Posted Aug 01, 2010 08:11 PM

    Hi Brian,

    I have enabled the logging, and in the Sylink log, there is no mention of the GUP server, nor is the string GetLUFileRequest found in either of them - the logs were checked after sending an Update Content command to the client.

    Any other ideas?

    Edit - I am also using the SEP Content Distribution Monitor, but it does not seem to show clients of the GUP, just the GUP status itself.



  • 4.  RE: Verify a client is using the GUP

    Posted Aug 01, 2010 09:22 PM
    To check whether they are taking the updates from the GUP server, check the Sylink log and look for port 2967 (i.e. the default) in the Sylink logs.
    Also, you need to make sure of the policy assignment on the client and the GUP server. If you are using multiple GUPs, then the subnet of the GUP server and the client should be the same.
    Also, if possible, try to put the IP address of the GUP in the Optional tab in the GUP policy and check whether it shows the information in the Sylink logs.


  • 5.  RE: Verify a client is using the GUP

    Posted Aug 01, 2010 09:29 PM

    Hi Kavin,

    On the GUP itself (which uses itself as a GUP to update its agent), this appears in the Sylink log: <GupItem Address="172.31.3.9" Port="2967"/>
    There is no mention of port 2967 on the other client.


  • 6.  RE: Verify a client is using the GUP

    Posted Aug 01, 2010 09:45 PM

    Is your GUP client updated???
    And if there is no entry for port 2967 on the other client, can you tell me whether you are using a single GUP or multiple GUPs??



  • 7.  RE: Verify a client is using the GUP

    Posted Aug 01, 2010 10:31 PM

    Hi Kavin,

    Yes the GUP is updated.
    We are using a single gup at the moment, due to implementation testing.


  • 8.  RE: Verify a client is using the GUP

    Posted Aug 01, 2010 10:57 PM
    Does the GUP have the same subnet mask as the clients in the network? And do the GUP server and the GUP client have the same policy serial number? I mean, do they both have the same policy applied?


  • 9.  RE: Verify a client is using the GUP

    Posted Aug 01, 2010 11:31 PM

    Hi Kavin,

    Yes all in the same subnet, and all with the same policy number.


  • 10.  RE: Verify a client is using the GUP

    Posted Aug 01, 2010 11:59 PM
    If the policy is applied correctly then this should not be the case, because the client should show the entry for port 2967.
    I think you should then try to contact Symantec support.


  • 11.  RE: Verify a client is using the GUP

    Posted Aug 02, 2010 12:15 AM
    Are you able to telnet to the GUP client on port 2967 from other PCs?


  • 12.  RE: Verify a client is using the GUP

    Posted Aug 02, 2010 09:10 AM

    Is your GUP client on the same version as the SEPM?


  • 13.  RE: Verify a client is using the GUP

    Posted Aug 02, 2010 10:08 PM

    Hi Aravind - yes I can connect to the GUP from another client on port 2967 using telnet

    Hi Brian - yes it is the same version. I exported the executable from the main SEPM server with the policy for this location embedded.


  • 14.  RE: Verify a client is using the GUP

    Posted Aug 03, 2010 12:55 AM
    I think it is better to contact Symantec support....


  • 15.  RE: Verify a client is using the GUP

    Posted Aug 03, 2010 01:48 AM
    I said that earlier. I think with the WebEx it would be easier to understand the root cause of the issue.


  • 16.  RE: Verify a client is using the GUP

    Posted Aug 03, 2010 01:53 AM
    Yes, you are right. Before that, I want to be sure that it is not related to any firewall and that the policy got applied. It should be something related to the environment, and WebEx is a good option...


  • 17.  RE: Verify a client is using the GUP

    Posted Aug 05, 2010 01:31 AM
    GUP's 101.

    I spent some time trying to answer this question during Pilot and this is what I did to get some visibility. Here is my 2 cents' worth.

    GUPS will only work for clients on the same subnet. If your clients and servers are located on different subnets use SEPM/LiveUpdate
    Confirm that the GUP is a GUP. Properties of the server will show Group Update Provider Status. This should be true.
    Confirm using the Client Management Logs that the message "Start serving as the Group Update Provider (proxy server)" is seen.
    Confirm the folder %Program Files%\Symantec\Symantec Endpoint Protection\SharedUpdates exists and that it contains content (GUP.DAT)
    Use the netstat 5 -a | find "2967" in COMMAND PROMPT. This will poll every 5 seconds and show connections to this server/port.
    Confirm that a policy enables a GUP and a policy tells the client to use that server as a GUP. For example, if SERVERA is to be a GUP then add SERVERA to a LiveUpdate policy (Server Settings| Group Update Provider| Use a Group Update Provider | Multiple Group Update Providers) and apply to the group containing SERVERA. This will cause SERVERA to GO GUP.
    Then for the client(s), Example CLIENTA, Apply the same Policy or create another policy, but the policy must contain the server name of the GUP. I use Multiple GUP's (even if there is only one). It is important for the GUP to be included in a policy that makes it a GUP. The policy for the clients will contain the same information but does not make the server a GUP (Unless using the policy) it just tells the clients to use those machines as GUP's.
    If all is working well you will see the workstations ip address/name on the server (GUP) that is running the NETSTAT command as they connect to update content.
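
The netstat and Sylink checks discussed in this thread, as an added example that is not part of any poster's reply or of Symantec's tooling: a substring search for "2967" also matches the listener, outbound connections and ports such as 52967, so this parses the output and keeps only connections to the local GUP port. The sample netstat output and log excerpt are constructed; only the GupItem element follows the form quoted in post 5.

```python
import re

GUP_PORT = 2967  # default GUP port named in the thread

# Constructed `netstat -an` output as it might look on the GUP (all addresses are samples).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:2967           0.0.0.0:0              LISTENING
  TCP    172.31.3.9:2967        172.31.3.21:49712      ESTABLISHED
  TCP    172.31.3.9:2967        172.31.3.22:50110      TIME_WAIT
  TCP    172.31.3.9:52967       172.31.3.5:443         ESTABLISHED
  TCP    172.31.3.9:50001       172.31.3.40:2967       ESTABLISHED
"""

# Constructed Sylink log excerpt; only the GupItem element is in the form quoted in the thread.
SAMPLE_SYLINK = """\
(constructed line with no GUP information)
<GupItem Address="172.31.3.9" Port="2967"/>
"""

GUP_ITEM = re.compile(r'<GupItem\s+Address="([^"]+)"\s+Port="(\d+)"\s*/>')


def naive_matches(netstat_text, needle=str(GUP_PORT)):
    """Lines a plain substring search such as find "2967" would print."""
    return [ln for ln in netstat_text.splitlines() if needle in ln]


def gup_clients(netstat_text, port=GUP_PORT):
    """Map remote IP -> set of TCP states for connections to the local GUP port."""
    clients = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        local, remote, state = fields[1:4]
        if local.rpartition(":")[2] != str(port) or state == "LISTENING":
            continue  # skips the listener, outbound :2967 and ports like 52967
        clients.setdefault(remote.rpartition(":")[0], set()).add(state)
    return clients


def gups_in_sylink(log_text):
    """(address, port) pairs the client was told to use, from GupItem elements."""
    return [(addr, int(p)) for addr, p in GUP_ITEM.findall(log_text)]


if __name__ == "__main__":
    print(len(naive_matches(SAMPLE_NETSTAT)), "lines contain 2967")
    print("clients served:", gup_clients(SAMPLE_NETSTAT))
    print("GUPs in Sylink log:", gups_in_sylink(SAMPLE_SYLINK))
```
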






  • 18.  RE: Verify a client is using the GUP

    Posted Aug 05, 2010 07:38 PM

    Hi Tonethegeek,

    My problem WAS that most of the things you stated were appearing, but one wasn't.

    The folder %Program Files%\Symantec\Symantec Endpoint Protection\SharedUpdates and file GUP.DAT both exist on the GUP server.
    Running netstat 5 -a | find "2967" found connections from the intended client.
    The policy applied has the correct GUP server IP embedded, and this value appears in the client's registry.

    Confirm using the Client Management Logs that the message "Start serving as the Group Update Provider (proxy server)" is seen <<< THIS DOES NOT APPEAR ON THE GUP. Should I see this within the SEPM agent logs? As far as I can see, there is no GUI for the GUP part itself. I check this by opening the SEP GUI, clicking on View Logs, Client Management View Logs, System log - nothing was there!

    Anyways, I think this is resolved by using the netstat command - I can finally see connections on port 2967 from the intended client.

    Thanks everyone for their suggestions.