Symantec Endpoint Protection 11.0 Group Update Provider (GUP)

Article:TECH102541  |  Created: 2007-01-27  |  Updated: 2010-08-13  |  Article URL http://www.symantec.com/docs/TECH102541
Article Type
Technical Solution


Environment

Issue



You would like to have more information on the GUP functionality.


Solution



Group Update Provider Overview
The Group Update Provider was a feature request to support designating a particular client to serve as a computer that will get content updates and publish them. This is designed to provide functionality vaguely similar to configuring a legacy Symantec AntiVirus client as a secondary server.
The computer that is downloading and publishing the content is referred to as the “Group Update Provider.” The computers in the client group will use the designated “Group Update Provider” as a local proxy for content updates.



Scenario that will be addressed by adding a GUP
Customers with Branch offices
Think of situations where you would use a Secondary Server in Symantec AntiVirus 10.x, but where this was not an ideal solution. Typical a branch office.

The office has from 2 to 20 computers, often toward the lower number. One of these computers may be a server (A pharmacy or a grocery store for example), or there may only be workstations, as in banks. The network to the branch office does not have a large amount of bandwidth. This is what drives the need to proxy identical content.

In Symantec AntiVirus 10.x some customers might use a Secondary Server in this situation however, secondary servers with clients download an "XDB" file to provide virus definitions for the clients. The "XDB" file is around 12 MB in size, sometimes larger. The secondary server sends the clients a file with changes to the definitions at a size of 50 KB to 100 KB. The arithmetic is against the secondary server scenario or any automatic download of full content by the GUP. A secondary server would download far more content over the small amount of bandwidth than all of the clients combined. Break-even is around 200 computers.

This implies that the GUP provider will not download full content unless it is requested by a client, at which point it is hopefully of use to the other clients as well.


Challenges by adding a GUP

Using a GUP in every group
This will improve the performance of content distribution significantly, and greatly reduce the load on the server. The measurements in the lab showed that all significant load on the server comes from distributing content. The server is capable of directly processing logs, state updates, and handing index and profile requests at more than 200 clients per second with no strain. It does not generate much network traffic.

This meets the basic need for the secondary servers to offload the main server. For the primary need of distributing content this provides a better solution than Symantec AntiVirus Corporate Edition 10.


Using a GUP in a large group
We will have issues when the group gets large, i.e larger than 200. Certainly if a dedicated server is set as the proxy we can handle quite a bit of content. This is what secondary servers are today.


GUP Design Details
How does the GUP get defined?

    • A setting will be added to the LiveUpdate (LU) policy specifying one member of the client group as a "Content proxy." This computer will be the Group Update Provider (GUP)
    • Every Symantec Endpoint Protection Client contains mini HTTP server code that allows it to potentially become the GUP.
    • The LU Policy will specify a hostname or IP address and port of the GUP HTTP server computer. The default port is 2967, but can be reconfigured to an alternate port. The Admin can specify either the host name of the computer or the IP address.
    • The file transfer will be over HTTP and will be contained within the HTTP Response payload. This is exactly the same as the existing transport. The protocol will be the SyLink protocol.
    • HTTPS will NOT be supported for the Symantec Endpoint Protection 11.0 release.
    • Content delivered by Symantec Endpoint Protection Manager will be cached.
    • The GUP will NOT initially support the patch and the update channel.

GUP_config.jpg


When a client becomes the GUP

    • The mini HTTP server code will be a DLL extension to the SMC Agent. The design has the GUP running independently of the internal content handling. GUP is loaded by the SMC Agent when configured. When it starts up, it begins to listen on the configured port. It continues to listen until it is shut down.
    • All of the clients in the group receive the same proxy policy configuration. The one that matches the proxy address or hostname is the proxy and will load the micro web server.
    • The computer that is designated as the GUP will create a directory if it does not already exist at the following location:
      C:\Program Files\Symantec\Symantec Endpoint Protection\SharedUpdates

      The "SharedUpdates" folder will cache all proxied files. For the first round of implementation this will only be managed LU content. No other communication or content will be proxied. Getting index files and profiles, posting state and logs, etc. will be done directly with server.


    • The "SharedUpdates" directory will be populated when the GUP receives a request to see if the requested files are present in the local cache. If the file is present, it responds to the request with the file. If it is not present then the GUP holds the pending request, and re-issues the same "GetLUFile SyLink" request to the server. When that file arrives, it is added to the GUP cache.
    • The GUP code can only get content updates from Symantec Endpoint Protection Manager. As far as the GUP is concerned, it does not know about the client it resides on. Even if the client were to be updated through alternative means such as: Intelligent Updater or Symantec Internal Liveupdate, the GUP would not be able to use those updates to proxy for other clients. The release build will show the following warning:


GUP_No_SEPM.jpg

GUP_No_SEPM1.jpg

GUP_config_No_SEPM_Error.jpg




Files and Registry

    • The dll extension to SMC, the "GUP proxy" is contained within C:\Program Files\Symantec\Symantec Endpoint Protection\GUProxy.plg
    • The related Registry entries:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate
        • "UseMasterClient"=dword:00000001
        • "MasterClientHost"="yavixp11-2"
        • "MasterClientPort"="2967"


GUP and Firewall Rules
There is no need to create specific Firewall Rules on the Symantec Endpoint Protection 11.0 clients, but Firewall Rules will be necessary for 3rd party Firewalls.


References
This document is available in the following languages:




Legacy ID



2007092720522748


Article URL http://www.symantec.com/docs/TECH102541


Terms of use for this information are found in Legal Notices