The GUP role can be assigned to any SEP client. When assigned the GUP role, a SEP client will act as a caching HTTP proxy - storing both delta and full revisions of SEP content. Other SEP clients can be configured to utilize the GUP for definition and content updates via LiveUpdate policiy from the Symantec Endpoint Protection Manager (SEPM).
There are several considerations that need to be made before utilizing GUPs are part of the overall content updating scheme in an environment:
SEPM/SEP version considerations
Network considerations
The total number of clients
The total physical hard disk space available on the GUP
Other hardware limitations of the GUP
Determining Worst Case Scenarios for bandwidth and storage usage
SEPM/SEP version considerations:
There have been significant changes to both the GUP architecture and the content delta process over the development cycle of the SEP product. In order to take advantages of these changes, both the SEPM and the SEP clients will need to be running SEP 11.0 MR3 or newer. Because of these changes, it is highly recommended that both the SEPM and SEP clients are running the latest available version of SEPM/SEP.
Network considerations:
GUPs can be used to supplement or replace a SEPM for distributing content updates to SEP clients, but cannot be used to update policies or manage clients. This means that clients will still need network connectivity to a SEPM in order to perform the heartbeat process, which updates their policies, and informs them when new content is available to download from the GUP.
If the SEP clients you wish to update via a GUP are not able to connect to the SEPM of the HTTP port being used by the SEPM for client management, you will need to consider another method of updating clients. Depending on the version of SEPM used in your environment, the default client management port is either 80, or 8114 - This port is configurable within the product. The only method to update both content and policies on a client is through a SEPM.
Since the GUP is essentially a SEP client with the additional GUP role, it must also be able to access the SEPM via the client management port. In addition to this, the clients being served by the GUP must be able to connect to the HTTP port the GUP is listening on (2967 by default). It is recommended that a GUP be on the same network segment as all clients configured to update from the GUP.
The GUP will download definitions on-demand for itself and any clients configured to update through it. The GUP will cache all downloaded content according to the settings in its LiveUpdate policy. Clients that have been configured to use a GUP will download definitions directly from the GUP instead of SEPM. By this method, bandwidth is conserved. There must be sufficient bandwidth between the GUP and the SEPM to allow the GUP to download the full and delta definition packages being requested by SEP clients. The larger the spread of definition revisions used by the clients, the larger the bandwidth utilization between the SEPM and the GUP.
Though bandwidth usage can be significantly reduced by using GUPs strategically, it is still important to ensure that GUPs are positioned in the network to maximize their effectiveness. GUPs should only be configured to provide updates to for clients on their local network segment. The GUP must have sufficient bandwidth to deliver content packages of up to 45 MB to the clients it serves up to 3 times a day.
Total number of clients:
The current iteration of the GUP role can be configured to support up to 1000 clients. Previous to SEP MR3, the GUP was only capable of supporting up to 100 clients. To ensure that the GUP is capable of updating a large number of clients, you may need to configure the GUP to handle more than the default
Total physical hard disk space available on the GUP:
By default the GUP will automatically purge content from its cache under two conditions:
If the content on the GUP grows larger than the configured Maximum disk cache size for content updates setting. The GUP will purge the oldest content by last accessed time until there is room for any new content.
If any individiual content is older than the Delete content updates if unused setting, the GUP will remove that content
Other hardware/software limitations of the GUP:
Symantec has tested the GUP role on a variety of hardware and OS configurations and has found that the GUP role adds minimally to the CPU, memory and IO load on test systems. The load generated by the GUP role will increase based on the number of clients configured to update from the GUP, the amount of large delta or full content updates clients request, and the frequency at which definitions are updated in the environment.
Some basic guidelines for GUP hardware/software considrations are as follows:
Ensure that the machine being used to serve as the GUP has sufficient reserves of CPU/memory capacity to allow for its normal operations to continue while serving content to clients
By default, Windows is configured to allow a maximum of 5000 TCP connections simultaneously. With this configuration, the GUP is capable of serving 40 client connections per second.
Windows can be configured to allow a maximum of 65534 TCP connections simultaneously. With this configuration, the GUP is capable of serving approximately 180 client connections per second.