Symantec Endpoint Protection (SEP) 12.1.2 introduced a new "Explicit Group Update Providers (GUPs) for Roaming Clients" feature.
It is important to understand that the "Roaming" referred to here pertains to the clients ability to roam to a GUP outside of their own subnet, rather than their ability to find a nearest GUP. In previous SEP versions, the clients would only connect to a GUP outside of their own subnet, if such a GUP was configured as "backup" GUP.
(There was an optional setting to "Specify the host name or IP address of a Group Update Provider on a different subnet to be used if Group Update Providers on the local subnet are unavailable"in Group Update Provider List settings)
Note: configuring an "Explicit Group Update Provider list" does not turn clients into Group Update Providers.
To turn clients into GUPs, first configure single or multiple Group Update Providers. A client will become a GUP when the data entered matches its own attributes. The Explicit Group Update Provider list will then be used to map the clients to their respective Explicit GUPs.
An example scenario when Explicit GUPs for Roaming Clients might be used is the following:
The environment consists of 3 Subnets divided by Computer Roles:
A Server Farm Subnet with Network Address 10.0.0.0
A Marketing Subnet with Network Address 220.127.116.11
An Engineering Subnet with Network Address 192.168.10.0
Note: in this example the Network Addresses are chosen for demonstration purposes only.
The client machines in the Marketing and Engineering subnets need to be configured to get updates from a GUP situated in the Server Farm network.
To create the Group Update Provider policy, the following steps have to be taken:
Identify the machines in the Server Farm Subnet that will become the GUPs
In this example the designated GUPs are the following:
A computer with IP address 10.10.10.1 and subnet mask 255.0.0.0
A computer with IP address 10.10.10.2 and subnet mask 255.0.0.0
Configure these two computers as Multiple Group Update Providers:
Configure the clients in the Marketing Subnet 18.104.22.168 to use one of the GUPs in the Server Farm Network
Configure the clients in the Engineering Subnet 192.168.10.0 to use one of the GUPs in the Server Farm Network
This can be done by either specifying the IP Address of an individual GUP in the Server Farm Network, or by specifying the Network Address of the Server Farm Network.
Note: You can calculate the value of the Client Subnet Network Address and the GUP Subnet Network Address by using one of the subnet calculators readily available on the Internet. This address is sometimes also referred to as the network prefix or network ID.
Configure the clients in the Marketing Subnet 22.214.171.124 to use a GUP with IP Address 10.10.10.1 in the Server Farm Network
Configure the clients in the Engineering Subnet 192.168.10.0 to use any GUP in the Server Farm Network by specifying its Network Address
The workflow could be summarized as follows:
You map "client subnet" to "GUP to use" in Endpoint Protection Manager (SEPM)
A SEP 12.1.2 (or later) Client parses the new policy and extracts relevant data from the GUP list to select the new GUP Type.
The Client then verifies:
"Am I in the subnet that is supposed to use the Explicit GUP?"
"Which subnet is the Explicit GUP in - is it in a different subnet than mine?"
"Who is the actual GUP?"
The Client will first try to use available local GUPs before using any of the Explicit GUPs
Note: If multiple GUPs are defined in either the client's local subnet or the Explicit GUP list, the client will use the GUP with the lowest IP Address.
The GUP itself need not be a 12.1.2 Client.
Imported Document ID: TECH198640
Subscribing will provide email updates when this Article is updated. Login is required.