Endpoint Protection: Understanding and Identifying the different Group Update Provider (GUP) Options

Article ID: 152744

Products

Endpoint Protection

Issue/Introduction

You are using the enhanced GUP features in Symantec Endpoint Protection (SEP), but some of the behavior you see may not be as expected, or you would like more information on the different options.

Some unexpected behavior is documented in "Clients May Use Different Group Update Provider (GUP) Than Configured: Symantec Endpoint Protection 11.0 RU5 Single GUP acts as Multiple GUP".
The available GUP options are:
  • Single Group Update Provider
  • Multiple Group Update Provider and, optionally:
  • "Backup" Group Update Provider on a different subnet (if Group Update Providers on the local subnet are unavailable).

For details, please refer to "New features and functionality in Symantec Endpoint Protection Release Update 5 (SEP RU 5) Group Update Provider (GUP)".

Resolution

In SEP, any client that identifies itself to SEPM as a GUP will be added to the globallist.xml, regardless of whether they were initially configured as Single or Multiple GUP.
 
This "globallist" or "GUP List" will be presented to clients that are configured to use a GUP when the SEPM has informed them that new content updates are available. The list is applied in ascending order by the client, so if the IP Addresses are in the same subnet as the requesting client, it will use the GUP with the lowest IP Address on that list.
 
In this design, clients only attempt to contact GUPs in their own local subnet. GUP traffic never crosses a router or a gateway, so if there is a router or a gateway between two networks, clients will only use the local GUP.
 
However, there are two situations where a GUP in a different subnet may be contacted:
  • If you have configured a "Backup" Group Update Provider on a different subnet (if Group Update Providers on the local subnet are unavailable). 
  • If you have configured a GUP from a different Subnet as a Single Group Update Provider.
 

Identifying the GUP Types on the Local SEP Client

To verify whether the SEP client is configured to use a GUP, check the following registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate]
"UseMasterClient"=dword:00000001

A dword value of 00000001 indicates that at least one GUP is configured.

 

To identify the GUP type, check an additional value under the same key:

  • For a Single GUP:

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate]
"UseMasterClient"=dword:00000001
"MasterClientHost"="10.130.6.101"

 

 

 

An IP address or computer name indicates that a "Single GUP" was configured.

This is the equivalent of the following configuration settings in SEPM:

 

 

  • For Multiple Group Update Providers:

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate]
"UseMasterClient"=dword:00000001
"MasterClientHost"= <null>

 

 

 

If the "MasterClientHost" has an empty value, then "Multiple Group Update Providers" was configured without the optional "Group Update Provider on a different subnet" setting.

This is the equivalent of the following configuration settings in SEPM:

 

  • For a Group Update Provider on a different subnet:

It is a little more difficult to determine whether a "Backup" Group Update Provider on a different subnet is configured. The registry settings are almost identical to the Single GUP configuration:

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate]
"UseMasterClient"=dword:00000001
"MasterClientHost"="172.10.10.1"

 

 

 

An IP address or computer name indicates that a GUP was configured. The difference from the Single GUP entry is that the IP address should belong to a computer in a different subnet than this SEP client computer.

This is the equivalent of the following configuration settings in SEPM:

From a local client configuration perspective the only difference between "GUP from a different subnet configured as a Single GUP" and the "Backup Group Update Provider on a different subnet" is that the Single GUP in this case would be the only GUP available to the client, whereas the "Backup" GUP is exactly that: just a backup. The client should have Multiple local GUPs available.
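
An added example, not Symantec's code, that models two things described above: the choice of the lowest-IP GUP on the client's own subnet from the GUP list, and the mapping from the UseMasterClient and MasterClientHost registry values to a GUP option. The function names, the client address 10.130.6.57/24 and the three-entry GUP list are assumptions made for illustration.

```powershell
# Added example (not Symantec code). Function names and sample addresses are constructed.
# IPv4 only: true when both addresses share the network given by the prefix length.
function Test-SameSubnet([string]$IpA, [string]$IpB, [int]$PrefixLength) {
    $a = [System.Net.IPAddress]::Parse($IpA).GetAddressBytes()
    $b = [System.Net.IPAddress]::Parse($IpB).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        $bits = [Math]::Min(8, [Math]::Max(0, $PrefixLength - 8 * $i))
        $mask = (0xFF -shl (8 - $bits)) -band 0xFF
        if (($a[$i] -band $mask) -ne ($b[$i] -band $mask)) { return $false }
    }
    return $true
}

# Models the described list handling: lowest IP among the GUPs on the client's own subnet.
function Select-LocalGup([string[]]$GupList, [string]$LocalIp, [int]$PrefixLength) {
    $GupList | Where-Object { Test-SameSubnet $_ $LocalIp $PrefixLength } |
        Sort-Object { [System.Version]$_ } | Select-Object -First 1
}

# Maps the two LiveUpdate registry values to the GUP option they indicate.
function Get-GupMode($UseMasterClient, [string]$MasterClientHost, [string]$LocalIp, [int]$PrefixLength) {
    if ($UseMasterClient -ne 1) { return 'UseMasterClient is not 1: no GUP indicated' }
    if ([string]::IsNullOrEmpty($MasterClientHost)) {
        return 'Multiple GUPs, without a GUP on a different subnet'
    }
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($MasterClientHost, [ref]$ip)) {
        return 'GUP given by computer name: resolve it before comparing subnets'
    }
    if (Test-SameSubnet $MasterClientHost $LocalIp $PrefixLength) { return 'Single GUP on the local subnet' }
    return 'GUP on a different subnet: backup GUP, or a Single GUP from another subnet'
}

# Constructed client address 10.130.6.57/24, checked against the article's three registry samples.
$client = '10.130.6.57'
Get-GupMode 1 '10.130.6.101' $client 24
Get-GupMode 1 '' $client 24
Get-GupMode 1 '172.10.10.1' $client 24
Select-LocalGup @('10.130.6.200', '172.10.10.1', '10.130.6.101') $client 24

# On a real client, read the values from the key named in the article.
$key = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate'
if (Test-Path $key) {
    $reg = Get-ItemProperty -Path $key
    Get-GupMode $reg.UseMasterClient $reg.MasterClientHost $client 24  # replace $client/24 with this host's values
}
```

The last classification is deliberately ambiguous, because the registry values alone do not separate a backup GUP from a Single GUP placed on another subnet.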

 

Understanding GUP Bypass options
 
If you configured the option that lets clients bypass a Group Update Provider when they try and fail to connect to it (the "Maximum time that clients try to download updates from a Group Update Provider before trying the default management server" option), the following will occur:
 
  • If the client has a GUP in its local subnet that is temporarily unavailable and a Group Update Provider on a different subnet is configured and available, the client will contact that GUP in the different subnet almost immediately.
 
  • If the client is not configured with a GUP in its local network but only one that is located in a different subnet, then the client will wait until the Maximum time specified in the bypass options before trying to contact the GUP in the different subnet. This behavior may change in a later release.