Group Update Provider (GUP) best practices

Article ID: 177667

Products

Endpoint Protection

Issue/Introduction

Learn how to use a Group Update Provider (GUP) to keep Symantec Endpoint Protection (SEP) clients up-to-date.

Resolution

The GUP role can be assigned to any SEP client. When a SEP client is assigned the GUP role, it acts as a caching HTTP proxy, storing both delta and full revisions of SEP content.

Other SEP clients can be configured to use the GUP for definition and content updates using LiveUpdate policies from the Symantec Endpoint Protection Manager (SEPM).

SEP clients working as GUP should be installed with the same version as the SEPM.

Consider the following before using GUPs as part of the overall content updating scheme in an environment:

Network considerations

GUPs can be used to supplement or replace a SEPM for distributing content updates to SEP clients, but cannot be used to update policies or manage clients. Clients still need network connectivity to a SEPM to perform the heartbeat process, which updates their policies and informs them when new content is available from the GUP.

If the SEP clients you need to update using a GUP are not able to connect to the HTTP port used by the SEPM for client management, consider another method of updating clients. Depending on the version of SEPM used in your environment, the default client management port is either 80 or 8014. This port is configurable within the product. The only method to update both content and policies on a client is through a SEPM.

Since the GUP is essentially a SEP client with the additional GUP role, it must also be able to access the SEPM through the client management port. In addition, the clients which the GUP serves must connect to the HTTP port the GUP listens on (2967 by default). Symantec recommends that a GUP be on the same network segment as all clients which you configure to update from the GUP.
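The connectivity requirements above can be checked from the machine itself. The following is an added example, not Symantec code: the function names and the host names in the demo are hypothetical, and the SEPM port must be set to whatever your SEPM uses (80 or 8014 by default, depending on version).

```python
import socket

GUP_DEFAULT_PORT = 2967  # default GUP listener port, per the article


def tcp_probe(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port can be opened."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_update_paths(role, sepm_host, sepm_port, gup_host=None,
                       gup_port=GUP_DEFAULT_PORT, probe=tcp_probe):
    """Probe the connections this machine needs for its role.

    role is "client" (updates content through a GUP) or "gup".
    Returns a list of (path, reachable, consequence_if_unreachable).
    """
    if role not in ("client", "gup"):
        raise ValueError("role must be 'client' or 'gup'")
    if role == "client" and gup_host is None:
        raise ValueError("a client needs the host name of its GUP")
    # Both roles need the SEPM client management port for the heartbeat.
    results = [(f"{sepm_host}:{sepm_port} (SEPM management)",
                probe(sepm_host, sepm_port),
                "no heartbeat: policies are not updated and the machine is "
                "not told when new content is available")]
    # Only a client that updates through a GUP needs the GUP listener.
    if role == "client":
        results.append((f"{gup_host}:{gup_port} (GUP content)",
                        probe(gup_host, gup_port),
                        "content cannot be downloaded from this GUP"))
    return results


def failures(results):
    """Keep only the unreachable paths and what each one breaks."""
    return [(path, why) for path, ok, why in results if not ok]


if __name__ == "__main__":
    # Hypothetical host names; replace them with your own SEPM and GUP.
    checks = check_update_paths("client", "sepm.example.internal", 8014,
                                "gup.example.internal")
    for path, why in failures(checks):
        print(f"UNREACHABLE {path}: {why}")
```

Run it from a client with role "client" and from the GUP itself with role "gup"; a client that reaches the GUP but not the SEPM still fails the first check.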

The GUP downloads definitions on-demand for itself and any clients which you configure to update through it. The GUP caches all downloaded content according to the settings in its LiveUpdate policy. Clients which you configure to use a GUP download definitions directly from the GUP instead of SEPM. By this method, bandwidth is conserved. There must be sufficient bandwidth between the GUP and the SEPM to allow the GUP to download the full and delta definition packages that the SEP client requests. The larger the spread of definition revisions that the clients use, the larger the bandwidth utilization between the SEPM and the GUP.

Though bandwidth usage can be significantly reduced by using GUPs strategically, it is important to position GUPs in the network to maximize their effectiveness. GUPs should only be configured to provide updates to clients on their local network segment. Each GUP must have sufficient bandwidth to deliver content packages of up to 600 MB to the clients it serves, up to 3 times a day.

Total number of clients

The current iteration of the GUP role can be configured to support up to 10,000 clients. To ensure that the GUP is capable of updating a large number of clients, you may need to configure the GUP to handle more than the default.

Total physical hard disk space available on the GUP

By default, the GUP automatically purges content from its cache under two conditions:

  • If the content on the GUP grows larger than the size configured for the Maximum disk cache size for content updates setting. In this instance, the GUP purges the oldest content by last accessed time, until there is room for any new content.

    Set Maximum disk cache size for content updates to at least 2000 MB. This setting ensures enough room for a full set of both 32-bit and 64-bit content.
     
  • If any individual content is older than the Delete content updates if unused setting. In this instance, the GUP removes the older content.
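The effect of the two purge rules on SEPM-to-GUP traffic can be seen in a small model. This is an added example, not Symantec code: the package names, sizes and request sequence are constructed, and the exact age comparison is an assumption.

```python
# Model of the two GUP cache purge rules described above (not Symantec code).
# Package names, sizes and the request sequence are constructed sample values.

def simulate(requests, max_cache_mb, unused_days):
    """Replay (day, package, size_mb) requests against a model GUP cache.

    Returns (mb_fetched_from_sepm, evictions), where evictions is a list
    of (day, package, reason) with reason "unused" or "size".
    """
    cache = {}       # package -> [size_mb, last_access_day]
    fetched_mb = 0
    evictions = []
    for day, package, size_mb in requests:
        # Age rule: remove content unused for longer than the configured age.
        stale = [n for n, (_, last) in cache.items() if day - last > unused_days]
        for name in stale:
            del cache[name]
            evictions.append((day, name, "unused"))
        if package in cache:
            cache[package][1] = day   # cache hit: refresh last-accessed time
            continue
        # Size rule: purge the least recently accessed content until it fits.
        used = sum(size for size, _ in cache.values())
        while cache and used + size_mb > max_cache_mb:
            victim = min(cache, key=lambda n: cache[n][1])
            used -= cache[victim][0]
            del cache[victim]
            evictions.append((day, victim, "size"))
        cache[package] = [size_mb, day]
        fetched_mb += size_mb         # cache miss: the GUP downloads from the SEPM
    return fetched_mb, evictions


# Constructed workload: 32-bit and 64-bit clients request full packages
# and deltas over three days.
REQUESTS = [
    (1, "full-x86", 600), (1, "full-x64", 600), (1, "delta-x86", 150),
    (2, "full-x86", 600), (2, "delta-x64", 150), (2, "full-x64", 600),
    (3, "full-x86", 600), (3, "full-x64", 600),
]


def compare(unused_days=30):
    """MB pulled from the SEPM with a 1000 MB cache versus a 2000 MB cache."""
    small, _ = simulate(REQUESTS, 1000, unused_days)
    recommended, _ = simulate(REQUESTS, 2000, unused_days)
    return small, recommended
```

With this workload the 1000 MB cache evicts one architecture's full package each time the other is requested, so the GUP keeps downloading the same content from the SEPM again.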

Other hardware and software limitations of the GUP

Symantec has tested the GUP role on a variety of hardware and OS configurations. Through this testing, we found that the GUP role adds minimally to the CPU, memory, and IO load on test systems.

The load that the GUP role generates increases based on:

  • The number of clients which you configure to update from the GUP
  • The number of large delta or full content updates that clients request
  • The frequency at which definitions are updated in the environment

Basic considerations for GUP hardware and software are as follows:

  • Ensure that the computer used as the GUP has sufficient reserves of CPU and memory capacity. This allows normal operations to continue while it serves content to SEP clients.
  • By default, Windows is configured to allow a maximum of 5000 TCP connections simultaneously. With this configuration, the GUP is capable of serving 40 client connections per second.
  • Windows can be configured to allow a maximum of 65534 TCP connections simultaneously. With this configuration, the GUP is capable of serving approximately 180 client connections per second.

GUP availability

If SEP clients are configured to get updates from only a single GUP, and it is a requirement that clients be able to download content updates 24/7, ensure that the GUP computer is not turned off regularly. In this situation, it may not be appropriate to have a user's workstation, which may be turned off nightly or over the weekend, function as a GUP. Instead, a server that is on constantly is more appropriate.

Furthermore, if the GUP's download speed from the SEPM is throttled or limited, the importance of using a computer which is rarely turned off increases. In environments with very slow or severely throttled connections between the GUPs and SEPM, it may take many hours for a GUP to download full content packages from the SEPM. A computer which is turned off after only a few hours may not have sufficient time to download full definitions packages.