Learn how to use a Group Update Provider (GUP) to keep Symantec Endpoint Protection (SEP) clients up-to-date.
The GUP role can be assigned to any SEP client. When a SEP client is assigned the GUP role, it acts as a caching HTTP proxy, storing both delta and full revisions of SEP content.
Other SEP clients can be configured to use the GUP for definition and content updates using LiveUpdate policies from the Symantec Endpoint Protection Manager (SEPM).
SEP clients working as GUP should be installed with the same version as the SEPM.
Consider the following before using GUPs as part of the overall content updating scheme in an environment:
GUPs can be used to supplement or replace a SEPM for distributing content updates to SEP clients, but cannot be used to update policies or manage clients. Clients still need network connectivity to a SEPM to perform the heartbeat process, which updates their policies and informs them when new content is available from the GUP.
If the SEP clients you need to update using a GUP are not able to connect to the HTTP port used by the SEPM for client management, consider another method of updating clients. Depending on the version of SEPM used in your environment, the default client management port is either 80 or 8014. This port is configurable within the product. The only method to update both content and policies on a client is through a SEPM.
Since the GUP is essentially a SEP client with the additional GUP role, it must also be able to access the SEPM through the client management port. In addition, the clients which the GUP serves must connect to the HTTP port the GUP listens on (2967 by default). Symantec recommends that a GUP be on the same network segment as all clients which you configure to update from the GUP.
The GUP downloads definitions on-demand for itself and any clients which you configure to update through it. The GUP caches all downloaded content according to the settings in its LiveUpdate policy. Clients which you configure to use a GUP download definitions directly from the GUP instead of SEPM. By this method, bandwidth is conserved. There must be sufficient bandwidth between the GUP and the SEPM to allow the GUP to download the full and delta definition packages that the SEP client requests. The larger the spread of definition revisions that the clients use, the larger the bandwidth utilization between the SEPM and the GUP.
Though bandwidth usage can be significantly reduced by using GUPs strategically, it is important to position GUPs in the network to maximize their effectiveness. GUPs should only be configured to provide updates to for clients on their local network segment. Each GUP must have sufficient bandwidth to deliver content packages of up to 600 MB to the clients it serves, up to 3 times a day.
The current iteration of the GUP role can be configured to support up to 10,000 clients. To ensure that the GUP is capable of updating a large number of clients, you may need to configure the GUP to handle more than the default.
By default, the GUP automatically purges content from its cache under two conditions:
Symantec has tested the GUP role on a variety of hardware and OS configurations. Through this testing, we found that the GUP role adds minimally to the CPU, memory, and IO load on test systems.
The load that the GUP role generates increases based on:
Basic considerations for GUP hardware and software are as follows:
If SEP clients are configured to get updates from only a single GUP, and it is a requirement that clients be able to download content updates 24/7, ensure that the GUP computer is not turned off regularly. In this situation, it may not be appropriate to have a user's workstation—which may be turned off nightly or over the weekend—function as a GUP. Instead, a server that is on constantly is more appropriate.
Furthermore, if the GUP's download speed from the SEPM is throttled or limited, the importance of using a computer which is rarely turned off increases. In environments with very slow or severely throttled connections between the GUPs and SEPM, it may take many hours for a GUP to download full content packages from the SEPM. A computer which is turned off after only a few hours may not have sufficient time to download full definitions packages.