
Endpoint Protection Explicit GUP servers

Yes, I need a solution

I'm currently running my SEPMs on Windows Server 2008 with SEP 12.1.4013.4013. We do an Active Directory Sync. Since we upgraded to this we've seen traffic from some machines do the following.

I have a Live Update policy set up that contains multiple GUPs in the Group Update Provider list. We have several locations around the world which total over 5,000 clients so we've tried to set up a GUP at each location. All looks good as far as the machines turning into a GUP in the manager and in the logs on the GUP server. We then use the Group Update Provider policy configured in one of our location specific settings for each OU. We've been using this for years without any issues.

Since the upgrade we've seen some clients take an odd path to try and get updates. It is random and may not happen to the same client every time. Rather than the traffic going directly to the GUP at their site, it is going to our proxy server, which is located at a central datacenter (same place where the SEPMs are located), and then back to their local GUP to check for updates. If one is available it pulls it from the GUP, back to the proxy server and then to the client. When this happens things seem to get hung up between the client, proxy, and GUP and will saturate the line to the site. So far our only resolution has been to do a packet capture to see what machines are generating this traffic and restart Symantec on the client. The traffic then stops. They then appear to start talking to their local GUP properly again.

I've had Symantec Critical support review our systems and we do not have the proxy server defined anywhere so SEP should not know anything about the proxy. The client does have the proxy set up in their browser.

Symantec support recommended the following:

  • Upgrade one of the GUP servers at a site where we see this issue happen to RU5.  I did this and thought we were ok but several days later it occurred again.
  • Upgrade clients at the site to RU5 as well.  This part is in the works.

We have clients that travel to different sites and they appear to start pulling from the local GUP server when they connect to that network and get a DHCP address from their network range since the GUP is also in that range and subnet.

Symantec's next suggestion is to set up Explicit Group Update providers but for some reason won't show me how it should be set up or actually works. I'm having a hard time reading through articles to get it straight in my mind.

I understand that I need to keep my Group Update Provider list in order to make a machine a GUP.

What I don't get is if I have several class C networks or larger how to set it up.

Let's say when adding an explicit group update provider by IP address for a 10.1.200.0 class C network

would it be

  • client subnet network address = 10.1.200.0
  • Type = IP address
  • IP Address = ???  Would this be the address of the local GUP server ???
  • Port = 2967 which is the standard port that we use

So then, if I have a client from that network go to another location is it still going to pick up that location's GUP server?

The thing to remember is that we are doing an Active Directory import so the client machine account would be located in the 10.1.200.0 OU so I'm hoping that it will work like before and use the local GUP at that site even though it is in a different OU.

