If the GUP does not have a definition it will reach out to its defined SEP Manager and download the correct update.On the next heartbeat interval the client will then download the definition from the GUP.The GUP technology in SEP allows administrators to designate client systems within the environment to distribute client definitions in a peer fashion.In an environment where a GUP is configured, clients designated to use GUPs will reach out on port 2967/TCP to see if there is a definition update available.
These updates occur roughly three times a day on average.
We found that the SEPM will practically accept 1000s of client check-in requests, and will send all clients updates at the maximum data rate possible.
We need some way of reducing the amount of bandwidth used by the SEPM to update clients natively, so that there is headroom on its network connection for management traffic (remote in, check the SEP console, etc).
My organization has a large deployment of Symantec Endpoint Protection (SEP) (~20k clients) with a single SEPM instance running in an ESX VM.
We do have many remote clients designated as Group Update Providers (GUPs) where possible.