Endpoint Protection

  • 1.  GUPs With Roaming Workstations

    Trusted Advisor
    Posted Apr 30, 2014 02:18 PM

    Yes, I've read this:

    http://www.symantec.com/business/support/index?page=content&id=TECH198640

    and this:

    http://www.symantec.com/business/support/index?page=content&id=TECH198702

    and the conflicting answers in this thread:

    https://www-secure.symantec.com/connect/forums/explicit-gup-and-groups

     

    However, I need someone to help me understand what this means from a policy and policy assignment perspective.

    Think of the following scenario:

    -1 data center with one SEPM
    -20 remote facilities, each with 3 subnets and 1 GUP.  Clients are NOT likely to be on the same subnet as the GUP (server subnet, wired workstation subnet, and wireless subnet at each location)
    -All workstation clients are free to move between any facility at any time

     

    Ultimately my questions:

    1.  Can I create one universal Live Update policy where I use the Multiple Group Update Provider list to define all of my GUP servers and then configure the Explicit Group Update Providers list to define my subnets and their mapping?

    2.  If I'm misunderstanding this, what's the best way to create and assign LU policies for clients so they always use the nearest GUP?  What does this mean to my SEPM client structure where I basically just have a Workstations and Servers group structure?  Trying to group ultra-mobile devices into static groups is not desirable.



  • 2.  RE: GUPs With Roaming Workstations

    Posted Apr 30, 2014 02:22 PM

    All the GUPs are made available to clients

    Please go through these lines, apologies if you have already checked this or linked earlier

    ==========

     

    About the effects of configuring more than one type of Group Update Provider in your network

    When you configure single or multiple Group Update Providers in policies, then Symantec Endpoint Protection Manager constructs a global list of all the providers that have checked in. By default, on 32-bit operating systems, this file is \Program Files\Symantec\Symantec Endpoint Protection Manager\data\outbox\agent\gup\globallist.xml. Symantec Endpoint Protection Manager provides this global list to any client that asks for it so that the client can determine which Group Update Provider it should use. Because of this process, clients that have policies with only multiple or explicit Group Update Providers configured can also use single Group Update Providers, if the single provider meets the explicit mapping criterion. This phenomenon can occur because single providers are a part of the global list of providers that the clients get from their Symantec Endpoint Protection Manager.

    So, all of the Group Update Providers that are configured in any of the policies on a Symantec Endpoint Protection Manager are potentially available for clients' use. If you apply a policy that contains only an explicit Group Update Provider list to the clients in a group, all of the clients in the group attempt to use the Group Update Providers that are in the Symantec Endpoint Protection Manager global Group Update Provider list that meet the explicit mapping criteria.

    Note:

    A Symantec Endpoint Protection client may have multiple IP addresses. Symantec Endpoint Protection considers all IP addresses when it matches to a Group Update Provider. So, the IP address that the policy matches is not always bound to the interface that the client uses to communicate with the Symantec Endpoint Protection Manager and the Group Update Provider.

    If all types of Group Update Providers are configured in the policies on a Symantec Endpoint Protection Manager, then clients try to connect to Group Update Providers in the global list in the following order:

    • Providers on the Multiple Group Update Providers list, in order

    • Providers on the Explicit Group Update Providers list, in order

    • The Provider that is configured as a Single Group Update Provider

    You can configure the following types of explicit mapping criteria:

    • IP address: Clients in subnet A should use the Group Update Provider that has the IP address x.x.x.x.

    • Host name: Clients in subnet A should use the Group Update Provider that has the host name xxxx.

    • Subnet network address: Clients in subnet A should use any Group Update Provider that resides on subnet B.

    Multiple mapping criteria can be used in an explicit Group Update Provider list in a single policy. Symantec recommends that you be very careful how you configure multiple mapping criteria to avoid unintended consequences. For example, you can strand your clients without a means of obtaining updates if you misconfigure an explicit mapping.

    Consider a scenario with the following multiple explicit mapping criteria configured in a single policy:

    • If a client is in subnet 10.1.2.0, use the Group Update Provider that has IP address 10.2.2.24

    • If a client is in subnet 10.1.2.0, use the Group Update Provider that has IP address 10.2.2.25

    • If a client is in subnet 10.1.2.0, use the Group Update Provider that has host name SomeMachine

    • If a client is in subnet 10.1.2.0, use any Group Update Provider on subnet 10.5.12.0

    • If a client is in subnet 10.6.1.0, use any Group Update Provider on subnet 10.10.10.0

    With this explicit Group Update Provider policy, if a client is in subnet 10.1.2.0, the first four rules apply; the fifth rule does not. If the client is in a subnet for which no mapping is specified, such as 10.15.1.0, then none of the rules apply to that client. That client's policy says to use an explicit Group Update Provider list, but there is no mapping that the client can use based on these rules. If you also disabled that client's ability to download updates from Symantec Endpoint Protection Manager and the Symantec LiveUpdate server, then that client has no usable update method.



  • 3.  RE: GUPs With Roaming Workstations

    Trusted Advisor
    Posted Apr 30, 2014 02:42 PM

    That's interesting but I don't think it helps me answer my question.  If anything, it just confuses me further.

    If all types of Group Update Providers are configured in the policies on a Symantec Endpoint Protection Manager, then clients try to connect to Group Update Providers in the global list in the following order:

    • Providers on the Multiple Group Update Providers list, in order

    • Providers on the Explicit Group Update Providers list, in order

    • The Provider that is configured as a Single Group Update Provider

    The last thing in the world that I want is for clients to step through the MGUP list and not use "local" resources.  Since all of those GUPs in the MGUP list will be online 100% of the time does that mean they'll all want to use the first one alphabetically and NOT use the rules in the EGUP list?

    Remember, NONE of my remote clients will be in the same subnet of ANY GUP.



  • 4.  RE: GUPs With Roaming Workstations

    Posted Apr 30, 2014 02:42 PM

    I'm not a GUP guru by any means nor do I have a need for GUPs with roaming clients but I know what you mention in your #1 question will work. You can have 1 universal policy. My suggestion would be to send a PM to SMLatCST or just wait for him to respond here. He's quite the mad genius when it comes to GUPs.



  • 5.  RE: GUPs With Roaming Workstations

    Posted Apr 30, 2014 02:52 PM

    Explicit GUP will allow clients to use specific GUPs outside their subnet.

    What is the processing order of an Explicit GUP list within version 12.1.2 of Symantec Endpoint Protection?

    http://www.symantec.com/business/support/index?page=content&id=TECH196741



  • 6.  RE: GUPs With Roaming Workstations
    Best Answer

    Posted May 01, 2014 10:09 AM

    I don't think I've ever been called a mad genius before (maybe I'll go change my profile name right now laugh)

    As you already have most of the information here already, I'm going to try to limit my post to just your main questions (but will probably fail):

    1. Yup, it's perfectly possible to create a single policy to cover off the scenario you've described.  What I would do is create a single LU policy with the below settings:
    • Multiple GUPs enabled -> List all the GUPs
    • Explicit GUPs enabled -> List each of the subnets without a GUP, and associate it with the GUP in the building
    • Single GUP disabled (as you've not mentioned any requirement for it)

    That's pretty much it.  The policy assignment side of things depends upon which groups your intended GUPs actually reside in, as a GUP must receive a policy telling it to be a GUP (i.e. if the intended GUPs are in the Server group, then you can potentially assign this same policy to both the Server and Workstation groups).

    As per the other thread you linked, the other SEP clients will work through the LU policy and use the first GUP that matches.  This means in terms of the policy I've just described the clients should behave in the below manner:

    1. Look at Multiple GUP list, if I'm in the same subnet, then use it.  If not then,
    2. Look at the Explicit GUP list, if I'm in a defined subnet, then use the associated GUP.  If not then,
    3. Update from SEPM

    As per the article pasted by Rafeeq (http://www.symantec.com/docs/HOWTO81148), the SEP Clients can go through a list of GUPs, but it will only do so for those that match the same-subnet or explicitly-defined-subnet criteria.  This is only used in cases where you have more than one GUP that matches the criteria (e.g. when using Multiple GUPs, SEP clients cycle through the GUPs in ascending numerical order by IP address, lowest first).

    I'm happy to clear any inconsistencies or conflicts, just ping them up.

    Oh, you might find the below article handy too, as it describes a quicker (but unsupported) way of creating lots of Explicit GUP entries:

    https://www-secure.symantec.com/connect/articles/how-save-time-entering-multiple-explicit-group-update-providers-gups
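
Added example (not part of any post in this thread and not Symantec code): a small model of the selection order described in the answer above, run against the explicit mapping scenario quoted in post 2, to find client subnets that would be left without an update source. The /24 mask, the provider names `gup-a` and `gup-b`, their addresses, and the function names are assumptions made for illustration.

```python
import ipaddress

PREFIX = 24  # assumption: the thread gives subnets without masks, /24 assumed

def net(addr):
    return ipaddress.ip_network(f"{addr}/{PREFIX}", strict=False)

def pick_source(client_ips, global_gups, multiple_list, explicit_rules, sepm_allowed):
    """Model of the order described in the thread (not Symantec code).
    global_gups: {hostname: ip} of providers that have checked in.
    explicit_rules: (client_subnet, kind, value), kind is ip, host or subnet."""
    client_nets = {net(ip) for ip in client_ips}  # every client IP is considered
    ordered = sorted(global_gups, key=lambda h: ipaddress.ip_address(global_gups[h]))
    # 1. Multiple GUP list: only providers in the client's own subnet, lowest IP first
    for host in ordered:
        if host in multiple_list and net(global_gups[host]) in client_nets:
            return ("multiple", host)
    # 2. Explicit list: rules in order; the mapped provider must have checked in
    for client_subnet, kind, value in explicit_rules:
        if net(client_subnet) not in client_nets:
            continue
        for host in ordered:
            ip = global_gups[host]
            if ((kind == "ip" and ip == value) or (kind == "host" and host == value)
                    or (kind == "subnet" and net(ip) == net(value))):
                return ("explicit", host)
    # 3. No provider matched: SEPM if the policy allows it, otherwise no update path
    return ("sepm", None) if sepm_allowed else ("stranded", None)

def stranded_subnets(client_subnets, global_gups, multiple_list, rules):
    """Subnets whose clients get no update source when the SEPM fallback is off."""
    return [s for s in client_subnets
            if pick_source([s], global_gups, multiple_list, rules, False)[0] == "stranded"]

# Constructed sample: rules from the quoted scenario, hypothetical provider names
RULES = [("10.1.2.0", "ip", "10.2.2.24"), ("10.1.2.0", "ip", "10.2.2.25"),
         ("10.1.2.0", "host", "SomeMachine"), ("10.1.2.0", "subnet", "10.5.12.0"),
         ("10.6.1.0", "subnet", "10.10.10.0")]
GUPS = {"gup-a": "10.2.2.24", "gup-b": "10.10.10.5"}

if __name__ == "__main__":
    for ips in (["10.1.2.50"], ["10.6.1.4"], ["10.15.1.9"], ["10.15.1.9", "10.2.2.80"]):
        print(ips, pick_source(ips, GUPS, list(GUPS), RULES, sepm_allowed=False))
    print(stranded_subnets(["10.1.2.0", "10.6.1.0", "10.15.1.0"], GUPS, list(GUPS), RULES))
```

Running the audit over every workstation, wired and wireless subnet before disabling the SEPM and LiveUpdate fallbacks shows which subnets still need an explicit mapping.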



  • 7.  RE: GUPs With Roaming Workstations

    Posted May 01, 2014 10:14 AM

    yes



  • 8.  RE: GUPs With Roaming Workstations

    Trusted Advisor
    Posted May 01, 2014 03:24 PM

    Thank you very much.  Symantec really should consider having you write use case documentation ;)