To configure Symantec Endpoint Protection (SEP) client for use with Microsoft DirectAccess (DA):
- Ensure the Windows Firewall service is enabled:
- Use the steps in the following document: https://support.microsoft.com/en-us/help/4028544/windows-turn-windows-firewall-on-or-off
- Go to Control Panel > System and Security > Windows Firewall.
- If SEP is installed and the service is enabled you should see a notification that SEP is managing these settings:
- Once the Windows Firewall service is active, confirm that the "ConSecRuleRuleCategory" is managed by "Windows Firewall"
- Open a command prompt.
- Type the following:
netsh advfirewall show global
- Scroll to the bottom and look for ConSecRuleCategory or ConSecRuleRuleCategory (varies based on the version of Windows).
- Confirm its value is Windows Firewall.
- Configure the SEP client firewall integration and allow IPv6 traffic on the Symantec Endpoint Protection Manager (SEPM) to allow DA to function.
- The SEP client can be configured to allow or disable the Windows Firewall in the Firewall Policy on SEPM.
- In SEPM, click Policies > Firewall.
- Edit the Firewall policy applied to clients using DA. The suggested configuration for use with Microsoft's DA is:
Note: If the SEP Firewall policy option No Action or Restore if Disabled is chosen, the Microsoft Firewall is in charge of all four categories and SEP Firewall rules are not applied. You can verify if SEP is managing the first three firewall configuration categories by the command `netsh advfirewall show global`. If it is, then SEP firewall rules are applied as expected.
For more information, see:
- Ensure that the SEP Firewall is configured to allow all IPv6 traffic.
Note: In SEP 12.1.x, open the SEPM console, click Policies > Firewall, and change the SEP firewall rules for IPv6 traffic from Block to Allow.
To create an Allow rule for IPv6:
- Log on to the Endpoint Protection Manager (SEPM).
- Click Policies > Firewall, highlight the policy you want to edit, and then click Edit the Policy.
- Click Rules > Add Rule.
- Enter a rule name, and then click Next
- Select Allow connections, and then click Next.
- Select All Applications, and then click Next.
- Select Any computer or site, and then click Next.
- Select Only the communications selected below.
- Click Add, and then do the following:
- Set the Protocol to Ethernet.
- For Protocol Type, add Ipv6 (0x86dd).
- Click OK.
- Click Next.
- Choose your desired log setting.
- Click Finish, and then click OK.
- After the policy propagates to the client computers, DirectAccess should now function as expected.