Learn more about location awareness in Symantec Endpoint Protection (SEP), and best practices for configuring and managing client locations and policies.
Users frequently connect to the network from various locations, such as home, the office, or remote sites while traveling. You can assign a separate security policy to each location or type of network connection (wireless, Ethernet, or VPN). SEP automates the switch between these policies, so a client that moves to an untrusted network is not left running the more permissive office policy.
To protect the network, you define the conditions that trigger this automatic switching (location awareness), so that the most appropriate security policy is applied to each client or server. Which policy is appropriate typically depends on the location from which the user connects.
You can assign a set of conditions to each group's location that automatically selects the correct security policy for a user's environment. Conditions include information such as the network settings of the computer that initiated the network access request. An IP address, MAC address, or the address of a directory server can also function as a condition.
If you change the security policy in the console, either the management server updates the policy on the client, or the client downloads the policy. If the current location is not valid after the update, then the client switches to another valid location, or the client uses the default location.
Note: Symantec does not recommend more than seven (7) locations per group when using location awareness. Exceeding this number increases the time the Endpoint Protection client needs to evaluate all locations and settle on a valid one. The client evaluates every configured location and selects the best one based on how many of its conditions match: each matched parameter adds weight, and the client chooses the location with the highest total weight.
Before adding locations to a group, consider the types of security policies that you need in your environment. Also consider the following, which define each location:
Endpoint Protection Manager uses the default location for a group if one of the following occurs:
When you initially install Symantec Endpoint Protection Manager (SEPM), only the default location, named "Default," is set up. At that time, every group's default location is "Default." You can later change this to the correct location after you add other locations. In addition, every group must have a default location. You may prefer to designate a location like "Home" or "Travel" as the default location.
You can specify a number of conditions to determine when to allow a client computer to switch to another location, before you allow the client to connect to your network. Switching locations allows a different set of security policies to apply when a client computer is connecting to the network from a more vulnerable location.
If the conditions match, the client computer automatically switches to the designated group's location with its associated policy, and the computer can connect to your network.
Conditions can be positive (the client must match the criterion) or negative (the client must not match it). For example:
| Option | Description |
| --- | --- |
| Computer IP Address | This criterion has the following options: |
| Gateway Address | You can specify the following criterion types and their values: IP Address, IP Range, Subnet Address and Subnet Mask, or a MAC Address. |
| WINS Server Address | You can specify the following criterion types and their values: IP Address, IP Range, or Subnet Address and Subnet Mask. |
| DNS Server Address | You can specify the following criterion types and their values: IP Address, IP Range, or Subnet Address and Subnet Mask. |
| DHCP Server Address | This criterion has the following options: |
| Network Connection Type | You can specify the following network connection types as of Endpoint Protection 14: |
| Management Server Connection | This criterion has the following options. Note: Symantec does not recommend using Management Server Connection unless a distinct set of management servers is used for the location. A server outage or connection problem will cause clients to switch locations. |
| Trusted Platform Module | This criterion has the following options: |
| DNS Lookup | This criterion has the following options: |
| Registry Key | This criterion allows checking against the following conditions: |
| Wireless SSID | This criterion has the following options. Note: SEP uses the wireless SSID reported by the OS. For a wireless connection that is part of a network bridge, SEP uses the SSID that the OS reports for the bridge, not the SSID of the wireless connection inside the bridge (which the bridge masks). |
| NIC Description | This criterion has the following options: |
| DHCP Connection DNS Suffix | This criterion has the following options: |
| ICMP Request (Ping) | This criterion has the following options: |
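To make the selection rule concrete (each matched parameter adds weight, the highest total wins, and the group's default location is the fallback when no location is valid), here is an added Python model of that logic. It is not Symantec's code or SEP's actual algorithm: the rule that a location is valid only when every one of its conditions matches, the tie handling, the group itself, and the subnet, gateway MAC address and DNS suffix values are all assumptions made for illustration, and the client states are constructed, not captured from a real client.

```python
"""Toy model of SEP-style location selection with weighted conditions.

Added example, not Symantec's code. Assumptions (mine, not stated on the page):
  * a location is valid only when every one of its conditions matches, where a
    negative condition matches when its test fails;
  * among valid locations the client takes the one with the most matched
    conditions (the highest weight), keeping the first on a tie;
  * if no location is valid, the client falls back to the group's default.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional

# What the client observes: ip, gateway_mac, dns_suffix, conn (connection type).
NetState = Dict[str, str]


@dataclass
class Condition:
    criterion: str                     # e.g. "Gateway Address"
    test: Callable[[NetState], bool]
    negate: bool = False               # negative condition: match when the test fails

    def matches(self, state: NetState) -> bool:
        return bool(self.test(state)) != self.negate


@dataclass
class Location:
    name: str
    conditions: List[Condition] = field(default_factory=list)

    def weight(self, state: NetState) -> Optional[int]:
        """Matched-condition count, or None when any condition fails (not valid)."""
        results = [c.matches(state) for c in self.conditions]
        return sum(results) if all(results) else None


MAX_RECOMMENDED_LOCATIONS = 7  # the per-group limit the page recommends


def validate_group(locations: List[Location], default: Location) -> List[str]:
    """Configuration checks to run before assigning the group."""
    problems = []
    if default not in locations:
        problems.append(f"default location {default.name!r} is not in the group")
    if len(locations) > MAX_RECOMMENDED_LOCATIONS:
        problems.append(f"{len(locations)} locations exceed the recommended "
                        f"{MAX_RECOMMENDED_LOCATIONS}")
    return problems


def select_location(locations: List[Location], default: Location, state: NetState) -> str:
    """Name of the valid location with the highest weight, else the default."""
    best, best_weight = default, -1
    for loc in locations:
        w = loc.weight(state)
        if w is not None and w > best_weight:
            best, best_weight = loc, w
    return best.name


# Condition builders for a few of the criterion types in the table above.
def in_subnet(cidr: str) -> Callable[[NetState], bool]:
    net = ip_network(cidr)
    return lambda st: ip_address(st["ip"]) in net

def gateway_mac(mac: str) -> Callable[[NetState], bool]:
    return lambda st: st.get("gateway_mac", "").lower() == mac.lower()

def dns_suffix(suffix: str) -> Callable[[NetState], bool]:
    return lambda st: st.get("dns_suffix", "").lower() == suffix.lower()

def connection_type(kind: str) -> Callable[[NetState], bool]:
    return lambda st: st.get("conn") == kind


# Hypothetical group: subnet, MAC address and suffix are made up for the example.
OFFICE = Location("Office", [
    Condition("Computer IP Address", in_subnet("10.20.0.0/16")),
    Condition("Gateway Address", gateway_mac("00:11:22:33:44:55")),
    Condition("DHCP Connection DNS Suffix", dns_suffix("corp.example")),
])
VPN = Location("VPN", [
    Condition("Network Connection Type", connection_type("vpn")),
    Condition("DHCP Connection DNS Suffix", dns_suffix("corp.example")),
])
HOME = Location("Home", [
    Condition("Computer IP Address", in_subnet("10.20.0.0/16"), negate=True),
    Condition("Network Connection Type", connection_type("vpn"), negate=True),
])
DEFAULT = Location("Default")   # no conditions: always valid, weight 0
GROUP = [OFFICE, VPN, HOME, DEFAULT]

# Constructed client states (not captured from a real client).
STATE_OFFICE = {"ip": "10.20.5.7", "gateway_mac": "00:11:22:33:44:55",
                "dns_suffix": "corp.example", "conn": "ethernet"}
STATE_VPN = {"ip": "10.20.200.3", "gateway_mac": "aa:bb:cc:dd:ee:ff",
             "dns_suffix": "corp.example", "conn": "vpn"}
STATE_HOME = {"ip": "192.168.1.10", "gateway_mac": "aa:bb:cc:dd:ee:ff",
              "dns_suffix": "lan", "conn": "wireless"}
# Office subnet but wrong gateway and no corporate suffix: only Default is valid.
STATE_LOOKALIKE = {"ip": "10.20.5.7", "gateway_mac": "de:ad:be:ef:00:01",
                   "dns_suffix": "", "conn": "ethernet"}

if __name__ == "__main__":
    for problem in validate_group(GROUP, DEFAULT):
        print("config:", problem)
    for label, st in [("office", STATE_OFFICE), ("vpn", STATE_VPN),
                      ("home", STATE_HOME), ("lookalike", STATE_LOOKALIKE)]:
        print(f"{label:>9}: {select_location(GROUP, DEFAULT, st)}")
```

The lookalike state is the case worth studying: the client sits on an address in the office range, but because the Office location also requires the gateway MAC address and the corporate DNS suffix it is not valid, and the client lands on Default rather than on the permissive office policy. Combining several criteria in this way is what keeps an untrusted network from satisfying a trusted location by coincidence or by design; a location keyed on an IP range alone offers little assurance.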
Use this dialog to configure the general location awareness and client restart settings. These settings are applied to each client within the selected group.
| Option | Description |
| --- | --- |
| Location Settings: Remember the last location | At initial logon, Endpoint Protection uses the last-used location. |
| Enable Location Awareness | Automatically selects the correct location in which to place the clients. The location determines which policy takes effect. Restarts the client in the last-used location before the user turned off the client computer. |
Restart options specify how the client computer restarts after client installation, or when the client computer shuts down.
You can configure the following restart options:
| Option | Description |
| --- | --- |
| Prompt the user to restart the computer | Displays a notification on the client to prompt the user to restart the client computer. The user can click No to postpone the restart. |
| Message | Additional text that you can add to the notification. |
| Maximum number of snooze opportunities | The number of times the user can postpone the restart before the computer restarts automatically. |
| Maximum time between snoozes (seconds) | The time between when the user postpones the restart and when the notification appears again. |
| Force the computer to restart | The computer restarts automatically. The user has no opportunity to postpone the restart. |
Control of the policies that are assigned to clients is contingent on the location from which a client connects. Therefore, you should enable location awareness.
To enable a client's automatic assignment of policies
You can add locations to a group with a wizard, and each location can have its own set of policies and settings. When a location's conditions are met, the client switches to that location and its security settings take effect.
The appropriate security policy typically depends on where the client is when it connects to the network. Enabling location awareness lets a stricter policy apply automatically when a client connects from a less trusted location.
To add a location with a wizard
The Endpoint Protection Manager includes a default Firewall Policy with firewall rules and firewall settings for the office environment. The office environment is normally under the protection of corporate firewalls, boundary packet filters, or antivirus servers. Therefore, it is normally more secure than most home environments where limited boundary protection is available.
When the console is installed for the first time, it automatically adds a default Firewall Policy to each group. Every time you add a new location, the console automatically copies a Firewall Policy to the default location.
If the default protection is not appropriate, you can customize it using the Firewall Policy for each location, such as for a home site or customer site. If the default Firewall Policy is not what you need, you can edit or replace the policy with another shared policy.
| Component | Description |
| --- | --- |
| Firewall rules | Policy components that control how the firewall protects computers from malicious incoming traffic and applications. The firewall checks all incoming and outgoing packets against these rules and allows or blocks each packet based on the information specified in the rules. |
| Smart traffic filters | Allow the specific types of traffic that are required on most networks, such as DHCP, DNS, and WINS traffic. See Firewall Policy Built-in Rules - Smart traffic filtering |
| Traffic and stealth settings | Detect and block traffic that comes from certain drivers, protocols, and other sources. See Firewall Policy - Protection and Stealth Settings |
| Peer-to-peer authentication settings | Block a remote computer from connecting to a client computer until the client computer has authenticated that remote computer. See Firewall Policy - Blocking a remote computer by configuring peer-to-peer authentication |
A location can be set to client control or mixed control so that the user can customize the Firewall Policy.
You can edit or create firewall policies similar to other types of policies. In addition, you can assign, withdraw, replace, copy, export, import, or delete firewall policies.
Typically, you can assign a policy to multiple groups in the security network. Create a non-shared, location-specific policy if there are specific requirements for a particular location.
Symantec recommends that you become familiar with the basics of policy configuration when working with policies.