Best practices for Endpoint Protection location awareness (2023)

Content

  • Locations and location awareness
  • Location planning
  • Default locations
  • Location-specific conditions
  • General client configuration
  • Automatic policy assignment
  • Add locations to groups with a wizard
  • Firewall locations and policies

Locations and location awareness

Users often need to connect to the network from different locations, including home, the office, or remote locations when traveling. You can assign a separate security policy to each location or type of network connection (wireless, Ethernet, or VPN). This keeps the client from being exposed to attack while automating the policy switch.

To protect your network, you configure the conditions that trigger this automatic switch, called location awareness, so that the most appropriate security policy is applied on a client or server. Which security policy is most appropriate generally depends on the location from which the user connects.

You can assign a set of conditions to each location in a group; these conditions automatically select the correct security policy for the user's environment. Conditions include information such as the network configuration of the computer that initiated the network access request. An IP address, a MAC address, or the address of a directory server can also serve as a condition.

If you change the security policy in the console, the management server updates the policy on the client, or the client downloads the policy. If the current location is no longer valid after the update, the client either switches to another valid location or uses the default location.

Note: Symantec recommends no more than seven (7) locations per group when using location awareness. Exceeding this number can increase the time the Endpoint Protection client takes to evaluate the conditions and settle on a location whose conditions are all met.


Location planning

Before adding locations to a group, consider what types of security policies you need in your environment. Also consider the following questions, which define each location:

  • From which locations do users connect?
    • Consider which locations to create and how to label each one. For example, users can connect at the office, from home, from a customer site, or from another remote location such as a hotel while traveling. A large site may require additional locations.
  • Should location awareness be enabled for each location?
  • If you use location awareness, how will you identify the location?
    • Identify the location by IP address, WINS, DHCP, or DNS server address, network connection, or other criteria.
    • If you identify the location by network connection, what type of connection is it? For example, the network connection could be a connection to Endpoint Protection Manager, a dial-up network, or a specific brand of VPN server.
  • Should clients that connect at this location use a specific type of control, such as server control, mixed control, or client control?
  • Should host integrity checks run at each location? Alternatively, should the policy skip the checks at some locations, for example when the client is not connected to Endpoint Protection Manager?
  • Which applications and services should you allow at each location?
  • Should the location use the same communication settings as the other locations in the group, or different settings? Note: You can use a unique set of communication settings for each location.

Default locations

Endpoint Protection Manager uses the default location for a group if one of the following occurs:

  • One of the locations meets the location criteria, and the last used location does not meet the location criteria.
  • You use location awareness and no location meets the criteria.
  • You rename a location or change it in the policy; the client returns to the default location when it receives the new policy.

When you install Symantec Endpoint Protection Manager (SEPM) for the first time, only the default location, called "Default", is set. At that time, the default location of each group is "Default". You can change it to a more suitable location after you have added other locations. Each group must have a default location. You may prefer to set a location such as "Home" or "Travel" as the default location.

Location-specific conditions

You can specify a series of conditions that determine when a client computer is allowed to switch to another location before it is allowed to connect to your network. The switch lets a different set of security policies apply when a client computer connects to the network from a more vulnerable location.

If the conditions match, the client computer automatically switches to the designated location in the group, with its associated policy, and the computer can connect to your network.


Conditions can be positive or negative, for example:

  • Positive: A client computer matches because it uses an IP address within a specified range, or because it has a specified registry key.
  • Negative: A client computer matches if it does not use a specified wireless SSID. You can add, edit, or delete these conditions.

Table: Endpoint Protection 14 available location criteria

Option

Description

Computer IP address

This criterion has the following options:

  • Whether the client computer has one of the specified IP addresses.
  • Whether all of the client computer's IP addresses are listed.
  • Whether the client computer has none of the specified addresses.

You can specify the following types of criteria and their values: IP address, IP range, or subnet address and subnet mask.

Gateway address

This criterion has the following options:

  • Whether the client computer's gateway address is one of the specified addresses. This condition includes every computer that matches one of the specified addresses.
  • Whether the client computer's gateway address matches none of the listed addresses.

You can specify the following types of criteria and their values: IP address, IP range, subnet address and subnet mask, or MAC address.

WINS server address

This criterion has the following options:

  • Whether the client computer uses one of the specified WINS server addresses.
  • Whether all of the client computer's WINS servers are listed.
  • Whether the client computer uses none of the listed WINS server addresses.

You can specify the following types of criteria and their values: IP address, IP range, or subnet address and subnet mask.

DNS server address

This criterion has the following options:

  • Whether the client computer uses one of the specified DNS server addresses.
  • Whether all of the client computer's DNS servers are listed.
  • Whether the client computer uses none of the specified DNS server addresses.

You can specify the following types of criteria and their values: IP address, IP range, or subnet address and subnet mask.

DHCP server address

This criterion has the following options:

  • Whether the client computer's DHCP server address is one of the specified addresses.
  • Whether the client computer's DHCP server address matches none of the listed addresses.

You can specify the following types of criteria and their values: IP address, IP range, subnet address and subnet mask, or MAC address.

Network connection type

This criterion has the following options:

  • Whether the client computer uses the specified network connection type.
  • Whether the client computer does not use the specified network connection type.

In Endpoint Protection 14 you can specify the following network connection types:

  • Any network
  • Dial-up network
  • Ethernet
  • Wireless
  • Check Point VPN-1
  • Cisco 3000 VPN
  • Microsoft PPTP VPN
  • Juniper NetScreen or SafeNet VPN
  • Nortel Contivity VPN
  • Aventail SSL VPN
  • Juniper SSL VPN

Management server connection

This criterion has the following options:

  • Whether the client computer can connect to the management server.
  • Whether the client computer cannot connect to the management server.

Note: Symantec does not recommend using the management server connection criterion unless a separate set of management servers is used for the location. A server outage or connection problem causes clients to change location.

Trusted Platform Module

This criterion has the following options:

  • Whether the client computer uses the specified Trusted Platform Module.
  • Whether the client computer does not use the specified Trusted Platform Module.

You can specify the following types of Trusted Platform Module:

  • Any TPM token
  • IBM TPM token
  • HP TPM token

DNS lookup

This criterion has the following options:

  • Whether the client computer can resolve the specified host name.
  • Whether the client computer cannot resolve the specified host name.

You specify the host name and the address it should resolve to.

Registry key

This criterion checks the following conditions:

  • Whether the specified registry key name or registry value name exists, or does not exist, on the client computer.
  • Whether the data in the specified registry value equals, or does not equal, the data you specify. You identify the value by its key name, value name, and value type (string, DWORD, or binary).

Wireless SSID

This criterion has the following options:

  • Whether the client computer uses one of the specified wireless SSIDs.
  • Whether the client computer does not use one of the specified wireless SSIDs.

Network card description

This criterion has the following options:

  • Whether the client computer uses one of the specified NIC descriptions.
  • Whether the client computer does not use one of the specified NIC descriptions.

DHCP connection DNS suffix

This criterion has the following options:

  • Whether the client computer uses one of the specified DNS suffixes.
  • Whether the client computer does not use one of the specified DNS suffixes.

ICMP request (ping)

This criterion has the following options:

  • Matches if any one of the specified hosts can be pinged.
  • Matches only if all of the specified hosts can be pinged.
  • Matches if any one of the specified hosts cannot be pinged.
  • Matches only if none of the specified hosts can be pinged.
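To make the option semantics in the table concrete, here is an added example (not Symantec's code and not from the original page): a small Python evaluator that applies the "any / all / none" options to a client's network facts and falls back to the group's default location when nothing matches. The location names, addresses and client facts are constructed, and the example assumes that conditions within a location are ANDed and that the first fully matching location wins.

```python
import ipaddress

# Added illustration, not Symantec's code: evaluates the option semantics of the
# criteria table above against a client's network facts. Condition modes:
#   "any"  -> at least one of the client's values is in the specified list
#   "all"  -> every one of the client's values is in the specified list
#   "none" -> none of the client's values is in the specified list
# Assumed: conditions within a location are ANDed; locations are checked in
# order and the first full match wins; otherwise the default location applies.

ADDRESS_KINDS = {"ip", "gateway", "dns_server", "dhcp_server", "wins_server"}


def address_in_spec(value, spec):
    """True if IP string `value` matches `spec`: one address, a range written
    'start-end', or a subnet in CIDR form (subnet address plus mask)."""
    ip = ipaddress.ip_address(value)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(spec, strict=False)


def condition_matches(client, cond):
    """Evaluate one positive ("any"/"all") or negative ("none") condition."""
    kind, mode, spec = cond["kind"], cond["mode"], cond["spec"]
    values = client.get(kind, [])
    if kind in ADDRESS_KINDS:
        hits = [any(address_in_spec(v, s) for s in spec) for v in values]
    else:  # ssid, connection_type, dns_suffix: exact string comparison
        hits = [v in spec for v in values]
    if mode == "any":
        return any(hits)
    if mode == "all":  # a client with no value of this kind cannot satisfy "all"
        return bool(hits) and all(hits)
    if mode == "none":
        return not any(hits)
    raise ValueError(f"unknown mode {mode!r}")


def select_location(client, locations, default="Default"):
    """Name of the first location whose conditions all hold, else the default."""
    for loc in locations:
        if all(condition_matches(client, c) for c in loc["conditions"]):
            return loc["name"]
    return default


# Constructed sample group: three locations plus the implicit "Default".
LOCATIONS = [
    {"name": "Office", "conditions": [
        {"kind": "ip", "mode": "any", "spec": ["10.0.0.0/8"]},
        {"kind": "dns_server", "mode": "all", "spec": ["10.0.0.53", "10.0.1.53"]},
    ]},
    {"name": "Remote-VPN", "conditions": [
        {"kind": "connection_type", "mode": "any", "spec": ["VPN"]},
    ]},
    {"name": "Home", "conditions": [
        {"kind": "ip", "mode": "any", "spec": ["192.168.0.0/16"]},
        {"kind": "ssid", "mode": "none", "spec": ["CoffeeShop-Guest"]},  # negative
    ]},
]

# Constructed client facts (no real hosts; 203.0.113.0/24 is a documentation range).
OFFICE_PC = {"ip": ["10.20.30.40"], "dns_server": ["10.0.0.53"], "connection_type": ["Ethernet"]}
HOME_PC = {"ip": ["192.168.1.7"], "dns_server": ["192.168.1.1"], "ssid": ["HomeNet"]}
CAFE_PC = {"ip": ["192.168.4.9"], "dns_server": ["203.0.113.53"], "ssid": ["CoffeeShop-Guest"]}
```

Calling `select_location(CAFE_PC, LOCATIONS)` returns "Default" because the negative SSID condition of "Home" fails, which is the fallback behaviour the Default locations section describes.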

General client configuration

Use this dialog box to configure general location awareness settings and client restart settings. These settings apply to every client in the selected group.

Table: General settings for the client

Option

Description

Location settings: Remember the last location

On first login, Endpoint Protection uses the last used location.

  • If you have enabled location awareness, the client switches to the appropriate location after a few seconds.
  • If you have disabled location awareness, the user can manually switch between any of the locations, even when the client is under server control.
  • If a quarantine location is enabled, the client can switch to quarantine after a short period of time.

Enable location awareness

Automatically selects the location that the client is placed in. The location determines which policy takes effect. After a restart, the client returns to the location that was in use before the user shut down the client computer.

  • Note: You can use location awareness only for clients in subgroups that do not inherit their policy content from a parent group.
  • This option is enabled by default.

Table: Restart options

Restart options specify how the client computer is restarted after client installation or when the client computer is shut down.

You can configure the following restart options:

Option

Description

Prompt the user to restart the computer

Displays a message on the client that asks the user to restart the client computer. The user can click No to delay the restart.

Message

Additional text that you can add to the message.

Maximum number of snoozes

The number of times the user can delay restarting the computer before the computer restarts automatically.

Maximum time between snoozes (seconds)

The amount of time between when the user delays the restart and when the message appears again.

Notification window closes automatically after (seconds)

The number of seconds that the message remains open before the client restarts.

Force the computer to restart

The computer restarts automatically and the user cannot postpone the restart.

Automatic policy assignment

Which policy is assigned to a client depends on the location from which the client connects, so you must enable location awareness.


To enable automatic policy assignment for a client

  1. In the console, click Clients.
  2. On the Clients page, under View Clients, select the group for which you want to implement automatic location switching.
  3. On the Policies tab, uncheck Inherit policies and settings from parent group "group name".
    You can edit location-independent client settings only for groups that do not inherit these policies and settings from a parent group.
  4. Under Location-independent Policies and Settings, click General Settings.
  5. In the General Settings dialog box, on the General Settings tab, under Location Settings, check Remember the last location.
    By default, this option is enabled. The client is initially assigned the policy associated with the location from which the client last connected to the network.
    • If Remember the last location is checked: When a client computer connects to the network, the client is initially assigned a policy. This policy is associated with the last used location. If location awareness is enabled, the client automatically switches to the appropriate policy after a few seconds. The policy associated with a particular location determines the client's network connectivity. If location awareness is disabled, the user can manually switch between any of the locations, even when the client is under server control. If a quarantine location is enabled, the client can switch to the quarantine policy after a few seconds.
    • If Remember the last location is unchecked: When a client connects to the network, the client is initially assigned the policy associated with the default location. The client cannot connect to the last used location. If location awareness is enabled, the client automatically switches to the appropriate policy after a few seconds. The policy associated with a particular location determines the client's network connectivity. If location awareness is disabled, the user can manually switch between any of the locations, even when the client is under server control. If a quarantine location is enabled, the client can switch to the quarantine policy after a few seconds.
  6. Check Enable location awareness.
    By default, location awareness is enabled. The client is automatically assigned the policy associated with the location from which the user tries to connect to the network.
  7. Click OK.

Add locations to groups with a wizard

You can add locations to a group using a wizard, and each location can have its own set of policies and settings. When the location's criteria (conditions) are met, the policy can cause clients to switch to a new location with different security settings.

The best security policies generally depend on where the client is when it connects to the network. Enabling location awareness ensures that the strictest security policy is assigned to a client when it needs it.

To add a location with a wizard

  1. In the console, click Clients.
  2. On the Clients page, under View Clients, select the group to which you want to add one or more locations.
  3. On the Policies tab, uncheck Inherit policies and settings from parent group "group name".
    Add locations only to groups that do not inherit policies from the parent group.
  4. Under Tasks, click Add Location.
  5. On the Add Location Wizard welcome panel, click Next.
  6. In the Specify Location Name panel, enter a name and description for the new location, and click Next.
  7. In the Specify Condition panel, select one of the following conditions under which a client switches from one location to another:
    • No specific condition: Select this option to let the client select this location if multiple locations are available.
    • IP address range: Select this option to let the client select this location if its IP address falls within the specified range. Specify both the starting and the ending IP address.
    • Subnet address and subnet mask: Select this option to let the client select this location if its subnet address and subnet mask match the specified values.
    • DNS server: Select this option to let the client select this location if it connects to the specified DNS server.
    • Client can resolve the host name: Select this option to let the client select this location if it resolves the specified host name to the specified DNS address.
    • Client can connect to the management server: Select this option to let the client select this location if it connects to the specified management server.
    • Network connection type: Select this option to let the client select this location if it connects using the specified network connection type.
  8. Click Next.
  9. In the Add Location Wizard completion panel, click Finish.

Firewall locations and policies

Endpoint Protection Manager includes a standard firewall policy with firewall rules and firewall settings for the office environment. The office environment is usually protected by corporate firewalls, perimeter packet filters, or antivirus servers, so it is generally more secure than most home environments, where only limited protection is available.


When the console is first installed, it automatically adds a default firewall policy to each group. Each time you add a new location, the console automatically copies a firewall policy from the default location.

If the default protection is not adequate, you can customize the Firewall policy for each location, for example for a home or customer site. If the default firewall policy does not meet your needs, you can edit it or replace it with another shared policy.

Firewall policy elements

Firewall rules

Firewall rules are the policy components that control how the firewall protects computers against malicious incoming traffic and programs. The firewall automatically checks all incoming and outgoing packets against these rules and allows or blocks the packets based on the information specified in the rules.

Smart traffic filters

Allow the specific types of traffic that most networks require, such as DHCP, DNS, and WINS traffic.
See Firewall Policy: Built-in Rules - Intelligent Traffic Filtering

Traffic and stealth settings

Detect and block traffic from specific drivers, protocols, and other sources.
See Firewall Policy: Protection and Stealth Settings

Peer-to-peer authentication settings

Prevent a remote computer from connecting to a client computer until the client computer has authenticated that remote computer.
See Firewall Policy: Block a remote computer by configuring peer-to-peer authentication

A location can be set to client control or mixed control, which allows the user to customize the Firewall policy.

  • See Configuring firewall settings for mixed control

You edit or create firewall policies in the same way as other types of policies. Additionally, you can assign, withdraw, replace, copy, export, import, or delete firewall policies.

Typically, you assign a policy to multiple groups in your security network. Create a location-specific, non-shared policy if a particular location has specific requirements.


Symantec recommends that you become familiar with the basics of configuring policies before you work with firewall policies.

  • See Symantec Endpoint Protection: Policies

Author: Msgr. Benton Quitzon

Last Updated: 08/30/2023
