What you can do with Symantec Enforcer appliances

Article:HOWTO55701  |  Created: 2011-06-29  |  Updated: 2011-11-17  |  Article URL http://www.symantec.com/docs/HOWTO55701
Article Type
How To



The Enforcer appliance is installed at network endpoints for external clients or internal clients.

For example, you can install an Enforcer appliance between the network and a VPN server. You can also set up enforcement on the client computers that connect to the network with an 802.1x-aware switch or a wireless access point.

An Enforcer appliance performs host authentication rather than user-level authentication. It ensures that the client computers that try to connect to an enterprise network comply with the security policy of that enterprise. You can configure specific security policies on the Symantec Endpoint Protection Manager.

If the client does not comply with the security policies, the Enforcer appliance can take the following actions:

  • Block access to the network.

  • Allow access to limited resources only.

  • Allow access when the client is non-compliant, and log that action.

The Enforcer appliance can redirect the client to a quarantine area with a remediation server. The client can then obtain the required software, applications, signature files, or patches from the remediation server.

For example, part of a network may already be configured for the clients that connect to the local area network (LAN) through 802.1x-aware switches. If that is the case, you can use a LAN Enforcer appliance for these clients.

You can also use a LAN Enforcer appliance for the clients that connect through a wireless access point that is 802.1x-enabled.

See How the LAN Enforcer appliance works.

See Planning for the installation of a LAN Enforcer appliance.

If you have employees who work remotely and connect through a VPN, you can use the Gateway Enforcer appliance for those clients.

You can also use the Gateway Enforcer appliance if a wireless access point is not 802.1x-enabled.

See How the Gateway Enforcer appliance works.

See Installation planning for a Gateway Enforcer appliance.

If high availability is required, you can install two or more Gateway or LAN Enforcer appliances at the same location to provide failover.

See Failover planning for Gateway Enforcer appliances.

See Failover planning for LAN Enforcer appliances.

If you want to implement high availability for LAN Enforcer appliances, you must install multiple LAN Enforcer appliances and an 802.1x-aware switch. The 802.1x-aware switch is what provides high availability: if you install multiple LAN Enforcer appliances without an 802.1x-aware switch, high availability fails. You can configure an 802.1x-aware switch for high availability.

For information about the configuration of an 802.1x-aware switch for high availability, see the accompanying documentation for the 802.1x-aware switch.

In some network configurations, a client may connect to a network through more than one Enforcer appliance. After the first Enforcer appliance authenticates the client, each remaining Enforcer appliance must also authenticate the client before the client can connect to the network.


Legacy ID



v15706324_v60734173

