Managing locations for remote clients
Article: HOWTO81171 | Created: 2012-10-24 | Updated: 2013-01-30 | Article URL: http://www.symantec.com/docs/HOWTO81171
You add locations after you set up the groups that you need to manage. Each group can have different locations if your security strategy requires it. In the Symantec Endpoint Protection Manager console, you set up the conditions that trigger automatic policy switching based on location. Location awareness automatically applies the security policy that you specify to a client, based on the location conditions that the client meets.
Location conditions can be based on a number of different criteria. These criteria include IP addresses, type of network connection, whether the client computer can connect to the management server, and more. You can allow or block client connections based on the criteria that you specify.
A location applies to the group you created it for and to any subgroups that inherit from the group. A best practice is to create the locations that any client can use at the My Company group level. Then, create locations for a particular group at the subgroup level.
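The following sketch is an added planning aid, not Symantec code and not how the management server is implemented. It models a group inheriting locations from its parent and a client being matched against location conditions (IP range, connection type, management-server reachability). The location and policy names, the first-match evaluation order, and the fallback to the group's default location when nothing matches are assumptions of the sketch.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Location:
    name: str
    policy: str                            # hypothetical policy label
    networks: tuple = ()                   # client IP must be in one of these, if set
    connection: Optional[str] = None       # required connection type, if set
    reaches_server: Optional[bool] = None  # required management-server reachability, if set

    def matches(self, client: dict) -> bool:
        ip = ipaddress.ip_address(client["ip"])
        if self.networks and not any(ip in ipaddress.ip_network(n) for n in self.networks):
            return False
        if self.connection is not None and client["connection"] != self.connection:
            return False
        return self.reaches_server is None or client["reaches_server"] == self.reaches_server

@dataclass
class Group:
    name: str
    parent: Optional["Group"] = None
    locations: list = field(default_factory=list)
    default: str = "Default"               # every group has a default location

    def effective_locations(self) -> list:
        # A group's own locations, then those inherited from parent groups.
        inherited = self.parent.effective_locations() if self.parent else []
        return self.locations + inherited

def select_location(group: Group, client: dict) -> Location:
    candidates = group.effective_locations()
    for loc in candidates:
        # Assumption: first match wins; the default is only a fallback.
        if loc.name != group.default and loc.matches(client):
            return loc
    return next(loc for loc in candidates if loc.name == group.default)

# Constructed sample hierarchy: shared locations at My Company, remote-only ones below it.
MY_COMPANY = Group("My Company", locations=[
    Location("Office", "Office policy", networks=("10.0.0.0/8",), reaches_server=True),
    Location("Default", "Default policy")])
REMOTE = Group("Remote Clients", parent=MY_COMPANY, locations=[
    Location("VPN", "Remote VPN policy", connection="vpn", reaches_server=True),
    Location("Off-network", "Strict remote policy", reaches_server=False)])
```

Running planned client states through `select_location` before building the locations in the console shows which states fall through to the default location and would therefore receive its policy.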
It is simpler to manage your security policies and settings if you create fewer groups and locations. The complexity of your network and its security requirements, however, may require more groups and locations. The number of different security settings, log-related settings, communications settings, and policies that you need determines how many groups and locations you create.
Some of the configuration options that you may want to customize for your remote clients are location-independent. These options are either inherited from the parent group or set independently. If you create a single group to contain all remote clients, then the location-independent settings are the same for the clients in the group.
The following settings are location-independent:
- Custom intrusion prevention signatures
- System Lockdown settings
- Network application monitoring settings
- LiveUpdate content policy settings
- Client log settings
- Client-server communications settings
- General security-related settings, including location awareness and Tamper Protection
To customize any of these location-independent settings, such as how client logs are handled, you need to create separate groups.
Some settings are specific to locations.
As a best practice, you should not allow users to turn off the following protections:
- Auto-Protect
- SONAR
- For legacy clients, TruScan proactive threat scans
- Tamper Protection
- The firewall rules that you have created
Table: Location awareness tasks that you can perform
| Tasks | Description |
|---|---|
| Plan locations | You should consider the different types of security policies that you need in your environment to determine the locations that you should use. You can then determine the criteria to use to define each location. It is a best practice to plan groups and locations at the same time. See Managing groups of clients. You may find the following examples helpful: |
| Enable location awareness | To control the policies that are assigned to clients contingent on the location from which the clients connect, you can enable location awareness. |
| Add locations | You can add locations to groups. |
| Assign default locations | All groups must have a default location. When you install the console, there is only one location, called Default. When you create a new group, its default location is always Default. You can change the default location later after you add other locations. The default location is used if one of the following cases occurs: |
| Configure communications settings for locations | You can also configure the communication settings between a management server and the client on a location basis. |
See the knowledge base article Best Practices for Symantec Endpoint Protection Location Awareness.
Legacy ID
v8447354_v81626096