Managing locations for remote clients

Article:HOWTO81171  |  Created: 2012-10-24  |  Updated: 2014-09-21  |  Article URL
Article Type
How To


Managing locations for remote clients

You add locations after you set up the groups that you need to manage. Each group can have different locations if your security strategy requires it. In the Symantec Endpoint Protection Manager console, you set up the conditions that trigger automatic policy switching based on location. Location awareness automatically applies the security policy that you specify to a client, based on the location conditions that the client meets.

Location conditions can be based on a number of different criteria. These criteria include IP addresses, type of network connection, whether the client computer can connect to the management server, and more. You can allow or block client connections based on the criteria that you specify.

A location applies to the group you created it for and to any subgroups that inherit from the group. A best practice is to create the locations that any client can use at the My Company group level. Then, create locations for a particular group at the subgroup level.

It is simpler to manage your security policies and settings if you create fewer groups and locations. The complexity of your network and its security requirements, however, may require more groups and locations. The number of different security settings, log-related settings, communications settings, and policies that you need determines how many groups and locations you create.

Some of the configuration options that you may want to customize for your remote clients are location-independent. These options are either inherited from the parent group or set independently. If you create a single group to contain all remote clients, then the location-independent settings are the same for the clients in the group.

The following settings are location-independent:

  • Custom intrusion prevention signatures

  • System Lockdown settings

  • Network application monitoring settings

  • LiveUpdate content policy settings

  • Client log settings

  • Client-server communications settings

  • General security-related settings, including location awareness and Tamper Protection

To customize any of these location-independent settings, such as how client logs are handled, you need to create separate groups.

Some settings are specific to locations.

As a best practice, you should not allow users to turn off the following protections:

  • Auto-Protect


  • For 11.0 clients, TruScan proactive threat scans

  • Tamper Protection

  • The firewall rules that you have created

Table: Location awareness tasks that you can perform



Plan locations

You should consider the different types of security policies that you need in your environment to determine the locations that you should use. You can then determine the criteria to use to define each location. It is a best practice to plan groups and locations at the same time.

See Managing groups of clients.

You may find the following examples helpful:

See Setting up Scenario One location awareness conditions.

See Setting up Scenario Two location awareness conditions.

Enable location awareness

To control the policies that are assigned to clients contingent on the location from which the clients connect, you can enable location awareness.

See Enabling location awareness for a client.

Add locations

You can add locations to groups.

See Adding a location to a group.

Assign default locations

All groups must have a default location. When you install the console, there is only one location, called Default. When you create a new group, its default location is always Default. You can change the default location later after you add other locations.

The default location is used if one of the following cases occurs:

  • One of the multiple locations meets location criteria and the last location does not meet location criteria.

  • You use location awareness and no locations meet the criteria.

  • The location is renamed or changed in the policy. The client reverts to the default location when it receives the new policy.

See Changing a default location.

Configure communications settings for locations

You can also configure the communication settings between a management server and the client on a location basis.

See Configuring communication settings for a location.

See the knowledge base article Best Practices for Symantec Endpoint Protection Location Awareness.

See Configuring communication settings for a location.

See Managing remote clients.

Legacy ID


Article URL

Terms of use for this information are found in Legal Notices