Best Practices for Symantec Endpoint Protection Location Awareness

Article:TECH98211  |  Created: 2009-01-20  |  Updated: 2012-06-07  |  Article URL
Article Type
Technical Solution


What is the total number of locations that can be used per Symantec Endpoint Protection (SEP) group including other considerations when deciding to use Location Awareness.



Symantec does not recommend more than seven (7) locations per group when using Location Awareness as this can affect the execution time on how long it takes the SEP client to process and ultimately connect to a valid location where all conditions have been met.

From the Symantec Endpoint Protection Manager (SEPM) side, having more than seven locations per group can also degrade SEPM and database performance as the number of policies to track increases (by a minimum of five) per each location.

Use caution when defining firewall policies that change based on location.  A common initial mistake that is made when configuring the firewall to be hardened while off the network and open when on the network is that the wrong condition could be selected for determining the location.
For example, consider using only the criteria connected to management server to determine locations. If the management server went down, all clients would switch to the remote location because there was no connection to the server. This would cause the clients to go to the hardened stance even though they were connected to the corporate network. This may not be the desired outcome.

It is critical to thoroughly test the firewall settings including Location Awareness together.

About planning locations
Before you add locations to a group, you must consider the types of security policies that you need in your environment. You also must determine the criteria that defines each location. You should consider the following questions:

  • From which locations are users connecting? Consider which locations need to be created and how to label each one. For example, users may connect at the office, from home, from a customer site, or from another remote site such as a hotel during travel. Additional qualified locations may be required at a larger site.
  • Should location awareness be set up for each location?
  • How do you want to identify the location if using location awareness? You can identify the location based on IP addresses, WINS, DHCP, or DNS server addresses, network connections, and other criteria.
  • If you identify the location by network connection, what type of connection is it? For example, the network connection may be a connection to the Symantec Endpoint Protection Manager, dial-up networking, or a particular brand of VPN server.
  • Do you want clients connecting in this location to use a specific type of control, such as server control, mixed control, or client control?
  • Do you want to do Host Integrity checks at each location? Or do you want to skip it at any time such as when not connected to the Symantec Endpoint Protection Manager?
  • What applications and services should be allowed at each location?
  • Do you want the location to use the same communication settings as the other locations in the group or to use different ones? You can set unique communication settings for one location.


Legacy ID


Article URL

Terms of use for this information are found in Legal Notices