Jim Waggoner Director Product Management, Symantec Endpoint Protection, Enterprise Security Group, Symantec
I am also looking for a firewall best practices document for UNMANAGED SEP11 clients. We have remote users/travelers that will very rarely connect directly to the corporate network. We want to give them guidance on how best to config so that applications will ask and the client will remember the answers, similar to Zone Alarm, etc. These clients will depend on liveupdates via hotel type internet access. Thanks!
I also would like to know how to activate the Application-Control-Notifications in this software.

Sygate Firewall Pro was one of the best application firewalls I have ever used, and I can't believe that Symantec butchered it as they did.

From my understanding, you can enable it with SEPM for a managed client, but an un-managed client is unable to use this feature. Some people stated that all you need to do is install SEPM, but to my knowledge this does not work, since SEPM does not talk to un-managed clients, therefore you would have to deploy a managed client, defeating the purpose of having an un-managed one, which I would prefer having in certain situations.

Can we just get a final straight-forward answer on this topic for once? No more speculation please. I am currently evaluating this software, and if this feature cannot be enabled I am going somewhere else.

Message Edited by Mr.Wizard on 12-27-2007 09:53 PM
Well, as it would seem, I have a solution.

To create an unmanaged client:

Use SEPM to deploy client
Set group unmanaged (road warrior)
Change Location Specific Settings to Client control
Create new Liveupdate Content Policy
Change the update source to Symantec servers.

If you want application control, change the firewall rule for "Allow Applications" from "allow" to "ask".

Then have the client do one last update from your server and you're good to go.

I have not found any way of changing the "Allow Applications" rule from within an unmanaged cdrom install though. I am currently seeing if there is a setting in the xml files that can be changed or something.
UPDATE: Seems that you have to push the "Allow Applications" rule above the blue line for it to migrate to a client before giving the client full control. Anything below the blue line gets overwritten on the client side.

Will we see an updated Firewall:Rules UI for the client in future versions? Where we can add more detailed rules like the "Allow Applications=ask"?

It would certainly make my day.
I agree - it seems like the basic use case of an unmanaged client (mobile road warrior) didn't include basic firewall configuration features. It shouldn't be too difficult to slip this into an MR release as the bones are all there. But I am disheartened that unmanaged clients were given short shrift rather than full access (with appropriate permission) to features found in managed clients.