Endpoint Protection

  • 1.  Internal Location Awareness Policy in SEPM

    Posted Feb 16, 2014 04:44 PM

    Hi Guys,

    Last week we had a major issue with our SEPM servers.

    I won't get you into the whole story, but I can tell that it seems the current Internal Location Awareness policy we had is not good enough.

    Today we are using 1 condition that has two rules:

    1. Client can communicate with SEPM Management Servers.

    2. DNS lookup for one of our addresses.

    I can tell that the problem was that the main SEPM server got into freeze mode, and for some reason, until we shut it down completely, the clients did not start communicating with the other SEPM server we have.

    The problem caused clients to get into external mode, since they tried to communicate with the main SEPM server and did not get any response; therefore they got into external mode, which prevented them from getting to some shares on the network, or even printing.

     

    I would like to get from you guys any ideas for the most secure Internal policy you are using.

    I do not want to use an IP address or a hostname, because as far as I understand they can be spoofed.

    If you have any ideas, I will be glad to hear them.

     

    Thanks,

    Dor



  • 2.  RE: Internal Location Awareness Policy in SEPM

    Posted Feb 16, 2014 04:50 PM

    Did DNS fail for some reason? Can you be more specific on what happened? The clients just went "offline"?

    Did something change recently or was this not always working?

    Have you gone through this?

    Best Practices for Symantec Endpoint Protection Location Awareness



  • 3.  RE: Internal Location Awareness Policy in SEPM

    Posted Feb 16, 2014 04:57 PM

    Hi Brian.

    Thanks for the fast response.

    I will try to clarify,

    These rules have "and" between them, which means that SEP clients need to be able to communicate with the SEPM servers and be able to perform a DNS lookup.

     

    The problem is that because of the issue we had with the main SEPM server, clients went to offline mode.

    What is amazing is that once we shut down the main server, the clients came back to online mode and started to communicate with the second server.

    I can't tell why they did not recognize the second server (when the main SEPM was in freeze mode), Symantec could not explain it either.

    The main point is that I do not want to get into this issue once again, so I do not see any special reason to keep using the rule of "communication with SEPM servers".

    The point is that I would like to get other ideas from other organizations for using an internal policy.

    Thanks a lot,

    Dor



  • 4.  RE: Internal Location Awareness Policy in SEPM

    Posted Feb 16, 2014 05:08 PM

    Did you figure out what happened to the main SEPM?

    I use an IP range, so for instance, clients that connect to the SEPM and fall into an IP range (ex. 192.168.1.0/24) will be identified as coming from a particular location.



  • 5.  RE: Internal Location Awareness Policy in SEPM

    Posted Feb 17, 2014 02:35 AM

    Have you tried using other conditions like DNS server address or DHCP server address? Those will be different between your internal and external networks and should work much more reliably than the connection to SEPM condition.



  • 6.  RE: Internal Location Awareness Policy in SEPM

    Posted Feb 17, 2014 04:05 AM

    My personal preference has always been to use a DNS lookup of an internal hostname only.  It's obviously pretty accurate, and as reliable as your DNS (which is usually pretty reliable).

    I also recommend against using the "Management Server Connection" rule in general, as even a short network blip could potentially flip your clients into the "External" location.
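As an added illustration (not code from any poster or from Symantec), the Python script below models how the location conditions discussed in replies 4 through 6 behave when evaluated with "and" between them, using a few constructed client snapshots that include the SEPM-freeze case from the original post. The subnets, resolver and DHCP addresses, scenario values and the condition names are all assumptions made for the example; SEPM's real policy engine is not being called.

```python
"""Model SEPM-style location-awareness evaluation against constructed client states."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ClientNetworkState:
    """Constructed snapshot of what a SEP client can observe about its own network."""
    ip: str                        # address of the primary interface
    dns_servers: Tuple[str, ...]   # resolvers configured on the client
    dhcp_server: Optional[str]     # DHCP server that issued the lease; None for a static address
    internal_name_resolves: bool   # DNS lookup of an internal-only hostname returned the expected address
    sepm_reachable: bool           # the client currently gets a response from a management server


# Hypothetical internal network facts (constructed for this example; replace with your own).
INTERNAL_SUBNETS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.20.0.0/16")]
INTERNAL_DNS_SERVERS = {"192.168.1.10", "192.168.1.11"}
INTERNAL_DHCP_SERVERS = {"192.168.1.20"}

Condition = Callable[[ClientNetworkState], bool]


# One function per location-awareness condition mentioned in the thread.
def ip_range(state: ClientNetworkState) -> bool:
    return any(ipaddress.ip_address(state.ip) in net for net in INTERNAL_SUBNETS)


def dns_server_address(state: ClientNetworkState) -> bool:
    return any(server in INTERNAL_DNS_SERVERS for server in state.dns_servers)


def dhcp_server_address(state: ClientNetworkState) -> bool:
    return state.dhcp_server in INTERNAL_DHCP_SERVERS


def dns_lookup(state: ClientNetworkState) -> bool:
    return state.internal_name_resolves


def management_server_connection(state: ClientNetworkState) -> bool:
    return state.sepm_reachable


def evaluate(conditions: List[Condition], state: ClientNetworkState,
             require_all: bool = True) -> Tuple[str, Dict[str, bool]]:
    """Return ("Internal" or "External", per-condition results).

    require_all=True models the "and" between rules described in the thread;
    require_all=False models "any rule matches".
    """
    results = {cond.__name__: cond(state) for cond in conditions}
    matched = all(results.values()) if require_all else any(results.values())
    return ("Internal" if matched else "External"), results


# The original poster's policy: SEPM connectivity AND an internal DNS lookup.
ORIGINAL_POLICY: List[Condition] = [management_server_connection, dns_lookup]
# A replacement built only from conditions that do not depend on SEPM health.
REPLACEMENT_POLICY: List[Condition] = [dns_server_address, dns_lookup]

# Constructed scenarios (assumed values).
SCENARIOS = {
    "office_normal": ClientNetworkState("192.168.1.55", ("192.168.1.10",), "192.168.1.20", True, True),
    "office_sepm_frozen": ClientNetworkState("192.168.1.55", ("192.168.1.10",), "192.168.1.20", True, False),
    "office_static_ip": ClientNetworkState("10.20.5.9", ("192.168.1.11",), None, True, True),
    "home_vpn_down": ClientNetworkState("10.0.0.7", ("8.8.8.8",), "10.0.0.1", False, False),
}


def compare(state: ClientNetworkState) -> Dict[str, str]:
    """Location the client would land in under each policy."""
    return {
        "original": evaluate(ORIGINAL_POLICY, state)[0],
        "replacement": evaluate(REPLACEMENT_POLICY, state)[0],
    }


if __name__ == "__main__":
    for name, snapshot in SCENARIOS.items():
        print(f"{name:20s} {compare(snapshot)}")
```

Running it shows the failure described in the thread: with the SEPM frozen, the original policy drops an on-site client to External even though its resolver and DNS lookup still identify the office network, while the replacement stays Internal. The `office_static_ip` scenario is the caveat to reply 5: a client with no DHCP lease fails a DHCP-server-address condition, so that condition should be combined with others rather than used alone.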