Endpoint Protection


Location Awareness with Many Groups = Admin nightmare?

  • 1.  Location Awareness with Many Groups = Admin nightmare?

    Posted Nov 17, 2010 08:56 AM

    Hi

    We have top level groups for machine types: Desktops, Laptops, VDIs, Servers, each broken down by major offices, giving us a total of around 60 groups. Because of varying requirements for each group of machines, inheritance is switched off.

    We now need to create firewall policies for machines connecting through a VPN. We believe the best way to do this is through Managed Locations.

    When we set up a location it appears to be group specific, implying that we would need to maintain the location independently for each group?

    This doesn't seem like a manageable solution. Is there a centralised place to manage and share location-based settings?



  • 2.  RE: Location Awareness with Many Groups = Admin nightmare?

    Posted Nov 17, 2010 09:05 AM

    You can either uncheck inheritance and manage like you are doing or do it at the top level (My Company)

    These are the only options that I'm aware of. I'm in the same boat and yes, managing multiple policies is a handful.



  • 3.  RE: Location Awareness with Many Groups = Admin nightmare?

    Posted Nov 17, 2010 09:25 AM

    Check the following articles

    Title: 'Best Practices for Symantec Endpoint Protection Location Awareness'
    Web URL: http://www.symantec.com/business/support/index?page=content&id=TECH98211&locale=en_US

    Title: 'How To Optimize Endpoint Protection for Branch Offices using GUPs, Load Balancing, and Location Awareness'
    Web URL: http://www.symantec.com/business/support/index?page=content&id=TECH94122&locale=en_US



  • 4.  RE: Location Awareness with Many Groups = Admin nightmare?

    Posted Nov 17, 2010 09:29 AM

    Ouch.... This is going to hurt then.

    We had to disable inheritance because we need to assign GUPs to each office's group. The Multiple GUPs feature was ruled out because our servers (GUPs) sit on different subnets to our clients.

     



  • 5.  RE: Location Awareness with Many Groups = Admin nightmare?

    Posted Nov 17, 2010 09:40 AM

    Hi Mudit

     

    Thanks for the link - Very Useful!

    The article mentions "GUPs should only be configured to provide updates to for clients on their local network segment." but gives no references as to how to configure this.

    As with many large organisations, our desktops/laptops and server estates are managed separately and exist on different subnets.

    Does anyone know how we can assign multiple GUPs to Branch Office groups where the GUP and client PCs are on different subnets?



  • 6.  RE: Location Awareness with Many Groups = Admin nightmare?

    Posted Nov 17, 2010 09:53 AM

    I think I have come across somewhere, that the optimal limit of locations is 7. I can see managing policies becoming a pain for sure.

     



  • 7.  RE: Location Awareness with Many Groups = Admin nightmare?

    Posted Nov 17, 2010 10:21 AM

    I have 40+ locations set up at the My Company level for GUP reasons

    And will have the same amount for my server group shortly (inheritance unchecked for the Server group)

    Is this not optimal?

    Not to mention we have offices with multiple subnets, yet all clients, regardless of subnet, are pointed to a GUP at that location. So not all clients are on the same subnet as the GUP.



  • 8.  RE: Location Awareness with Many Groups = Admin nightmare?

    Posted Nov 17, 2010 10:27 AM

    Here is the bookmark from my list:

    http://www.symantec.com/business/support/index?page=content&id=TECH98211&locale=en_US

     

    I am guessing that Symantec is saying seven locations, because of the overhead of managing the policies. If you can handle the workload and it's working now, no reason to change it, imho.

     

    Mike



  • 9.  RE: Location Awareness with Many Groups = Admin nightmare?

    Posted Nov 17, 2010 10:33 AM

    I'm leaving it for now. Eventually we are breaking AD sync and I set it up that way so even when we break AD sync and clients will go to the Default Group, they will still check in to their respective GUP. Then I can configure so there are only 3 locations (On network, Off network, and GUP)

    Either way, when breaking inheritance on many groups, policy administration is rough.

    And I could live with it for the most part except when dealing with the Settings area under the Policies tab. If you break inheritance on multiple groups and decide later you want to change the heartbeat, you have to do it for each individual group... it needs to be similar to the actual policies settings where you can change one policy but the others don't change, even though inheritance is unchecked.



  • 10.  RE: Location Awareness with Many Groups = Admin nightmare?

    Posted Nov 17, 2010 11:12 AM

    See if the following article helps

    Title: 'Configuring the Group Update Provider (GUP) in Symantec Endpoint Protection 11.0 RU5'
    Web URL: http://www.symantec.com/business/support/index?page=content&id=TECH96419&locale=en_US



  • 11.  RE: Location Awareness with Many Groups = Admin nightmare?

    Posted Nov 17, 2010 11:24 AM

    Thanks again, but no, I think there is a big design limitation with GUPs.
    The "Multiple GUP" scenario is ruled out because of the subnet limitation, so we are left with assigning Single GUPs to groups via live update policies. This creates two big disadvantages:

    1. Group inheritance has to be switched off to allow the live update policy to be changed for each group having a GUP assigned - This makes administration of all other policies an absolute nightmare.

    2. If the GUP serving a group fails there is no option for failover to another GUP.

    I would have thought the logical solution would have been to use something similar to the Management Server Lists but for GUPs and to have allowed these to be assigned to groups regardless of inheritance. It would have been much more scalable IMHO.

    Feature Request Maybe?



  • 12.  RE: Location Awareness with Many Groups = Admin nightmare?

    Posted Nov 18, 2010 10:57 AM

    @pacman

    There is an idea section where you can post this:

    https://www-secure.symantec.com/connect/security/ideas



  • 13.  RE: Location Awareness with Many Groups = Admin nightmare?

    Posted Feb 14, 2011 02:44 PM

    Hi.

    Have you implemented this yet? How successful is this set up?

    My solution is posted here & uses locations: https://www-secure.symantec.com/connect/forums/sep-gup-behavior#comment-4860361