Hi All,

Just started as the SEP administrator with my company and one of the first tasks I need to accomplish is fixing Location Awareness on our virtual machines. Our current Location Awareness has 2 locations, OFF network and ON network. ON network has no rules assigned to it and OFF network (default location) looks to verify the DNS server is not one in a set list of DNS servers. So with the current setting the VMs (in NAT mode) will always stay in the OFF Network location because the DNS is always the host system.

The problem:

We have been test several different detection / condition methods but we have encountered the same issue with each and every method. The location will not change on the VM until the next heartbeat or if we force a check in to the SEPM (ie hit the Policy update button). So as an example, a laptop with a VM running it, if we disconnect the network cable, SEP on the host will drop to OFF network, but SEP on the VM will stay ON network. If I then connect the laptop to a hotspot (off network), the host laptop will stay on the OFF Network location, but the VM is still on the ON Network location. If I let it sit until the next heartbeat or force a check in attempt it will then update it's location to OFF network.  As mentioned above, this behavior is consistent no matter what we set the Location Awareness conditions too. It's seems there is some type of trigger that is not getting activated that forces the Location Awareness test on a VM in NAT mode.

Any suggestions or guidance would be greatly appreciated!

SEPM: 12.1.5 RU5
Client: 12.1.4013.4013

I would suggest you to create more rule for on network, say for example if the machines uses the follwing IP or doesn't use these IP.

I personally prefer the "DNS Lookup" location awareness rule myself.

With this, it should work for both the physical laptops and their guests, plus you can choose the frequency the SEP client does the DNS Lookup.

Also, I'd suggest swapping the lcoations around too, to the below:

1. INSIDE - match this location if DNS Lookup successfully resolves HOSTNAME to INTERNAL IP ADDRESS
2. OUTSIDE (Default Location) - No rules

When you go into the group where the location awareness rules are and click on manage locations on the left what is you location check time set to? By default this is set to every 4 seconds so it should be picking it up without the need to force policy update. 

looks like there is a known isuse in location switching which got fixed in 12.1 RU5 so I would suggest you to upgrade the client to SEP 12.1 RU5 or above and then check it.

Client takes longer to switch locations on Windows 7

Fix ID: 3256174

Symptom: The Symantec Endpoint Protection client takes longer to switch locations on the Windows 7 operating system.

Solution: Optimized the performance of location switching by using a different Windows API.

New features and fixes in Endpoint Protection 12.1.5 (RU5)

SMLatCST and Praveen,

Thanks for the recommendations on condition sets, but unfortuntly this is not the issue. I intend on changin these rules conpletly, but can't get too that point yet since this issue exists. DNS Look up is one of the rules I would like to use, but I experienced the same issue with that condition set.

I'll have to try the RU5 client to see if ti does address this issue. We are looking to take our environment to RU 6 MP1 in about a month or two.

GeoGeo,

It's currently set to 5 seconds, but it does't seem to  be running the full LA test at thoes intervals.

Another item to mention is that if we make the netowrk change on the VM and not the host (ie disable the VM network adapter or force the network adapter to a local hots/client private network) the rules work perfectly. It something about the network changing on the host side that SEP is not seeing thus not applying the location aweness test/conditions.

Sounds a little odd to me.  Got a couple of questions for you...

1. You state that the guest normally stick to the OFF network location because theor DNS Servers never match those on the list.  In which case, are you manually setting them to ON network to demonstrate this issue?
2. Does the issue persist if you bridge the guest network connection, instead of NAT'ing it?

Finally, have you reviewd the below article on Location Awareness scoring?

http://www.symantec.com/docs/TECH97097

SMLatCST,

1. No, I was describing how our current PROD environment is set up. We use no ON-Network conditions, for our OFF-Network or only condifition is that the DNS is not part of a provded list. So with these current conditions our VMs (in NAT mode) will alwas stay in the OFF-Network lacation becuase the DNS server never changes from the local host.

This is the behavior I am attempting to eliminate by changing the condition sets for both locations. I am testing this via a TEST container with seperate location conditions outside of the PROD contitions. So the current PROD conditions play no part.

2. In Bridge mode the conditions work as designed and there is no delay in the location switching.

Praveen,

You nailed it. I upgraded 2 Virtual Machines to RU5 today and Location Awareness works perfectly now.

Thanks for the input!

Issue resolved. Looks like this is a known issue with the version (RU4) that we are on. Upgrading the test VMs to RU5 fixed the location switching delay.

Hi Jeff_NC,

I am happy that your issue is resolved.