
Location awareness: what can I control?

Updated: 08 Sep 2010 | 5 comments
Frosty

I have just conducted my first little exploration into "location awareness" and have successfully set up the following scenario:

-- renamed the default SEP location to: Connected to <COMPANY> network
---- set "Switch to this location when: client computer connects to management server"

-- set up a new location called:    Disconnected from <COMPANY> network
---- set "Switch to this location when: client computer cannot connect to management server"
---- set a non-shared Live Update policy for this location that will download updates from Symantec's public servers

 I set SEP so that when a change of location is detected (checking every 60 seconds), it displays:

    Symantec Endpoint Protection has detected a change of status/location:
    FROM: [OLD_LOCATION]
    TO:      [NEW_LOCATION]

Seems to be working just fine.  If I unplug the network cable on my laptop, it says:

    Symantec Endpoint Protection has detected a change of status/location:
    FROM: Connected to <COMPANY> network
    TO:      Disconnected from <COMPANY> network

and vice-versa when I plug the network cable back in.  So far so good. 

What I would really like to be able to do is enforce Windows Firewall to be turned ON when the computer is Disconnected From <COMPANY> Network.  We don't currently use SEP's firewall here.  I'm assuming that controlling Windows Firewall is not possible in this scenario.  Wondering whether anyone else has suggestions for how I might achieve this?


Comments

Aniket Amdekar, 04 Mar 2010

Hi,

I would recommend that you keep the Windows Firewall running [with necessary exceptions].

As SEP is not a part of the Windows OS, it cannot control the behaviour of Windows components.

Aniket

Frosty, 04 Mar 2010

Maybe GPOs are the answer

I might need to do this via Group Policy, but unfortunately it is complicated by the fact that there are a number of PCs with special configurations/software that require them to operate with Firewall OFF.  I can probably configure exceptions, or maybe put those computers into their own OU and block the enforcing of Windows Firewall ON, but will need to investigate my options there.  I guess it just would have been "cleaner" (or "easier") if I could enforce this via some kind of option in the Symantec settings.

AravindKM, 04 Mar 2010

I think running SEP firewall with different rule sets for office and out of office locations will be ideal for you. 

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

KG-China, 05 Mar 2010

by regedit to accomplish it

I think it can be achieved by modifying the registry (regedit):

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=dword:00000000

If you want to enable the firewall, change the dword value to 1, and vice versa.

You can use "Modify regedit value" in the Action in the HI policy on SEPM control to accomplish it.

You must log off and then log on to apply this.

Aniket Amdekar, 07 Mar 2010

That would add to the complexity of the solution by adding another policy that needs to be checked.

Please refer to the instructions below to disable the Windows firewall with the help of group policy:

  1. Create a new Group Policy object, and give the object a descriptive name (for example, ITS-Turn off Windows Firewall).
  2. Select the newly created group policy.
  3. Right-click on the newly created policy and select Edit.
  4. Expand the Computer Configuration folder, then the Administrative Templates folder.
  5. Expand the Network folder, then the Network Connections folder, then the Windows Firewall folder.
  6. Select the Standard Profile folder.
  7. Double-click the Windows Firewall: Protect all network connections option.
  8. Select Disabled, then click OK.
  9. Select the Domain Profile folder.
  10. Double-click the Windows Firewall: Protect all network connections option.
  11. Select Disabled, then click OK.
  12. Close the Group Policy dialog box.
  13. In the Security Filter section, click Add.
  14. Search for the objects that this group policy will be applied to, then click OK.
  15. Close the Group Policy editor.

http://www.utexas.edu/its/support/topics/disable-w...

Aniket
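
To check which of the two mechanisms discussed in this thread (the EnableFirewall registry value and the Group Policy setting "Protect all network connections") actually decides the firewall state on a client, an audit script along these lines can be run locally. It is an added example, not part of any poster's reply; the helper name Get-EnableFirewall is hypothetical, and the Policies key is assumed to be where the Group Policy setting is stored on the client.

```powershell
# Added example: report the effective Windows Firewall setting per profile.
# $LocalRoot is the key quoted in the thread; $PolicyRoot is where the Group
# Policy setting "Protect all network connections" is stored. When the policy
# value exists it takes precedence, so a local registry change has no effect.
$LocalRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

# Hypothetical helper: returns 0, 1, or $null when the value is absent.
function Get-EnableFirewall {
    param([string]$Root, [string]$ProfileName)
    $key = Join-Path $Root $ProfileName
    if (-not (Test-Path $key)) { return $null }
    $item = Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.EnableFirewall
}

$report = foreach ($name in 'StandardProfile', 'DomainProfile') {
    $gpo = Get-EnableFirewall -Root $PolicyRoot -ProfileName $name
    $loc = Get-EnableFirewall -Root $LocalRoot  -ProfileName $name

    if ($null -ne $gpo)     { $effective = $gpo;  $source = 'Group Policy' }
    elseif ($null -ne $loc) { $effective = $loc;  $source = 'Local registry' }
    else                    { $effective = $null; $source = 'Not set' }

    # Mismatch is true when the local value differs from the policy value,
    # i.e. a registry write pushed by another tool is being overridden by GPO.
    $mismatch = ($null -ne $gpo -and $null -ne $loc -and $gpo -ne $loc)

    [pscustomobject]@{
        Profile   = $name
        Policy    = $gpo
        Local     = $loc
        Effective = $effective
        Source    = $source
        Mismatch  = $mismatch
    }
}

$report | Format-Table -AutoSize

# Non-zero exit code if any profile is not explicitly enabled, so the script
# can be used as a compliance check.
$bad = @($report | Where-Object { $_.Effective -ne 1 })
if ($bad.Count -gt 0) { exit 1 } else { exit 0 }
```

A row with Source "Group Policy" and Mismatch "True" means the registry value written on the client is not the one in effect.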