
Location specific policy not opening rules/ports when switching locations

Created: 25 Apr 2013 | 4 comments
Francis-T wrote:

Hi,

 

SEP  11.0.5005.333 running on Win7 SP1 clients

We also have it running on XP SP3 clients and the SEPM is 2008 R2

Issue is with location specific firewall policies.

Our domain location is based on connectivity to the management servers, once there is no access to either management server, the offline location policy is a copy of the domain based one, with a few additional restrictions to block remote management tools, DNS resolution of the client, network neighbourhood browsing and sharing.

With an XP client, we can move between the locations and policies without issue.

With a Win7 client it can be started up on the network and gets the correct policy. Unplug the network cable and it correctly switches to the more restrictive offline policy. If you then reconnect to the network, it knows it is online as the location changes, but the more restrictive offline policy settings stay in place (if I try to ping by name, it won't resolve, which is correct for the offline policy, but should resolve and reply when on the domain).

If I then reboot the Win7 PC, it stays with the correct online policy, but the restrictions are now opened up as they should be on the domain.

So the Win7 client needs a reboot when going from offline to online policy, otherwise the offline policy restrictions stay in place

Win7 firewall service is running, but all 3 profiles are disabled.

I'm figuring this out as I go, so any pointers or info would be greatly appreciated.

 

Cheers,

Francis


SMLatCST wrote:

I'd highly recommend you upgrade to a later version of SEP and try again.  SEP11RU5 was the first to offer support for Win7, so there are likely to have been lots of fixes since then.

Just to put it into context, RU5 was released on 2009-9-18.

Also, you want at least RU7 for Windows7 SP1 support:

http://www.symantec.com/docs/TECH154768
http://www.symantec.com/docs/TECH94910

Not to mention SEP12.1, which provides better protection and all-round performance.

.Brian wrote:

You can turn on WPP debug logging to show the AutoLocation switching information per this article:

How to debug the Symantec Endpoint Protection client

Article:TECH102412  |  Created: 2007-01-06  |  Updated: 2013-03-27  |  Article URL http://www.symantec.com/docs/TECH102412

 

But as already mentioned, you should consider upgrading first to see if it resolves the issue.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Francis-T wrote:

You're quite right, I skipped the basics and forgot to check OS compatibility for the different versions!

I'll have a look at the logging in the meantime in case it offers up anything else.

Thanks

Chetan Savade wrote:

Hi,

There are a few fix IDs if we check the SEP 11 fix notes.

Reference: http://www.symantec.com/business/support/index?pag...

SEP till date releases: http://bit.ly/m0vOJp

Auto-location switching does not work properly after upgrade to Symantec Endpoint Protection 11.0 RU6 MP2
Fix ID: 2317185
Symptom: After upgrade to Symantec Endpoint Protection 11.0 RU6 MP2 or later, auto-location switching does not work properly. The Symantec Endpoint Protection client does not switch to new locations as expected.
Solution: The Symantec Endpoint Protection client was modified to properly switch locations when the Wireless Zero Configuration Service (WZCSVC) service is stopped.

Symantec Endpoint Protection client location awareness changes location incorrectly
Fix ID: 2189866
Symptom: A Symantec Endpoint Protection client with location awareness enabled changes locations incorrectly.
Solution: If the TTL (time-to-live) on DNS responses is very short, Symantec Endpoint Protection may incorrectly detect a new location change. Symantec Endpoint Protection was modified to handle very short TTL on DNS responses.
Juniper SSL VPN connection is not detected correctly by location awareness
Fix ID: 2114448
Symptom: The client switches to an incorrect location when connected via Juniper SSL VPN.
Solution: Juniper SSL VPN is no longer treated as Ethernet. It is now correctly filtered by description.

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
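The original post describes a client that detects the location change on reconnect but keeps the offline policy's DNS block, and the fix notes above tie faulty switching to the WZCSVC service state and to short DNS TTLs. The following PowerShell script is an added example for correlating those inputs with a switch; it is not from the thread, from Symantec, or from any of the posters. It writes a timestamped line every few seconds recording whether each management server name resolves, whether its client communication port accepts a TCP connection, and the state of WZCSVC (named in the fix note) and WlanSvc (its Win7 counterpart). The server names are placeholders, and port 8014 is assumed to be the SEPM client communication port; adjust both to your environment. Run it on the Win7 client before unplugging and replugging the cable, then line the log up with the SEP client's own location log.

```powershell
# Added example (not from the thread): log SEPM reachability and WLAN service
# state over time so that an unexpected location switch can be correlated
# with what the client could actually resolve and reach at that moment.
param(
    # Placeholder names: replace with your two management servers.
    [string[]]$ManagementServers = @('sepm1.example.local', 'sepm2.example.local'),
    # Assumed SEPM client communication port (not stated in the thread); change to yours.
    [int]$ManagementPort = 8014,
    [int]$IntervalSeconds = 15,
    [string]$LogPath = "$env:TEMP\sep-location-probe.log"
)

# Attempt a TCP connect with a timeout so a blocked port does not stall the loop.
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# The offline policy in the thread blocks DNS; this shows whether resolution works right now.
function Test-NameResolution {
    param([string]$HostName)
    try {
        $null = [System.Net.Dns]::GetHostAddresses($HostName)
        return $true
    } catch {
        return $false
    }
}

function Get-ServiceState {
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($svc) { return $svc.Status.ToString() } else { return 'absent' }
}

while ($true) {
    $stamp = (Get-Date).ToString('yyyy-MM-dd HH:mm:ss')
    $parts = @()
    foreach ($srv in $ManagementServers) {
        $dns = Test-NameResolution -HostName $srv
        $tcp = $false
        if ($dns) { $tcp = Test-TcpPort -HostName $srv -Port $ManagementPort }
        $parts += ('{0} dns={1} tcp{2}={3}' -f $srv, $dns, $ManagementPort, $tcp)
    }
    # WZCSVC is the XP service named in fix 2317185; WlanSvc is the Win7 equivalent.
    $parts += ('WZCSVC=' + (Get-ServiceState -Name 'WZCSVC'))
    $parts += ('WlanSvc=' + (Get-ServiceState -Name 'WlanSvc'))
    $line = "$stamp " + ($parts -join ' ')
    Add-Content -Path $LogPath -Value $line
    Write-Output $line
    Start-Sleep -Seconds $IntervalSeconds
}
```

A line that shows dns=True and tcp8014=True while the client is still applying the offline restrictions points at the policy-application side rather than at location detection, which is the distinction the original post is trying to make; a run where the name only resolves intermittently is the short-TTL pattern described in fix 2189866.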