
Location specific policy not opening rules/ports when switching locations

Created: 25 Apr 2013 | 4 comments
Francis-T


SEP 11.0.5005.333 running on Win7 SP1 clients

We also have it running on XP SP3 clients and the SEPM is 2008 R2

Issue is with location specific firewall policies.

Our domain location is based on connectivity to the management servers, once there is no access to either management server, the offline location policy is a copy of the domain based one, with a few additional restrictions to block remote management tools, DNS resolution of the client, network neighbourhood browsing and sharing.

With an XP client, we can move between the locations and policies without issue.

With a Win7 client it can be started up on the network and gets the correct policy. Unplug the network cable and it correctly switches to the more restrictive offline policy. If you then reconnect to the network, it knows it is online as the location changes, but the more restrictive offline policy settings stay in place (if I try to ping by name, it won't resolve, which is correct for the offline policy, but should resolve and reply when on the domain).

If I then reboot the Win7 PC, it stays with the correct online policy, but the restrictions are now opened up as they should be on the domain.

So the Win7 client needs a reboot when going from the offline to the online policy; otherwise the offline policy restrictions stay in place.

Win7 firewall service is running, but all 3 profiles are disabled.

I'm figuring this out as I go, so any pointers or info would be greatly appreciated.




SMLatCST

I'd highly recommend you upgrade to a later version of SEP and try again. SEP11 RU5 was the first to offer support for Win7, so there are likely to have been lots of fixes since then.

Just to put it into context, RU5 was released on 2009-9-18.

Also, you want at least RU7 for Windows 7 SP1 support:

Not to mention SEP 12.1, which provides better protection and all-round performance.

ᗺrian

You can turn on WPP debug logging to show the AutoLocation switching information, per this article:

How to debug the Symantec Endpoint Protection client

Article: TECH102412 | Created: 2007-01-06 | Updated: 2013-03-27

But as already mentioned, you should consider upgrading first to see if it resolves the issue.


Francis-T

You're quite right, I skipped the basics and forgot to check OS compatibility for the different versions!

I'll have a look at the logging in the meantime in case it offers up anything else.


Chetan Savade

There are a few fix IDs if we check the SEP 11 fix notes.

SEP releases to date:

Auto-location switching does not work properly after upgrade to Symantec Endpoint Protection 11.0 RU6 MP2
Fix ID: 2317185
Symptom: After upgrade to Symantec Endpoint Protection 11.0 RU6 MP2 or later, auto-location switching does not work properly. The Symantec Endpoint Protection client does not switch to new locations as expected.
Solution: The Symantec Endpoint Protection client was modified to properly switch locations when the Wireless Zero Configuration Service (WZCSVC) service is stopped.

Symantec Endpoint Protection client location awareness changes location incorrectly
Fix ID: 2189866
Symptom: A Symantec Endpoint Protection client with location awareness enabled changes locations incorrectly.
Solution: If the TTL (time-to-live) on DNS responses is very short, Symantec Endpoint Protection may incorrectly detect a new location change. Symantec Endpoint Protection was modified to handle very short TTL on DNS responses.

Juniper SSL VPN connection is not detected correctly by location awareness
Fix ID: 2114448
Symptom: The client switches to an incorrect location when connected via Juniper SSL VPN.
Solution: Juniper SSL VPN is no longer treated as Ethernet. It is now correctly filtered by description.

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
