Endpoint Protection

Hi all.  Have a bit of an issue and was wondering if anyone can help.

My laptop users have 2 locations at this time, home and mobile.
Home being when they are on the network and can contact the management server.  (This location is wide open for our programs and file shares.)
Mobile on the other hand is completely locked down, no visible footprint and no communications in.

I want to create a third, Laptop with VPN

This location is in affect when they launch a VPN client such as Cisco, and connect to the network. 
This location allows for network apps and sharing, but no visible footprint and no traffic in.

After all that, here is my problem.

When a user goes from home to mobile, they are locked down no problem, it is when the third location is used,
The laptop will switch to HOME always before using another location

So if they go from Mobile to a VPN connection, the laptop goes from the mobile location, back to the home location, then to the VPN location.
From what I can tell everytime they switch locations from home to another location then need to switch from one location to another that is not home, it always switches to home first.

so

Home ----> Mobile
No problem (leaving network going wild on internet)

Home ----> Laptop with VPN
When at office using VPN client

Laptop with VPN ---> Home ---> Mobile
Turning VPN client off (not on network)

Mobile ---->Home ----> Laptop with VPN
Turning VPN client on (Not on network)


As you can see this opens the system to the internet with all of our open ports when switching locations. 
I have done port scans and pings when the location switch, and you can see it respond over the internet to a telnet to a port on the local machine when switching, it also responds to pings at that time as well.

After all that, how do i stop it from going home first before it goes to mobile or VPN.

Thanks
Dan

Is Home Location set as your default Location ? If yes then you can change it to office..

Yes it is, I did not put in my message above, but no matter which one I make default it goes to Home (office) first.

or maybe the default should be lockdown (mobile) when switching

What is the logic you use to determine the difference between the locations?  It could be that conditions for the Home location are met when connecting to and disconnecting from your VPN.

Also, along with what Vikram said, if none of the specific conditions are met at any point, it would use your default location.

Another thought on this subject.  You say that your Home Location is wide open, does that mean that you do not have a Firewall policy for that location or do you have one that is wide open?  I ask because it requires a reboot for the policy to take effect if going from no policy to a policy and from a policy to no policy.  But if all the locations have the same type of policies and just the settings change, you should be fine.

Home (Default)
                   (Client can connect to management server)
                   (Client Ip is NOT VPN ip range)

Mobile      
                   (If client can NOT connect to the management server)

Laptop with VPN
                   (Client computer has VPN IP Range) and
                   (Client computer has IP range of DNS servers) or
                   (Client computer does DNS lookup on internal name successfully)

Hope this is clear.

thanks
Dan

home location has policies for firewall.
Just different settings.

Thanks tho
Dan

Your logic looks ok.  One thing that we do is make our "Mobile" policy so that it does not have any conditions and then move it to the bottom of the list so if no other Location apply, they will get the Mobile Location.  I cant remeber why we did it this way verses making the Mobile location the default but it seems to work for us.

Will try that and see what happens.

Thanks
Dan

Hot damn, that worked.
Thank you