Thank you for the comment about the Class C subnet. For a variety of reasons, we use an IP address scheme and subnetting so that any subnet has the potential to communicate with any other subnet. Any restriction to that is handled through the hardware firewall at each LAN. So using multiple defined GUPs in one policy would not work to force a client to use a particular GUP, because the client would most likely be able to communicate with the GUP in any other subnet. I need to structure my SEPM groups and policies without the need to make any hardware firewall changes for the LANs.
Now using location awareness as you suggest, using the default gateway as criteria... that is interesting. What comes to mind is how many "Locations" can be configured for a single group. Do you know if there is a limit on the number of locations one can configure on a single group?
I have 15 to 20 subnets at any given time and all of them together comprise my corporate WAN. To use your location awareness suggestion in combination with the default gateway as criteria would require, in my environment, the creation of 15 to 20 separate locations per group, wouldn't it? I think this is accurate, because to define a GUP and require a default gateway for a particular GUP to be used would necessitate creating a separate location for each subnet that has a GUP. Right? That is how it seems to me anyway. Does this seem right to you in concept?
Something more for you. I recently restructured my SEPM groups in order to use location awareness for three reasons: to use a GUP in each subnet, secondarily to block wireless communications when a laptop is in the WAN, and thirdly to use a different SEP firewall policy when the laptop is not in the corporate WAN. So, I restructured groups to have three levels: State Name as level 1, City name as level 2, and Desktop and Laptop groups as level 3. The city name, or level 2, is the unique subnet level. To make a GUP function in this scenario I had to allow level 3 to inherit level 2 policies and place the GUP at level 2. I found that putting the GUP at level 2 was required after looking at my testing results. However, now that I have run into the problem of just how do I force a client to use a GUP in the LAN it is in, well... this presented new challenges. And that is why I posted here.
I wonder if it's better to restructure my groups into something different than what I currently have, in order to obtain the functionality I need as described here.
Any further thoughts?
-IT Monkey Boy