Install all the clients with NTP and device control ,Create a allow all rule for Firewall. For this
Do as follows
create a new custom Client Install Feature Set
Open the Symantec Endpoint Protection Manager console.
On the Admin tab, under Tasks, click Install Packages.
The current default client installation packages appear on the right.
Under View Install Packages, click Client Install Feature Sets.
Under Tasks, click Add Client Install Feature Sets.
Specify the name you would like the Client Install Feature Set to have.
Give the Client Install Feature Set a description.
Select the components you want to include in the install package from the following list:
AntiVirus and AntiSpyware Protection
AntiVirus Email Protection
Microsoft Outlook Scanner
Lotus Notes Scanner
POP3/SMTP Scanner
Proactive Threat Protection
Application and Device Control
Network Threat Protection
Network Threat Protection
Assign the package to groups
Click Admin > Install Packages.
In the lower-left pane, under Tasks, click Upgrade Groups with Package.
In the Welcome to the Upgrade Groups Wizard panel, click Next.
In the Select Client Install Package panel, all existing client packages are listed in the drop down box. Select one of the following:
Symantec Endpoint Protection <appropriate version>.
Click Next.
In the Specify Groups panel, check one or more groups that contain the client computers to be migrated, then click Next.
In the Package Upgrade Settings panel, check Download client from the management server.
Click Upgrade Settings.
In the Add Client Install Package dialog box, on the General tab, specify not to keep existing client features , then configure a schedule for when to migrate the client computers. Under the Notification tab, specify a message to display to users during the migration.
If the clients in the group run a version of Symantec Endpoint Protection previous to MR2, turn off scheduling. Scheduling is on by default when a new client install package is added to a group. If scheduling is turned on, the upgrade fails. To turn off scheduling, in the Add Client Install Package dialog box, uncheck Upgrade Schedule.
For details about settings on these tabs, click Help.
Click OK.
In the Upgrade Groups Wizard dialog box, click Next.
In the Upgrade Groups Wizard Complete panel, click Finish.
-------------------------------------------------------------------------------------------------
Create a allow all rule in firewall and keep it as the first rule
Note:After checking in a test seup you can remove it and can add req. rule so that u can enjoy the advantage of NTP also.
For more info refer
How to add a rule using the"Add Firewall Rule Wizard"
Keep the groups in server control mode .You can do this in Clients----> <Prefered group> -->policies ----->Location specific settings---->Client user interface control settings