Endpoint Protection

  • 1.  SEP Location Awareness issue on bootup (blocking network)

    Posted Aug 08, 2010 08:35 PM

    Hi
    I have two locations in our SEP environment.
    Office - When the laptop is in office
    Outside - When laptop is out of office (has hardened firewall policies)

    To keep it simple, I am testing with management server connection criteria only.
    Hence "Office" location's criteria is if it connects to the management server, and "Outside" location criteria is if it cannot connect to the management server. 

    The problem is at the bootup of the laptop. On my test laptop, during the startup, it is blocking network traffic (it is on "Outside" location). Because the traffic is being blocked, it is slowing the bootup process, and roaming profile fails. When the laptop eventually gets to the desktop, the location switches to "Office", and the network starts to flow again. It seems there is some kind of timing issue. It's as if when the SEP service starts and starts the location awareness process, there is no network connectivity and it cannot talk to the management server, hence it uses the "Outside" location, and blocks traffic.

    We are on version 11.0.5002.333 and using XP clients.

    I have played around with other criteria. What seems to work is if I use IP range. So it seems IP is assigned to laptop before SEP does its location awareness check.
    Has anyone else had this issue?

    This is the summary of my location criteria testing:

    OFFICE (Default)    OUTSIDE            Result Location
    -------------------------------------------------------
    no condition        no condition       Office
    no condition        NO mgt server      Outside
    YES mgt server      no condition       Outside
    YES mgt server      NO mgt server      Outside
    YES mgt server      NOT in IP range    Office
    IN IP range         no condition       Office
    IN IP range         NOT in IP range    Office
    IN IP range         NO mgt server      Office


    Thanks, DM.



  • 2.  RE: SEP Location Awareness issue on bootup (blocking network)

    Posted Aug 08, 2010 10:03 PM
    You could add the SEPM manager to the allowed list of the firewall policy for the 'Outside' location.
    Specify the IP address or hostname and the port open and used by the management port.


  • 3.  RE: SEP Location Awareness issue on bootup (blocking network)

    Posted Aug 09, 2010 07:08 AM
    Check this Location Awareness video. It would definitely help.

    https://www-secure.symantec.com/connect/videos/location-awareness




  • 4.  RE: SEP Location Awareness issue on bootup (blocking network)
    Best Answer

    Posted Aug 10, 2010 10:06 PM
    Ok, this is resolved now.
    There were a few issues with our setup.
    Firstly, with the firewall policy... it was modified to a point where it was basically blocking most of the traffic at bootup. Hence, SEP would always put the machine into OUTSIDE location.
    To get around this, we could have tried to figure out all the ports that needed to be opened so that machines boot up and talk to the required DCs and network properly.
    Alternatively, instead of checking for the management point as the location criteria, we can do a local check, such as IP range or DNS server check.

    DM