
SEP's network location awareness query

Created: 14 May 2013 • Updated: 14 May 2013 | 11 comments

 

We're about to migrate to SEP12 from SEP11 and one of my tasks is to research location awareness and see how it can help us.

At first, I thought location awareness is:

If a condition is met, the client will switch to another location. Like, if Computer-A (originally from Location A) changed to an IP address of Location-B, it will jump to Location B.

However, it seems that it doesn't work that way.

Can anyone confirm this?


.Brian

Yes, that is one condition you can set up for it. See these KBAs for further detail

More about Location Awareness in Symantec Endpoint Protection (SEP)

Article:TECH97369  |  Created: 2009-01-11  |  Updated: 2013-01-21  |  Article URL http://www.symantec.com/docs/TECH97369

 

Best Practices for Symantec Endpoint Protection Location Awareness

Article:TECH98211  |  Created: 2009-01-20  |  Updated: 2012-06-07  |  Article URL http://www.symantec.com/docs/TECH98211

 

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

W007

Hello,

You can check the location awareness examples here:

http://www.symantec.com/business/support/index?pag...

Check this discussion for more examples of location awareness:

https://www-secure.symantec.com/connect/forums/sep-location-awareness-examples

 

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Pzycho010

Thanks Brian and Manish. I'm trying to follow the 2 KBs but I don't think I'm getting it right. Maybe you can help with some details.

I created the following test location so it won't interfere with my default group:

My Default Group

             TestLocMain

                        Loc1

                        Loc2

TestLocMain, Loc1 and Loc2 have location awareness enabled and parent inheritance is disabled. I want to create a condition so that with IP range 10.10.10.5 to 10.10.10.15, client1 from TestLocMain will go to Loc1.

Should I place the condition on Loc1? I tried it but client1 is still in TestLocMain after 3 restarts.

Or should I place it at TestLocMain? If so, how can I direct it to switch to Loc1?

.Brian

You need to enable inheritance for both Loc1 and Loc2 so they can inherit from TestLocMain.

You need to break inheritance on TestLocMain so it is not inheriting from any other group.

Then you can Add Location for both Loc1 and Loc2, giving each the IP range you want to use.

[Image: untitled_16.JPG]

 

Then repeat for Loc2


SMLatCST

From the way you describe it, it actually sounds like you've created 3 groups rather than one group with two locations within it.  Is that the case?  Do you see three folders (named TestLocMain, Loc1 and Loc2) within your SEPM?

If this is the case, then the next steps would be to delete the Loc1 and Loc2 groups.  Highlight the TestLocMain group, click on the Policies Tab on the right hand pane, then under the group tree structure click on the option to "Manage Locations".

It is in this "Manage Locations" window that you want to create the Loc1 and Loc2 locations.  Adding conditions and changing the priorities as you see fit.

When this is complete and you hit OK, then the Policies tab for this group will display the various locations you just created, and the policies assigned to them.

The client machines should be placed in the TestLocMain group, and should then download information about the Loc1 and Loc2 locations within this group.

Hope this helps

Pzycho010

Brian, your illustration is perfect. That's what I wanted to do.

SMLatCST - Your assumption is correct, I created a group TestLocMain and subgroups Loc1 and Loc2. I see your point. So I created 2 locations under TestLocMain instead, just like what Brian showed.

I have 2 follow-up questions to that:

1. Let's say Client1 meets the condition of Loc1. How would I know if Client1 went to Loc1? In SEPM or on Client1?

2. Does Client1 need to restart for the switching to take effect, or does it happen on the next heartbeat?

.Brian

1. You can do either one. On the SEP client go to Help >> Troubleshooting. Look under Location; it will show what location it is in.

On SEPM go to Monitors >> Logs. Set log type to System, set log content to Client Activity.

 

2. No, it will switch automatically once it gets the new policy.


SMLatCST

My two pence worth :)

  1. You can view this by opening the client and going to Help -> Troubleshooting.  There's also log info in the client's System Log and the option to enable a systray notification on location change from the SEPM (in the "Manage Locations" window you saw before, right at the bottom)
  2. By default, a client will check its location against the location criteria every 4 seconds, and does not require a reboot to switch

Pzycho010

Thanks Brian and SMLatCST. You've been very helpful. I have other questions but I guess I'll just log a separate discussion for them.

.Brian

Sounds good. Please don't forget to mark the post that helped the most as Solved.


AjinBabu

Hi,

When the Symantec Endpoint Protection Manager is initially installed, only one location, called Default, exists. At that time, every group's default location is Default. Every group must have a default location. When you create a new group, the Symantec Endpoint Protection Manager console automatically makes its default location Default.

You can specify another location to be the default location for a group after you add other locations. You may prefer to designate a location like Home or Road as the default location.

A group's default location is used if one of the following cases occurs:

·         One of the multiple locations meets location criteria and the last location does not meet location criteria.

·         You use location awareness and no locations meet the criteria.

·         The location is renamed or changed in the policy. The client reverts to the default location when it receives the new policy.

To change a default location

1.    In the console, click Clients.

2.    On the Clients page, under Clients, click the group to which you want to assign a different default location.

3.    On the Policies tab, uncheck Inherit policies and settings from parent group "group name".

4.    Under Tasks, click Manage Locations.

5.    In the Manage Locations dialog box, under Locations, select the location that you want to be the default location.

6.    Under Description, check Set this location as the default location in case of conflict.

The Default location is always the default location until you assign another one to the group.

7.    Click OK.

Manage Locations

You can manage the locations and network connection types client computers can use to connect to the internal network. To manage these, use the following location-specific settings in the Manage Locations dialog box.

Table: Manage Locations

Field: Description

Locations: Contains a list of locations that have been added for a group. You can:

· Click Add to add more locations.

· Click Delete to delete the selected location.

· Click Move Up or Move Down to change the order of the locations. The client checks the locations in the list in order. It selects one that is valid for the client's location and that has a policy with the security settings appropriate for that location.

Location name: The name of new location.

Description: The description of the new location.

Enable this location: When this option is checked, it causes the location to be immediately enabled.

Set this location as the default location in case of conflict: When this option is checked, it makes this location the default location.

Switch to this location when: Contains a list of conditions that must be met before the client can switch to another location. You can:

· Click Add to add more conditions.

· Click Edit to modify a selected condition in the list.

· Click Delete to remove a selected condition in the list.

· Click Move Up or Move Down to change the order of conditions. The client checks the conditions in the list until it finds one that meets the criteria for switching to a new location.

DNS Query Loop in: When this option is checked and the number of seconds specified, queries the DNS server at the specified interval.

ICMP Request Loop in: When this option is checked and the number of seconds specified, checks for ICMP ping requests at the specified interval.

The location will be checked every: The time interval after which the location is checked.

Enable location change notification: When this option is checked, it enables an email notification when a location change occurs.

Notification message: Type any additional text for the email notification.

Note:

The last three options appear if you click Manage Locations under Tasks on the Policies tab of the Clients page.

Regards

Ajin
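
A simplified model of the selection behaviour described in this thread (locations checked in list order, with the group's default location used when no criteria match), added here as an example for pre-checking a location design; it is not Symantec's code. The Loc2 range, the `Location` class and the helper names are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

ip = ipaddress.ip_address

@dataclass
class Location:
    name: str
    ip_ranges: list = field(default_factory=list)  # inclusive (first, last) pairs
    enabled: bool = True
    is_default: bool = False

    def matches(self, client_ip):
        # True if the client address falls inside any configured range.
        return any(ip(lo) <= ip(client_ip) <= ip(hi) for lo, hi in self.ip_ranges)

def resolve_location(locations, client_ip):
    """First enabled location (in list order) whose range matches; else the default."""
    defaults = [loc for loc in locations if loc.is_default]
    if len(defaults) != 1:
        raise ValueError("group needs exactly one default location")
    for loc in locations:
        if loc.enabled and loc.matches(client_ip):
            return loc.name
    return defaults[0].name

def overlapping_pairs(locations):
    """Pairs of locations with overlapping ranges, where list order decides the winner."""
    pairs = []
    for i, a in enumerate(locations):
        for b in locations[i + 1:]:
            if any(ip(lo1) <= ip(hi2) and ip(lo2) <= ip(hi1)
                   for lo1, hi1 in a.ip_ranges for lo2, hi2 in b.ip_ranges):
                pairs.append((a.name, b.name))
    return pairs

# Constructed sample: locations of the TestLocMain group from the thread.
# The Loc1 range is the one quoted above; the Loc2 range is assumed.
GROUP = [
    Location("Loc1", [("10.10.10.5", "10.10.10.15")]),
    Location("Loc2", [("10.10.20.5", "10.10.20.15")]),
    Location("Default", is_default=True),
]

if __name__ == "__main__":
    for addr in ("10.10.10.7", "10.10.20.5", "10.10.10.16"):
        print(addr, "->", resolve_location(GROUP, addr))
    print("overlaps:", overlapping_pairs(GROUP))
```

A non-empty result from `overlapping_pairs` means a client in the shared range lands in whichever location is higher in the list, which is worth checking before assigning a weaker policy to one of them.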