Endpoint Protection


SEP's network location awareness query

  • 1.  SEP's network location awareness query

    Posted May 14, 2013 07:47 AM

     

    We're about to migrate to SEP12 from SEP11 and one of my tasks is to research location awareness and see how it can help us.

    At first, I thought location awareness is:

    If a condition is met, the client will switch to another location. Like, if Computer-A (originally from Location A) changed to an IP address of Location-B, it will jump to Location B.

    However, it seems that it doesn't work that way.

    Can anyone confirm this?



  • 2.  RE: SEP's network location awareness query

    Posted May 14, 2013 07:49 AM

    Yes, that is one condition you can set up for it. See these KBAs for further detail:

    More about Location Awareness in Symantec Endpoint Protection (SEP)

    Article:TECH97369  |  Created: 2009-01-11  |  Updated: 2013-01-21  |  Article URL http://www.symantec.com/docs/TECH97369

     

    Best Practices for Symantec Endpoint Protection Location Awareness

    Article:TECH98211  |  Created: 2009-01-20  |  Updated: 2012-06-07  |  Article URL http://www.symantec.com/docs/TECH98211

     



  • 3.  RE: SEP's network location awareness query

    Posted May 14, 2013 07:59 AM

    Hello,

    You can check the location awareness examples here:

    http://www.symantec.com/business/support/index?pag...

    Check this discussion for more examples of location awareness:

    https://www-secure.symantec.com/connect/forums/sep-location-awareness-examples



  • 4.  RE: SEP's network location awareness query

    Posted May 14, 2013 08:57 AM

     

    Thanks Brian and Manish. I'm trying to follow the 2 KBs but I don't think I'm getting it right. Maybe you can help with some details.

     

    I created the following test location so it won't interfere with my default group:

    My Default Group

                 TestLocMain

                            Loc1

                            Loc2

    TestLocMain, Loc1 and Loc2 have location awareness enabled and parent inheritance is disabled. I want to create a condition so that with IP range 10.10.10.5 to 10.10.10.15, client1 from TestLocMain will go to Loc1.

     

    Should I place the condition on Loc1? I tried it, but client1 is still in TestLocMain after 3 restarts.

    Or should I place it at TestLocMain? If so, how can I direct it to switch to Loc1?



  • 5.  RE: SEP's network location awareness query

    Posted May 14, 2013 09:10 AM

    You need to enable inheritance for both Loc1 and Loc2 so they can inherit from TestLocMain.

    You need to break inheritance on TestLocMain so it is not inheriting from any other group.

    Then you can Add Location for both Loc1 and Loc2, giving each the IP range you want to use.


     

    Then repeat for Loc2



  • 6.  RE: SEP's network location awareness query

    Posted May 14, 2013 09:41 AM

    From the way you describe it, it actually sounds like you've created 3 groups rather than one group with two locations within it.  Is that the case?  Do you see three folders (named TestLocMain, Loc1 and Loc2) within your SEPM?

    If this is the case, then the next steps would be to delete the Loc1 and Loc2 groups.  Highlight the TestLocMain group, click on the Policies Tab on the right hand pane, then under the group tree structure click on the option to "Manage Locations".

    It is in this "Manage Locations" window that you want to create the Loc1 and Loc2 locations.  Adding conditions and changing the priorities as you see fit.

    When this is complete and you hit OK, then the Policies tab for this group will display the various locations you just created, and the policies assigned to them.

    The client machines should be placed in the TestLocMain group, and should then download information about the Loc1 and Loc2 locations within this group.

    Hope this helps



  • 7.  RE: SEP's network location awareness query

    Posted May 14, 2013 10:19 AM

    Brian, your illustration is perfect. That's what I wanted to do. 

    SMLatCST -  Your assumption is correct, I created a group TestLocMain and subgroups Loc1 and Loc2. I see your point. So I created 2 locations under TestLocMain instead, just like what Brian showed.

    I have 2 follow-up questions to that:

    1. Let's say Client1 meets the condition of Loc1. How would I know if Client1 went to Loc1? In SEPM or on Client1?

    2. Does Client1 need to restart for the switching to take effect, or does it happen on the next heartbeat?



  • 8.  RE: SEP's network location awareness query

    Posted May 14, 2013 10:24 AM

    1. You can check either one. On the SEP client, go to Help >> Troubleshooting. Look under Location; it will show what location it is in.

    On SEPM, go to Monitors >> Logs. Set log type to System, and set log content to Client Activity.

     

    2. No, it will switch automatically once it gets the new policy.



  • 9.  RE: SEP's network location awareness query

    Posted May 14, 2013 10:27 AM

    My two pence worth:

    1. You can view this by opening the client and going to Help -> Troubleshooting.  There's also log info in the Client's System Log and the option to enable a systray notification on location change from the SEPM (in the "Manage Locations" window you saw before, right at the bottom).
    2. By default, a client will check its location against the location criteria every 4 seconds, and does not require a reboot to switch.


  • 10.  RE: SEP's network location awareness query

    Posted May 15, 2013 07:03 AM

    Thanks Brian and SMLaTCST. You've been very helpful. I have other questions but I guess I'll just log a separate discussion for them. 



  • 11.  RE: SEP's network location awareness query

    Posted May 15, 2013 12:34 PM

    Sounds good. Please don't forget to mark the post that helped the most as Solved.



  • 12.  RE: SEP's network location awareness query

    Posted Jun 07, 2013 06:38 AM

    Hi,

    When the Symantec Endpoint Protection Manager is initially installed, only one location, called Default, exists. At that time, every group's default location is Default. Every group must have a default location. When you create a new group, the Symantec Endpoint Protection Manager console automatically makes its default location Default.

    You can specify another location to be the default location for a group after you add other locations. You may prefer to designate a location like Home or Road as the default location.

    A group's default location is used if one of the following cases occurs:

    ·         One of the multiple locations meets location criteria and the last location does not meet location criteria.

    ·         You use location awareness and no locations meet the criteria.

    ·         The location is renamed or changed in the policy. The client reverts to the default location when it receives the new policy.

    To change a default location

    1.    In the console, click Clients.

    2.    On the Clients page, under Clients, click the group to which you want to assign a different default location.

    3.    On the Policies tab, uncheck Inherit policies and settings from parent group "group name".

    4.    Under Tasks, click Manage Locations.

    5.    In the Manage Locations dialog box, under Locations, select the location that you want to be the default location.

    6.    Under Description, check Set this location as the default location in case of conflict.

    The Default location is always the default location until you assign another one to the group.

    7.    Click OK.

    Manage Locations

    You can manage the locations and network connection types client computers can use to connect to the internal network. To manage these, use the following location-specific settings in the Manage Locations dialog box.

    Table: Manage Locations

    Field
        Description

    Locations
        Contains a list of locations that have been added for a group. You can:
        ·         Click Add to add more locations.
        ·         Click Delete to delete the selected location.
        ·         Click Move Up or Move Down to change the order of the locations. The client checks the locations in the list in order. It selects one that is valid for the client's location and that has a policy with the security settings appropriate for that location.

    Location name
        The name of new location.

    Description
        The description of the new location.

    Enable this location
        When this option is checked, it causes the location to be immediately enabled.

    Set this location as the default location in case of conflict
        When this option is checked, it makes this location the default location.

    Switch to this location when
        Contains a list of conditions that must be met before the client can switch to another location. You can:
        ·         Click Add to add more conditions.
        ·         Click Edit to modify a selected condition in the list.
        ·         Click Delete to remove a selected condition in the list.
        ·         Click Move Up or Move Down to change the order of conditions. The client checks the conditions in the list until it finds one that meets the criteria for switching to a new location.

    DNS Query Loop in
        When this option is checked and the number of seconds specified, queries the DNS server at the specified interval.

    ICMP Request Loop in
        When this option is checked and the number of seconds specified, checks for ICMP ping requests at the specified interval.

    The location will be checked every
        The time interval after which the location is checked.

    Enable location change notification
        When this option is checked, it enables an email notification when a location change occurs.

    Notification message
        Type any additional text for the email notification.

    Note:

    The last three options appear if you click Manage Locations under Tasks on the Policies tab of the Clients page.

    Regards

    Ajin
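
The ordered location check and default fallback described in this thread can be modelled as below. This is an added example, not Symantec code and not part of any post: it is a simplified model that covers only the IP-range condition, and the `Location` class, both function names and the Loc2 range are assumptions made for illustration. It also flags overlapping ranges, where list order silently decides which location's policy a client receives.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Location:
    name: str
    ip_ranges: list = field(default_factory=list)  # [(first_ip, last_ip), ...]
    enabled: bool = True
    is_default: bool = False

    def parsed(self):
        return [(ipaddress.ip_address(a), ipaddress.ip_address(b))
                for a, b in self.ip_ranges]

    def matches(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        return any(lo <= ip <= hi for lo, hi in self.parsed())

def select_location(locations, client_ip):
    """First enabled location, in list order, whose range matches; else the default."""
    defaults = [loc for loc in locations if loc.is_default]
    if len(defaults) != 1:
        raise ValueError("exactly one default location is required")
    for loc in locations:
        if loc.enabled and loc.matches(client_ip):
            return loc.name
    return defaults[0].name

def shadowed_ranges(locations):
    """Ranges where a later location never wins because an earlier one also matches."""
    hits = []
    for i, first in enumerate(locations):
        for later in locations[i + 1:]:
            for lo1, hi1 in first.parsed():
                for lo2, hi2 in later.parsed():
                    lo, hi = max(lo1, lo2), min(hi1, hi2)
                    if lo <= hi:
                        hits.append((first.name, later.name, str(lo), str(hi)))
    return hits

# Constructed sample group: the Loc1 range is the one from the thread,
# the Loc2 range is invented here to show an overlap.
GROUP = [
    Location("Loc1", [("10.10.10.5", "10.10.10.15")]),
    Location("Loc2", [("10.10.10.10", "10.10.10.40")]),
    Location("Default", is_default=True),
]

if __name__ == "__main__":
    for ip in ("10.10.10.12", "10.10.10.30", "192.168.1.20"):
        print(ip, "->", select_location(GROUP, ip))
    print(shadowed_ranges(GROUP))
```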