Endpoint Protection


SNAC confusion


  • 1.  SNAC confusion

    Posted Nov 11, 2011 03:50 PM

    Q’s for Symantec

    I have some confusion about what this product can do without the purchase of any Symantec appliances. I’ve read tons of guides and “how to’s” on this but…

     Overview-

    We already have SEP 11.06 as part of SYMC PROTECTION SUITE ENTERPRISE EDITION 3.0 (with full S/A added) running but want to add the SNAC functionality. Clients are mix of XP Pro and 64bit Win 7 and we have IAS and radius on WIN2003SRV

    We were planning on buying several Dell Power Connect 5448 switches to handle the 802.1x part

    Goals are

    • protect our LAN so that non-domain computers plugged into a jack anywhere on site are shunted to internet only use using a guest VLAN on the switch (non-corp network) by checking for Domain membership/creds via 802.1x in Dell switch
    • If meets 802.1x, then must pass the host integrity check for AV service pack or critical MS patches etc before granted access to corp network- otherwise get shunted off to the guest VLAN access with generic notification of “failure to meet requirements” rather than adding the complexity of a remediation server(s)

    1- can SNAC accomplish our goals without any additional appliances ?

    2- the list of supported switches is quite small- is there a way to verify if this would work with a specific Dell switch like the Dell Power Connect 5448 or 5548?

    3- I have installed and tested software based DHCP enforcer in a test domain and it works great, but I’m not sure if the LAN enforcer is an appliance or software. Which is it as the Symantec Glossary lists it as software but all the guides refer to an appliance?

    4- is the SNAC now included free of cost with our current SEP 11 and 12 which we will be getting?

    5- is there still such a thing called the Policy Manager, how can I tell if I have it installed and if not how does one install it?

    6- is there a redundant or failover setup? If the Symantec server is unavailable what happens to the client host integrity check process and will clients still have network access?

     

    Thanks for any light you can shine on this 



  • 2.  RE: SNAC confusion

    Posted Nov 11, 2011 05:36 PM

    I am not that well-versed with SNAC but my understanding is, the SNAC that is packaged with SPS is Starter Edition and does not support 802.1x. I'm hoping someone else with a lot more knowledge can chime in on this but that is my understanding.



  • 3.  RE: SNAC confusion

    Posted Nov 11, 2011 05:40 PM

    Correction, NAC SE (Self-Enforcement). Not Starter Edition like I said previously.



  • 4.  RE: SNAC confusion

    Posted Nov 11, 2011 05:44 PM

    This might help clear up some confusion. There is a matrix at the end that shows what you get with each variety of SNAC: http://eval.symantec.com/mktginfo/enterprise/fact_sheets/b-datasheet_network_access_control_se_12-2008_12836808-3.en-us.pdf 



  • 5.  RE: SNAC confusion

    Posted Nov 11, 2011 05:45 PM

    It's self enforcement only with SPS Enterprise Edition.

    What I'm not clear about is if you can use the self enforcement edition with MS NAP. If so you could leverage infrastructure based quarantine.



  • 6.  RE: SNAC confusion

    Posted Nov 11, 2011 08:27 PM
    This begs the question of what SPS really comes with because I can only find two SNAC products. I'm guessing this means there's only two SNAC SKUs so does SPS really come with starter edition? I don't see any SNAC product SKUs for self enforcement only.


  • 7.  RE: SNAC confusion

    Posted Nov 12, 2011 12:46 AM

    I believe that is correct, just two versions of SNAC and it is the Starter Edition that is bundled with SPS.



  • 8.  RE: SNAC confusion

    Posted Nov 14, 2011 02:09 PM

    I have similar questions.

    We have SYMC PROTECTION SUITE ENTERPRISE EDITION 4.0.

    I downloaded Symantec_Network_Access_Control_SE_12.1_Full_EN.exe from fileconnect and installed it over my existing SEPM 12.1 installation. I deployed one PC with the host integrity policy (SEP was already installed) and now the SEPM is complaining that I have one unlicensed Symantec Network Access Control client. I did not define any quarantine policy yet. I assumed that you shouldn't need to purchase any additional SNAC licenses when self enforcement is used.

    Q1: Do you need to purchase additional license for SNAC (self enforcement) for SEP 12.1 ?

    Q2: Do you also need to purchase additional SNAC licenses when you want to use MS NAP (NPS)  instead of LAN/DHCP enforcer ?

    Thanks.



  • 9.  RE: SNAC confusion

    Posted Nov 14, 2011 05:05 PM

    Q1 - sounds like the expected result when you install SEPM from the SNAC DVD. Since you are deploying SNAC it will complain of a license violation now. You will want to import or re-import the SPS EE 4.0 license file into the SEPM. The SEPM will break that license up into two components: one for SEP and the other for SNAC. Doing the license import will pull in the SNAC license.

    Q2 - I am not sure about the licensing of MS NAP. That might be something that is not covered in the Starter Edition.



  • 10.  RE: SNAC confusion

    Posted Nov 14, 2011 10:06 PM
    I know we are working through an issue with our SPS license. When imported it's recognized as being two separate licenses for SEP and SNAC but SNAC complains that the license is invalid.


  • 11.  RE: SNAC confusion

    Posted Nov 14, 2011 10:16 PM

    Were you able to install the SEPM using the SNAC Installer? That should do the trick for you. Installing the SPS license on SEPM installed from SEP DVD won't work as far as I know.



  • 12.  RE: SNAC confusion

    Posted Nov 15, 2011 11:45 AM

    Seems I am not the only one confused. It looks like I got Q #4 answered as I have SPS enterprise, plus I see SNAC available on the file connect downloads, and I'm not getting any licensing griping (but using 11 not 12).

    Anyone have any advice or comment on the other Q’s, especially #3?

    Thanks again 



  • 13.  RE: SNAC confusion

    Posted Nov 16, 2011 01:19 AM

    Thanks SolarisMeastro,

    Reimporting/reapplying license solved the SNAC licensing issue.



  • 14.  RE: SNAC confusion

    Posted Nov 21, 2011 04:55 PM

    We resolved our issue by upgrading to SEP 12.1 RU1 using the SNAC installer as suggested above. This allowed us to activate our license for SNAC.



  • 15.  RE: SNAC confusion

    Posted Nov 21, 2011 05:19 PM

    I am very glad to hear that this worked for you!