We use locations to change our firewall policy depending on whether you are on our corporate network, off it, off it but connected via VPN, etc.
We started by configuring it like this: if you can detect the Management Server, you're on the corporate network. If you can't, you're off it. That worked great - except - people seemed to change locations a lot when they shouldn't have. Even though our management server was up, for some reason a user would briefly be unable to reach it and then they would be in the "off the network" location for a little while. Plus, Symantec support tells us that a computer will only know if it can reach the management server once for every heartbeat - so if you have an infrequent heartbeat, the computer could remain in the wrong location for quite a while. Symantec support suggested we not rely on the management server, but check for our DNS servers instead. The problem is that doesn't really confirm that you are on OUR network. Another network could very well use the same IP for a DNS server. (And it would be super-easy to spoof if one wanted to.)
So, we are now looking for a better way to tell that you are on a specific network. Any recommendations? How are you addressing this?
TIA - Paul