Endpoint Protection

  • 1.  Location Awareness .. just can't get it working

    Posted Jun 26, 2014 09:08 PM

    Hello,

    We have two sites, linked via a site-to-site VPN.

    Each site has its own SEPM Server, and replication between these servers is operating. Both servers are on version 12.1.4104.4130.

    I've read all the tech notes, forum posts and instructions I can find, but I can't seem to get Location Awareness to work for me.
    We have client PCs that move between the two sites. I'd like clients that log in at SiteA to switch to the Group called SiteAGroup, and clients that log in at SiteB to switch to the Group called SiteBGroup.

    This is how I have it set up:

    - My Company
        |
        |-- Default Group
        |-- SiteAGroup
        |-- SiteBGroup

        
    I have disabled inheritance being passed on from "My Company" to the last 2 groups shown above.

    I have added a location called "SiteA" to SiteAGroup. I have added one entry here - to switch to this location if Gateway address matches 10.1.0.254.
    I have added a location called "SiteB" to SiteBGroup. I have added one entry here - to switch to this location if Gateway address matches 10.0.0.254.

    Now, say if a managed SEP client is in SiteAGroup, and its default gateway is 10.0.0.254, it isn't switching over to SiteBGroup.

    Obviously I'm either misunderstanding how it works, misconfiguring something, or I am missing some steps.

    Can someone please help me with getting this working? Would be greatly appreciated.

    Nev

     



  • 2.  RE: Location Awareness .. just can't get it working
    Best Answer

    Posted Jun 26, 2014 09:12 PM

    The client isn't going to switch to the other group, it will switch locations only. Basically, using location awareness allows you to assign different policies for different locations. For example you can have one group, say GroupB, and within GroupB are two locations, one for on network and the other for off network. You can assign a different policy for each location if you choose.

    Using location awareness with groups

    Setting up Scenario Two location awareness conditions



  • 3.  RE: Location Awareness .. just can't get it working

    Posted Jun 26, 2014 10:12 PM

    Ahh, thanks for leading me in the right direction..!

    So within the same group you can apply different policies based on these locations.

    So, in that case, the concept I'm trying to get my head around .. if you can apply different policies within the same group, then why even have groups? I thought groups were what was meant to be used to delineate policies?



  • 4.  RE: Location Awareness .. just can't get it working

    Posted Jun 26, 2014 10:28 PM

    You can apply a different policy for each location within the same group. Each group can have multiple locations (no more than 7 per Symantec best practice).

    The easiest way to do it is you have your group:

    GroupA

    within GroupA you have two different locations: Off Network and On Network

    Now you can apply a separate policy for each if you wish.

    Maybe for On Network you want to apply a less strict firewall policy when those clients are connected to your internal network while when they go off network you want to apply a more strict firewall policy.

    Same goes for any of the other policies.

    Basically, it's just a good way to apply different policies for each location based on certain conditions.



  • 5.  RE: Location Awareness .. just can't get it working

    Posted Jun 27, 2014 01:26 AM

    Brian,

    Thanks for your help .. I was able to get location awareness working properly. Maybe it is my fault, but the guides etc. didn't seem to make clear that location awareness operates within a single group.

    After properly implementing the locations, I initially couldn't point each location to separate Management Server Lists. Whenever I would make the change, even under "Location Specific Settings", it would change it in all locations. After reading the excellent post linked below, I found the trick was, under each Location Specific Settings section, click on "Tasks" that is alongside "Communications Settings", and untick "use Group Communications Settings".

    https://www-secure.symantec.com/connect/articles/location-awareness-using-multiple-management-server-lists

    The only annoyance now is that there is no quick and simple way to see within the console which Location a PC is currently assigned to. The only way I have found is to view the Client Activity Log, which displays all location changes. Not ideal, but OK.

    Main thing is, I'm glad to get loc. awareness working.

    Thanks again!