Here is a question for all of you who are deploying the Network Threat Protection component of SEP 11 with Location Based Policies.
We have the corporate desktops that are pretty static, but then there is the laptop community.
So what kind of firewall ruleset or policy do you use for your hundreds or thousands of laptops when they are not on the managed network?
I'm looking for ideas.
The optimal will provide the greatest amount of protection with the fewest number of support calls to the helpdesk. (Yes, I know this could be quite a compromise.)
Do you show the mobile user anything?
Do you give them any sort of control? (Manual override when they are on the dark side of the moon.)
Regulations require that the firewall is installed, active, and that end users can't change the settings. (Sound familiar?)
But once they leave the managed network, if there are issues, who knows where they will be and what kind of connection they will have (if they have one)?
Do you allow all initiated from the laptop out, but nothing initiated from the outside in (rely on state)? And then hope IPS, AV and AS do the rest?
Maybe some combination that blocks the Microsoft ports going out and allows VPN?
Do you "ASK", and then face the support calls when the less savvy users don't know what the pop-up is or means?
How do you deal with the user at a home office with split tunneling?
There are all kinds of usage scenarios. What about wireless?
OK so I'm getting a little ahead of myself.
Let's start with a good base policy for a laptop that is now out on an unmanaged network (home, hotel, airport...).
And certainly, if you have a pointer or reference that can help fast-track this process, please post it.
Thank you!!!!
toko