Endpoint Protection


Which Firewall to use

  • 1.  Which Firewall to use

    Posted Oct 14, 2009 08:06 AM
    New server with 2008 Std SP2 as a domain installed. 2 x NIC, one for local LAN and one for internet
    Firewall On
    all clients access internet no problem

    then

    Installed SEP 11 .05 MC  and client with firewall no problem
    SEP switched off 2008 firewall

    clients all access internet

    Turn 2008 firewall on all clients access blocked
    Switched off 2008 firewall clients still blocked

    Rebooted server clients access internet again.

    with this in mind my question is what is the best practice here? MSoft  SEP as firewall.
    keeping in mind that I need to block / control web sites that clients can go to.
    block USB and CDR/DVDR writing

    at this point I am leaning towards SEP  to control this.
    Advice welcome


  • 2.  RE: Which Firewall to use

    Posted Oct 14, 2009 08:11 AM

    Use only SEP firewall

    For configuring website control refer below doc..

    How to block all website and allow only certain websites using Network Threat Protection Firewall rule.

    http://service1.symantec.com/support/ent-security.nsf/docid/2009072816443448?Open&seg=ent

     


  • 3.  RE: Which Firewall to use

    Posted Oct 14, 2009 08:13 AM
    Run SEP all the way, kill the Windoze firewall.
    SEP's firewall is much more configurable, keeps good logs, and you can control device access as fine or coarse as you wish.
    I run full SEP on everything. Of course, on servers, the proactive threat protection doesn't run (unless that's been changed) but all else works great, including the firewall.


  • 4.  RE: Which Firewall to use

    Posted Oct 14, 2009 08:15 AM

    For more about firewall policies refer the following doc

    Symantec Endpoint Protection Manager - Firewall - Policies explained

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008032011023248

     


  • 5.  RE: Which Firewall to use

    Posted Oct 14, 2009 08:21 AM
    I agree with ShadowPapa, SEP firewall is far better than the Windows Firewall.
    SEP firewall can be easily configured and administered for mass.

    A few days back my personal computer was infected by malware, and the most interesting thing I noticed was that it automatically created an exclusion for itself in Windows Firewall. I can assure you that at least threats can't play that much with SEP firewall.


  • 6.  RE: Which Firewall to use

    Posted Oct 14, 2009 08:34 AM
    Wow, Vikram, that's a scary thought. Self-excluding threats. No problem, we get in, kill the alarm system, knock out the guards and party all night.
    (forgetting about the SEP doberman lurking down the hall)


  • 7.  RE: Which Firewall to use

    Posted Oct 14, 2009 08:47 AM
    find 2008 FW a bit clumsy and too much to configure. what with domain, private and public FW one can get a bit lost and not see the wood because of all the leaves.
    fine if you want to control internet access but then have to double with group policies for the other controls.

    noted proactive threat did not install on server X64 version so guess that SEP "saw" this and left it out but did on clients X32

    will be back if I hit hassles


  • 8.  RE: Which Firewall to use

    Posted Oct 14, 2009 08:56 AM

    PTP will not work with server os and 64 bit os

    ref: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007091713544248

     


  • 9.  RE: Which Firewall to use

    Posted Oct 14, 2009 09:01 AM
    SEP firewall gives more flexibility than Windows firewall.


  • 10.  RE: Which Firewall to use

    Posted Oct 15, 2009 12:06 PM

    Created a new group.
    Put test users in
    All ok

    Modified firewall to block all sites and to allow just *.intel.com

    at client clicked to update policy and now lost communication with management server.

    Followed instructions as per KB but not making much sense.
    Client key matches MC
    MC shows my test icon user with green dot
    client has red dot
    Proactive threat con is error , waiting for updates
    network threat now missing off client
    What gives

    followed instructions from
    http://service1.symantec.com/support/ent-security.nsf/docid/2009072816443448?Open&seg=ent

    client can browse everything !!!
     



  • 11.  RE: Which Firewall to use

    Posted Oct 15, 2009 12:25 PM
     in the exception also try adding servername:8014/*

    Disable network threat protection on the client then update the policy.



  • 12.  RE: Which Firewall to use

    Posted Oct 16, 2009 01:11 AM
    Vikram

    Thought of that and added as DNShost "servername" and specified the IP as well.

    The fact that FW is missing off client assumes that policy should be able to update ?

    on client side the help/ troubleshooting reports all OK w.r.t management server / group etc

    Is there a way to export from the SEPM and import? However clicking on the client import policy reports cannot import as client is part of management system.

    another point to note is there are no logs on client side or error messages saying there is a problem updating a policy.

    And I have not even had time to start implementing other policies to stop USB and CD writing as yet.

    Thinking now of uninstalling client then to re-install back into my test group and see if the policy is picked up.
    Thoughts on this ?


  • 13.  RE: Which Firewall to use

    Posted Oct 16, 2009 01:18 AM

    Go to Add/Remove Programs. Select SEP and click on Change… It will open a wizard. Here you can remove NTP and try whether it is possible to get the new policy….

     


  • 14.  RE: Which Firewall to use

    Posted Oct 17, 2009 07:12 AM
    Still no firewall !!

    Set up another test machine.
    Pushed standard setting to it... No firewall on client

    checked rules in default firewall policy on SEPM and see that my 2 entries are there.
    Rule 1 at top allow *.symantec.com and others etc
    Rule 2 next block all
    Rule 3 down as per defaults

    checked a few other clients, firewall option missing off all of the clients now and cannot get it back.

    not impressed, maybe should have stuck with MS firewall after all.
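
Added example, not part of the thread and not Symantec code: a small first-match rule evaluator run over the rule order listed in the post above, together with the `servername:8014` exception suggested in post 11. It assumes rules are evaluated top-down with the first match deciding; the rule names and the stand-in for "defaults" are constructed.

```python
from fnmatch import fnmatch
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    name: str
    action: str                   # "allow" or "block"
    host: str = "*"               # glob matched against the destination host
    port: Optional[int] = None    # None matches any port

    def matches(self, host: str, port: int) -> bool:
        return fnmatch(host.lower(), self.host.lower()) and self.port in (None, port)


def decide(rules, host, port, default="allow"):
    """Return (action, rule name) of the first rule that matches."""
    for rule in rules:
        if rule.matches(host, port):
            return rule.action, rule.name
    return default, "<no rule matched>"


def shadowed(rules):
    """Names of rules placed below a match-everything rule (never reached)."""
    for i, rule in enumerate(rules):
        if rule.host == "*" and rule.port is None:
            return [r.name for r in rules[i + 1:]]
    return []


# Constructed rule base in the order listed in post 14.
MGMT = "servername"   # placeholder the thread uses for the management server
AS_POSTED = [
    Rule("1 allow vendor sites", "allow", "*.symantec.com"),
    Rule("2 block all", "block"),
    Rule("3 defaults (stand-in)", "allow", MGMT, 8014),
]
# Same rules with the management exception moved above the block-all rule.
REORDERED = [AS_POSTED[0], AS_POSTED[2], AS_POSTED[1]]

if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        print(label, decide(rules, MGMT, 8014), "shadowed:", shadowed(rules))
```

Under this model every rule below a block-all entry is dead, so any allow that must survive (such as management traffic on port 8014) has to sit above it.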




  • 15.  RE: Which Firewall to use

    Posted Oct 17, 2009 12:59 PM
    If you have re-installed SEP, then you need to reboot to get the NTP enabled (shown in SEP GUI)

    to check if client is getting the policy update
    open SEP -View Logs - Client Management - System Log


  • 16.  RE: Which Firewall to use

    Posted Oct 17, 2009 09:10 PM
    You can Export the policy and then Import it.

    Export it from a working client and Import it


  • 17.  RE: Which Firewall to use

    Posted Oct 18, 2009 02:08 AM
    Rebooted client and server no change FWP still missing from clients, cannot get it back at all!

    Acretian, at this stage I have no clients working that has a FW policy showing.

    All my clients not my first TEST client has updated automatically and as stated above for some reason the policy I edited and assigned to my test group has been implemented over the whole company as default.
    This would be OK except that it is no FWP applied to the clients.

    Exported the FW policy from SEPM Client > which is XML file but client will only accept a DAT file.

    Now at a loss and not sure if I should remove SEPM >> Change all clients to unmanaged and start again.
    Just with 22 PC's a lot of work




  • 18.  RE: Which Firewall to use

    Posted Oct 18, 2009 07:38 PM
    U need to export it from a working client, that's the easy thing to do.
    Make one client work and then export the policy from it and import it on others



  • 19.  RE: Which Firewall to use

    Posted Oct 21, 2009 02:38 AM
    From server ran the deployment wizard, created a new group and pushed clients into the new group. As they had no firewall worked fine.


    I have 3 groups now

    1 All internet access etc basic install no mods inherit standard policies
    2 limited group stopping Facebook, Twitter and similar sites else access. (still not working)
    3 Severely limited group stops all internet access except dedicated company sites block USB etc (also not working)

    On site 2 + 3 not inheriting policies
    created 2 more firewall policies each assigned to respective groups but still not working.

    All clients no matter what group they are in can still access full internet.
    Where can I tell which FW policy the client is using ?

    but this ability to import and export defeats the purpose of security.

    Assuming they were what is to stop a user with full access, exporting his policy saving it to a mutual share on a server and for another user to import it ?