Granting or blocking access to remote Symantec Endpoint Protection Manager consoles

By default, all consoles are granted access. Administrators can log on to the main console locally or remotely from any computer on the network.
You can secure a management console from remote connections by denying access to certain computers.
You may want to grant or deny access from the following types of users or computers:
  • You should deny access to anyone on the Internet. Otherwise, the console is exposed to Internet attacks.
  • You should deny access to limited administrators who use consoles on a different network than the network they manage.
  • You should grant access to system administrators and IT administrators.
  • You should grant access to lab computers, such as a computer that is used for testing.
In addition to globally granting or denying access, you can specify exceptions by IP address. If you grant access to all remote consoles, the management server denies access to the exceptions. Conversely, if you deny access to all remote consoles, you automatically grant access to the exceptions. When you create an exception, the computer that you specified must have a static IP address. You can also create an exception for a group of computers by specifying a subnet mask. For example, you may want to grant access in all areas that you manage. However, you may want to deny access to a console that is located in a public area.
To grant or deny access to a remote console
  1. In the console, click Admin, and then click Servers.
  2. Under Servers, select the server for which you want to change the remote console access permission.
  3. Under Tasks, click Edit the server properties.
  4. On the General tab, click Granted Access or Denied Access.
  5. If you want to specify IP addresses of the computers that are exempt from this console access permission, click Add.
     Computers that you add become exceptions. If you click Granted Access, the computers that you specify are denied access. If you click Denied Access, the computers that you specify are granted access. You can create an exception for a single computer or a group of computers.
  6. In the Deny Console Access dialog box, click one of the following options:
     • Single Computer
       For one computer, type the IP address.
     • Group of Computers
       For several computers, type both the IP address and the subnet mask for the group.
  7. Click OK.
     The computers now appear in the exceptions list. For each IP address and mask, its permission status appears.
     If you change Granted Access to Denied Access or vice versa, all exceptions change as well. If you have created exceptions to deny access, they now have access.
  8. Click Edit All to change the IP addresses or host names of those computers that appear on the exceptions list.
     The IP Address Editor appears. The IP Address Editor is a text editor that lets you edit IP addresses and subnet masks.
  9. Click OK.
  10. When you finish adding exceptions to the list or editing the list, click OK.
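The exception rule from the overview and the procedure (a listed computer receives the opposite of the server-wide setting, so switching the setting flips every exception) can be checked on paper before the list is saved. The following Python model is an added example, not Symantec code; the function names, the sample addresses, the IPv4-only handling and the RFC 1918 test used as a stand-in for "not on the Internet" are all assumptions.

```python
import ipaddress

# Assumption: managed networks use RFC 1918 space; anything else is treated as Internet-facing.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _network(address, mask=None):
    # "Single Computer" entries have no mask (IPv4 /32); "Group of Computers" entries carry one.
    return ipaddress.ip_network(f"{address}/{mask or 32}", strict=False)

def console_access(ip, default, exceptions):
    """Exceptions receive the opposite of the server-wide setting ('granted' or 'denied')."""
    if default not in ("granted", "denied"):
        raise ValueError("default must be 'granted' or 'denied'")
    addr = ipaddress.ip_address(ip)
    if any(addr in _network(a, m) for a, m in exceptions):
        return "denied" if default == "granted" else "granted"
    return default

def review(default, exceptions):
    """List findings to check before saving the server properties."""
    findings = []
    if default == "granted":
        findings.append("every address not listed is granted, including Internet hosts")
    else:
        for a, m in exceptions:
            net = _network(a, m)
            if not any(net.subnet_of(r) for r in RFC1918):
                findings.append(f"{net} is granted access but lies outside RFC 1918 space")
    return findings

# Constructed sample entries (not from the page).
ADMIN_SUBNET = [("10.20.30.0", "255.255.255.0")]   # group of computers
KIOSK = [("10.20.40.15", None)]                     # single computer in a public area

if __name__ == "__main__":
    for default in ("granted", "denied"):
        # Same list, both settings: switching the setting flips every exception.
        print(default, "kiosk ->", console_access("10.20.40.15", default, KIOSK))
    print(review("denied", [("198.51.100.0", "255.255.255.0")]))
```

Running the same exception list under both settings shows the effect of the flip described in the procedure: a kiosk that was listed to deny it access becomes the only computer with access once the server is switched to Denied Access.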