Managing locations for remote clients
You add locations after you set up the groups that you need to manage. Each group can have different locations if your security strategy requires it. In the
Symantec Endpoint Protection Managerconsole, you set up the conditions that trigger automatic policy switching based on location. Location awareness automatically applies the security policy that you specify to a client, based on the location conditions that the client meets.
Location conditions can be based on a number of different criteria. These criteria include IP addresses, type of network connection, whether the client computer can connect to the management server, and more. You can allow or block client connections based on the criteria that you specify.
A location applies to the group you created it for and to any subgroups that inherit from the group. A best practice is to create the locations that any client can use at the My Company group level. Then, create locations for a particular group at the subgroup level.
It is simpler to manage your security policies and settings if you create fewer groups and locations. The complexity of your network and its security requirements, however, may require more groups and locations. The number of different security settings, log-related settings, communications settings, and policies that you need determines how many groups and locations you create.
Some of the configuration options that you may want to customize for your remote clients are location-independent. These options are either inherited from the parent group or set independently. If you create a single group to contain all remote clients, then the location-independent settings are the same for the clients in the group.
The following settings are location-independent:
- Custom intrusion prevention signatures
- System Lockdown settings
- Network application monitoring settings
- LiveUpdate content policy settings
- Client log settings
- Client-server communications settings
- General security-related settings, including location awareness and Tamper Protection
To customize any of these location-independent settings, such as how client logs are handled, you need to create separate groups.
Some settings are specific to locations.
As a best practice, you should not allow users to turn off the following protections:
- Tamper Protection
- The firewall rules that you have created
You should consider the different types of security policies that you need in your environment to determine the locations that you should use. You can then determine the criteria to use to define each location. It is a best practice to plan groups and locations at the same time.
You may find the following examples helpful:
Enable location awareness
To control the policies that are assigned to clients contingent on the location from which the clients connect, you can enable location awareness.
You can add locations to groups.
Assign default locations
All groups must have a default location. When you install the console, there is only one location, called Default. When you create a new group, its default location is always Default. You can change the default location later after you add other locations.
The default location is used if one of the following cases occurs:
Configure communications settings for locations
You can also configure the communication settings between a management server and the client on a location basis.
See the article Best Practices for
Symantec Endpoint ProtectionLocation Awareness.