Setting the endpoint location
The endpoint location is used to define how Symantec Data Loss Prevention determines whether or not the endpoint is connected to the corporate network. You can specify if you want the Endpoint Server to automatically detect if the endpoint is on the corporate network. You can also enter domain names or IP addresses to use to manually determine if the endpoint is connected to the network. Symantec Data Loss Prevention supports the endpoint location feature on Windows and macOS endpoints only.
Using the automatic method to determine endpoint location, Symantec Data Loss Prevention identifies the computer as on or off the corporate network based on the DLP Agent connection to the Endpoint Server. The automatic endpoint location method is explained in the following list:
- On the corporate network: If the DLP Agent is connected to the Endpoint Server, Symantec Data Loss Prevention identifies the agent as on the corporate network. The DLP Agent connection to the Endpoint Server is transient, which means that the agent disconnects from the Endpoint Server after a prescribed period of time. During the transient connection period, Symantec Data Loss Prevention considers the agent as on the corporate network.
- Off the corporate network: This status means that the DLP Agent is disconnected from the Endpoint Server. The DLP Agent may become disconnected ungracefully from the Endpoint Server. For example, an ungraceful disconnection occurs when the network interface that connects the agent to the Endpoint Server becomes disconnected. If the DLP Agent is disconnected ungracefully, Symantec Data Loss Prevention identifies the endpoint as off the corporate network.
Using the manual method to determine endpoint location means that you must first input a range of domain names or IP addresses. Symantec Data Loss Prevention then uses this information to determine if the endpoint is connected to the corporate network. If a range of domain names is configured, the DLP Agent performs a reverse DNS lookup on the host IP address. It then matches the retrieved DNS host names with the configured domain names in the list. If a range of IP addresses is configured, the DLP Agent matches the host IP address against the list of configured IP addresses. Each individual host IP address must be on the corporate network for the endpoint to be considered connected to the corporate network.
Domain names must not contain wildcard characters and should be simple suffixes; for example, symantec.com. IP addresses may contain wildcard characters in place of a single block. For example, 192.168.*.*.
To set the Endpoint Location setting
- Go to System > Agents > Endpoint Location. The current endpoint location settings are displayed. By default, the endpoint location determination is set to Automatic.
- Click Configure.
- Select an item to configure how the Enforce Server determines endpoint location.
  - Select Automatically to let the Endpoint Server determine whether an agent is on or off the corporate network. You must use automatic endpoint location to identify Mac endpoint locations. Manual endpoint location is not supported for DLP Agents running on Mac endpoints.
  - Select Manually and enter a list of domain names or IP addresses in the correct field. Enter only one domain name or IP address per line. The Enforce Server administration console does not accept IPv6 addresses as input.
- Click Save. The changes take effect after the agent reconnects to the Endpoint Server.
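The manual-method rules above can be checked before a list is entered in the console. The following Python sketch is an added example, not Symantec code: it lints entries against the stated rules (no wildcards in domain names, whole-block IPv4 wildcards only, no IPv6) and models the "every host IP must match" decision. The function names, the label-boundary suffix match, the choice to let either kind of entry satisfy an address, and the sample data are assumptions.

```python
import re

OCTET = re.compile(r"[0-9]{1,3}")
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

def parse_entry(entry):
    """Classify one list line as ('ip', pattern) or ('domain', suffix); raise ValueError if rejected."""
    e = entry.strip().lower()
    if ":" in e:
        raise ValueError(f"{entry!r}: IPv6 addresses are not accepted")
    parts = e.split(".")
    if all(p == "*" or OCTET.fullmatch(p) for p in parts):
        # Numeric entry: must be four blocks, each 0-255 or a whole-block wildcard.
        if len(parts) != 4 or any(p != "*" and int(p) > 255 for p in parts):
            raise ValueError(f"{entry!r}: not a valid IPv4 pattern")
        return ("ip", e)
    if "*" in e:
        raise ValueError(f"{entry!r}: wildcards may only replace a whole IPv4 block")
    if len(parts) < 2 or not all(LABEL.fullmatch(p) for p in parts):
        raise ValueError(f"{entry!r}: not a simple domain suffix")
    return ("domain", e)

def ip_matches(host_ip, pattern):
    """Compare an IPv4 address to a pattern block by block; '*' matches any block."""
    return all(p == "*" or int(p) == int(h)
               for h, p in zip(host_ip.split("."), pattern.split(".")))

def name_matches(hostname, suffix):
    # Assumption: suffix match on a label boundary, so "notexample.com"
    # does not match "example.com".
    h = hostname.rstrip(".").lower()
    return h == suffix or h.endswith("." + suffix)

def on_corporate_network(host_ips, entries, reverse_lookup):
    """True only if every host IPv4 address matches an entry; reverse_lookup(ip) returns PTR names."""
    rules = [parse_entry(e) for e in entries]
    def matched(ip):
        return any(ip_matches(ip, v) if kind == "ip"
                   else any(name_matches(n, v) for n in reverse_lookup(ip))
                   for kind, v in rules)
    return bool(host_ips) and all(matched(ip) for ip in host_ips)

# Constructed sample data, not taken from any real deployment.
PTR = {"10.1.2.3": ["laptop7.corp.example.com."], "198.51.100.9": ["host9.isp.example.net."]}
ENTRIES = ["192.168.*.*", "corp.example.com"]
if __name__ == "__main__":
    lookup = lambda ip: PTR.get(ip, [])
    print(on_corporate_network(["192.168.4.20", "10.1.2.3"], ENTRIES, lookup))
    print(on_corporate_network(["192.168.4.20", "198.51.100.9"], ENTRIES, lookup))
```

The second call shows the case the page calls out: one interface on a non-corporate network is enough for the endpoint to be treated as off the corporate network.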