Endpoint Protection


location criteria

Migration User, Mar 28, 2011 09:42 AM

  • 1.  location criteria

    Posted Mar 10, 2011 11:53 AM

    I am trying to create a couple of locations. One for "in the office", and one for "out of the office (may or may not be connected to a network)". Seems like the best criteria for this is DNS lookup. If a computer can resolve an internal name, it's "in the office". 

    1. is this the best criteria for my situation?

    2. will the DNS lookup criteria make all computers query the DNS server every 4 seconds (default time), creating a lot of extra network traffic?



  • 2.  RE: location criteria

    Posted Mar 10, 2011 12:13 PM

    The successful location criteria I have seen so far are with DNS.



  • 3.  RE: location criteria

    Trusted Advisor
    Posted Mar 10, 2011 12:18 PM

    Hello,

    Symantec does not recommend more than seven locations per group when using Location Awareness as this can affect the execution time on how long it takes the Symantec Endpoint Protection client to process and ultimately connect to a valid location where all conditions have been met. From the Symantec Endpoint Protection Manager (SEPM) side, having more than seven locations per group can also degrade SEPM and database performance as the number of policies to track increases (by a minimum of five) per each location.

    Be careful when defining firewall policies that change based on location. A common initial mistake that is made when configuring the firewall to be hardened while off the network and open when on the network is that the wrong condition could be selected for determining the location. For example, consider using only the criteria connected to management server to determine locations. If the management server went down, all clients would switch to the remote location because there was no connection to the server. This would cause the clients to go to the hardened stance even though they were connected to the corporate network. This may not be the desired outcome. So remember to thoroughly test the firewall settings including location awareness together.

    About planning locations
    Before you add locations to a group, you must consider the types of security policies that you need in your environment. You also must determine the criteria that define each location. You should consider the following questions:

    • From which locations are users connecting? Consider which locations need to be created and how to label each one. For example, users may connect at the office, from home, from a customer site, or from another remote site such as a hotel during travel. Additional qualified locations may be required at a larger site.
    • Should location awareness be set up for each location?
    • How do you want to identify the location if using location awareness? You can identify the location based on IP addresses, WINS, DHCP, or DNS server addresses, network connections, and other criteria.
    • If you identify the location by network connection, what type of connection is it? For example, the network connection may be a connection to the Symantec Endpoint Protection Manager, dial-up networking, or a particular brand of VPN server.
    • Do you want clients connecting in this location to use a specific type of control, such as server control, mixed control, or client control?
    • Do you want to do Host Integrity checks at each location? Or do you want to skip it at any time such as when not connected to the Symantec Endpoint Protection Manager?
    • What applications and services should be allowed at each location?
    • Do you want the location to use the same communication settings as the other locations in the group or to use different ones? You can set unique communication settings for one location.

     

    Check the following Symantec Knowledgebase articles:


    How to set up a location to trigger when a SEP client does not have an IP address.

    http://www.symantec.com/business/support/index?page=content&id=TECH123910&actp=search&viewlocale=en_US&searchid=1299777250725

    How to configure mobile computers to automatically download virus definitions when disconnected from the Symantec Endpoint Protection Management console

    http://www.symantec.com/business/support/index?page=content&id=TECH104571&locale=en_US



  • 4.  RE: location criteria

    Posted Mar 11, 2011 11:08 AM

    I have 120+ clients and I don't want all of them querying DNS every 4 seconds; is that what happens?



  • 5.  RE: location criteria

    Posted Mar 11, 2011 11:18 AM

    I think you can select the condition as not able to connect to management server...



  • 6.  RE: location criteria

    Posted Mar 11, 2011 11:36 AM

    That works for now, but in the future my SEPM will be accessible from the outside as well. Also, this has the unwanted side effect of changing locations when/if the SEPM goes offline or reboots.



  • 7.  RE: location criteria

    Posted Mar 16, 2011 03:44 PM

    Does anyone know if the DNS lookup criteria adds a significant amount of network traffic?



  • 8.  RE: location criteria

    Posted Mar 16, 2011 06:38 PM

    ... but how does this have anything to do with the original poster's question?



  • 9.  RE: location criteria

    Posted Mar 16, 2011 06:41 PM

    The query is made to the current DNS settings, not the actual DNS server... It's the same as doing an IPCONFIG and noting the DNS server is x.x.x.x... there is no network traffic required. You could set a static DNS (to an address that doesn't have a DNS server) and it will still be able to query the setting and compare to the Location rules.



  • 10.  RE: location criteria

    Posted Mar 17, 2011 09:15 AM

    It sounds like you are talking about the "DNS Server Address" criteria, which would make sense that "it's like doing an IPCONFIG".

    I'm talking about the "DNS Lookup" criteria. It asks "If the client can resolve the specified host name", leading me to believe that it tries to resolve said host name every 4 seconds.



  • 11.  RE: location criteria

    Posted Mar 28, 2011 09:42 AM

    Can anyone confirm this?



  • 12.  RE: location criteria

    Posted Mar 28, 2011 04:00 PM

    Hi.

    Ryan_Dasso is correct. It is the same as doing an IPCONFIG and checking what the current DNS server records currently are. In newer versions of SEP there even is a fix to ensure this only gets done on the active connection.

     

    Now I guess you want some proof of that.

    The RU6 MP3 release notes mention Fix ID 2077809 for DHCP suffix matching that mentions location changes on the active link. I can't seem to find the other comments in the forums right now about DNS info being the same as doing IPCONFIG.
     



  • 13.  RE: location criteria

    Posted Mar 28, 2011 04:29 PM

    Maybe I misunderstood the criteria. It sounds like what you are saying is the client will only check its local DNS cache to see if a particular hostname matches a particular IP address.

    If that's true, this criteria will not work for me, because computers not currently in the office will still have addresses cached.



  • 14.  RE: location criteria

    Posted Apr 19, 2011 06:08 PM

    Just to clarify.

    You have DNSserver1 for LAN_A and you have DNSserver2 for WLAN_B.

    If you change from one connection to the other, your DNS server configuration will change. This means the servers that will be used for a DNS lookup change. This configuration is stored on the local PC. This is what it would look like:

    PC connected to LAN_A with an IPCONFIG /ALL will return
    DNS Servers . . . . . . . . . . . : DNSserver1
    
    PC connected to WLAN_B with IPCONFIG /ALL will return
    DNS Servers . . . . . . . . . . . : DNSserver2

    SEPM queries this definition. It does not go across the wire & contact either DNSserver1 or DNSserver2.

     

    I hope that clarifies the issue.
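As an added illustration (written for this thread, not Symantec's code or the SEP client's actual logic), the Python model below contrasts the three criteria the thread discusses: a "DNS server address" check that only reads the adapter configuration (the IPCONFIG /ALL comparison in the post above), a "DNS lookup" check that depends on actually resolving a host name, and the "connected to management server" check whose pitfall post 3 describes. All names (ClientState, select_location, the sample DNS address 10.0.0.53, the host name sepm.corp.example) and the scenarios are assumptions constructed for the example.

```python
"""Toy model of location-awareness evaluation on a managed endpoint.

Added illustration for this thread; it is not Symantec's implementation.
It shows how the criteria discussed above behave when the network state
changes, including the failure mode where relying only on the management
server connection moves an office client to the hardened location as soon
as the server is down.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]
Criterion = Callable[["ClientState"], bool]


@dataclass
class ClientState:
    """What the client can observe locally (constructed for this example)."""
    dns_servers: List[str]   # adapter configuration; reading it sends nothing on the wire
    sepm_reachable: bool     # result of the last management-server heartbeat
    resolver: Resolver       # performs an actual lookup; None means "could not resolve"


def dns_server_address(expected: str) -> Criterion:
    """'DNS server address' style check: compares local configuration only."""
    return lambda s: expected in s.dns_servers


def dns_lookup(hostname: str, expected_ip: str) -> Criterion:
    """'DNS lookup' style check: asks the resolver, so it depends on reachability."""
    return lambda s: s.resolver(hostname) == expected_ip


def connected_to_management_server() -> Criterion:
    """'Connected to management server' style check."""
    return lambda s: s.sepm_reachable


@dataclass
class Location:
    name: str
    criteria: List[Criterion]   # every criterion must hold for the location to match


def select_location(locations: List[Location], fallback: str, state: ClientState) -> str:
    """First location whose criteria all hold wins; otherwise the fallback (hardened) one."""
    for loc in locations:
        if all(check(state) for check in loc.criteria):
            return loc.name
    return fallback


# Constructed sample values (assumptions, not from any real deployment).
OFFICE_DNS = "10.0.0.53"
INTERNAL_HOST = "sepm.corp.example"
INTERNAL_IP = "10.0.0.10"


def lan_resolver(host: str) -> Optional[str]:
    """Resolver behaviour for a client on the office LAN."""
    return INTERNAL_IP if host == INTERNAL_HOST else None


def offline_resolver(host: str) -> Optional[str]:
    """Resolver behaviour for a client with no usable DNS (nothing resolves)."""
    return None


def evaluate(policy_name: str, state: ClientState) -> str:
    """Evaluate one of three policies; anything that does not match is 'Remote (hardened)'."""
    policies: Dict[str, List[Location]] = {
        # The mistake described in post 3: only the management-server connection decides.
        "sepm_only": [Location("Office", [connected_to_management_server()])],
        # Local DNS configuration decides; the server being down changes nothing.
        "dns_server": [Location("Office", [dns_server_address(OFFICE_DNS)])],
        # Resolving an internal name decides; fails when the client cannot resolve it.
        "dns_lookup": [Location("Office", [dns_lookup(INTERNAL_HOST, INTERNAL_IP)])],
    }
    return select_location(policies[policy_name], "Remote (hardened)", state)


def run_scenarios() -> Dict[str, str]:
    """Office client while the management server is down, and a disconnected laptop."""
    office_sepm_down = ClientState([OFFICE_DNS], sepm_reachable=False, resolver=lan_resolver)
    laptop_offline = ClientState(["192.168.1.1"], sepm_reachable=False, resolver=offline_resolver)
    return {
        "office/sepm_down/sepm_only": evaluate("sepm_only", office_sepm_down),
        "office/sepm_down/dns_server": evaluate("dns_server", office_sepm_down),
        "office/sepm_down/dns_lookup": evaluate("dns_lookup", office_sepm_down),
        "laptop/offline/dns_server": evaluate("dns_server", laptop_offline),
        "laptop/offline/dns_lookup": evaluate("dns_lookup", laptop_offline),
    }


if __name__ == "__main__":
    for scenario, location in run_scenarios().items():
        print(f"{scenario:30} -> {location}")
```

The office client with the management server down lands in "Remote (hardened)" under the server-only policy but stays in "Office" under either DNS-based policy, which is the test post 3 asks you to run before shipping a location-based firewall policy. The resolver is injected, so whether a real client's lookup would be answered from a local cache (the concern raised in post 13) is deliberately outside this model.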