Endpoint Protection


Use Windows Firewall on 64 bit workstations


  • 1.  Use Windows Firewall on 64 bit workstations

    Posted May 24, 2010 11:48 AM

    I have a SEP 11 group on the console targeting several computers with the same set of policies and policy inheritance is turned off.  There is no SEP Firewall policy in this group.  All the 32 bit computers are using the Windows Firewall.  All the 64 bit computers display a message that the firewall settings are being controlled by SEP11.  ("These settings are being managed by vendor application Symantec Endpoint Protection".)  At present my only 64 bit computers are "Windows 7" and "Windows Server 2008 R2 Web Edition".

    The Windows 7 workstation is running SEP 11.0.5002.333 and the Windows Server 2008 R2 Web Edition is running SEP 11.0.6005.562.

    Is there an additional setting I need to use on the console to disable the SEP firewall on 64 bit computers and let the computer use the Windows Firewall?

    Thanks!



  • 2.  RE: Use Windows Firewall on 64 bit workstations

    Posted May 24, 2010 11:54 AM
    It's not the SEP firewall that is controlling Windows Firewall, it is the program itself.
    However, you can still manage the Windows Firewall normally using Group Policy or by Control Panel-Windows Firewall.
    Also make sure the Windows Firewall Service is turned ON in Services Console.


  • 3.  RE: Use Windows Firewall on 64 bit workstations

    Posted May 24, 2010 12:13 PM

    Thank you,

    In each case the Windows Firewall Service is running and the settings are being controlled by Group Policy.

    If I still have complete control over the Windows Firewall via GPO, then why do I get the message that "These settings are being managed by vendor application Symantec Endpoint Protection?"  On my 32 bit computers I see that message only when SEP 11 firewall settings are in place.  My 32 bit counterparts in the same SEP group display a message that the Windows Firewall is being controlled by Group Policy.



  • 4.  RE: Use Windows Firewall on 64 bit workstations

    Posted May 24, 2010 12:57 PM

    Here is an article that will explain this behavior

    Title: 'Advanced Settings for Windows 7 Firewall indicate that it is on, even when Symantec Endpoint Protection (SEP) 11.0 Network Threat Protection (NTP) is installed.'
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2010030706451148?Open&seg=ent




  • 5.  RE: Use Windows Firewall on 64 bit workstations

    Posted May 24, 2010 01:34 PM
    I may need to get to a Windows 7 machine to see this, but on my Windows Server 2008 R2 the Action Center does not show the firewall settings.  I see UAC and NAP.  UAC is on and NAP is off.

    When I look at the Advanced Firewall settings I have a link to a help file that indicates "Learn how you can enable Windows Firewall in your computer."  Below that I see that the Domain Network is "connected" and the Home/Private and Public networks are not connected.

    I would assume this means that the Windows firewall is not in force at the moment.


  • 6.  RE: Use Windows Firewall on 64 bit workstations

    Posted May 25, 2010 06:31 AM

    On a Windows 7 machine in the same SEP group (there is no SEP firewall policy in this group) the Action Center shows two "Installed firewall programs", "Symantec Endpoint Protection" and "Windows Firewall".  Currently the Windows Firewall is OFF and the SEP firewall is ON.

    The problem I see is that there is no SEP firewall for this managed group.  This group was set up specifically to turn off the SEP firewall so we could continue to use the Windows Firewall.  Without any SEP firewall policy, I hate to think what ports are actually open!

    Everything looks like SEP is controlling the firewall settings; but I have NO SEP Firewall settings on this computer's group!  Policy inheritance is OFF, under Settings for Location I have only the following policies:
    Antivirus/Anti Spyware
    Intrusion Prevention
    Live Update
    Centralized Exceptions

    <<<Note there is NO Firewall Policy!>>>

    How do I ensure I am able to use the Windows Firewall even though SEP is installed to the local machine?



  • 7.  RE: Use Windows Firewall on 64 bit workstations

    Posted May 25, 2010 07:58 AM
    What are the SEP components you see installed on the Win7 machines?
    Antivirus and Antispyware, Proactive Threat Protection or Network Threat Protection as well?


  • 8.  RE: Use Windows Firewall on 64 bit workstations

    Posted May 25, 2010 08:40 AM
    The Windows 7 machines show a 'full install' so we have Antivirus and Antispyware, Proactive Threat Protection and Network Threat Protection installed.

    The plan was to perform a full install on all machines and then use different SEP groups to control the policy, most computers will use a managed SEP firewall, but some will continue to use an Active Directory GPO managed firewall policy.  To this end we have different SEP groups, some with the firewall controlled via SEP and other SEP groups that have no firewall policy so that the Windows Firewall continues to manage the firewall via Active Directory group policy.  This has been working on our 32 bit Windows XP machines.

    We first noticed an issue with our first Windows Server 2008 R2, a 64 bit machine which is allowing access via ports that should be blocked by the Windows Firewall.  On both of my test machines, Windows Server 2008 R2 and Windows 7 when I launch SEP11 and select 'change settings' the Network Threat Protection "configure settings" button is grayed out so I cannot make any changes to the current NTP policy.



  • 9.  RE: Use Windows Firewall on 64 bit workstations

    Posted May 25, 2010 08:41 AM



  • 10.  RE: Use Windows Firewall on 64 bit workstations

    Posted May 25, 2010 10:27 AM
    Here again there is Policy and Component

    The Firewall is installed on the Client even though you have applied no policy on it.
    The Firewall is still installed and present on your Clients, and as the Firewall was installed it took over Windows Firewall.


  • 11.  RE: Use Windows Firewall on 64 bit workstations

    Posted May 25, 2010 12:30 PM

    The desire is to install the full SEP package, firewall component included, and control the behavior of the components from the management server's groups.

    Is this not possible?

    Your answer sounds as though I would have to withhold the firewall component in order to use the Windows Firewall, which means I would then _never_ be able to utilize the SEP firewall policy.



  • 12.  RE: Use Windows Firewall on 64 bit workstations

    Posted May 25, 2010 12:41 PM
    With SEP firewall installed, it would say SEP is managing your Windows Firewall; however, you will be able to make changes in the firewall.

    As you said earlier:
    "Below that I see that the Domain Network is "connected" and the Home/Private and Public networks are not connected."

    This has nothing to do with Firewall settings.
    Go to Services.msc and make sure Windows Firewall/Internet Connection Sharing service is set to automatic and is in started state.


  • 13.  RE: Use Windows Firewall on 64 bit workstations

    Posted May 25, 2010 02:53 PM
    Our on campus guru explained how to utilize the SEP console to change firewall applications via the SEP console:

    Assign install packages to a group with a specified feature set of components so that all of my "no sep firewall" SEP groups install a client with a custom feature set each time a computer is moved from one SEP group to another. 

    1. On the console ADMIN section I designed two Client Install Feature Sets, one for SEP Firewall and one NO SEP Firewall. 
    2. Then on the console at CLIENTS I Added Client Install Package and UNCHECKED the "maintain existing client features when upgrading" and assigned the NO SEP Firewall Feature Set to the No SEP Firewall client group.
    3. On the console at CLIENTS I added Client Install Package and UNCHECKED the "maintain existing client features when upgrading" and assigned the SEP Firewall Feature Set to the SEP Firewall client group.

    Now I can move client machines from one SEP group to another and the Firewall (Network Threat Protection) component will be installed or uninstalled at the next client update.  Once the NTP component is uninstalled, the workstation automatically reverts to the Windows Firewall settings from local or Group Policy.

    This seems to solve the issue, if there is any reason NOT to use this method, please let me know!!!  Thanks to everyone for helping!




  • 14.  RE: Use Windows Firewall on 64 bit workstations
    Best Answer

    Posted May 25, 2010 02:58 PM
    Yes, this will work, as it comes back to my point of Component vs Policy.
    If the component is installed, SEP will monitor the firewall. So it has to go.

    The process you are following is the best and the easiest one. You can ALSO export an Install Package for this group without NTP and deploy it on the clients you want.
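
A read-only check for the outcome described in posts 13 and 14, added here as an example and not part of the original thread or of Symantec's tooling: once the NTP component has been removed, confirm that the Windows Firewall service is running, that the firewall is enabled on the active profile, and whether Group Policy governs it. It assumes Windows PowerShell (which provides `Get-WmiObject`) on Windows 7 / Server 2008 R2 or later.

```powershell
# Added example: report which firewall is actually enforcing on this host.
# Nothing here changes configuration; every call only reads state.

# 1. Windows Firewall service (service name MpsSvc on Vista and later).
$svc = Get-Service -Name MpsSvc
"Windows Firewall service (MpsSvc): {0}" -f $svc.Status

# 2. Per-profile state from the Windows Firewall COM API (INetFwPolicy2).
$profiles = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }  # NET_FW_PROFILE_TYPE2 flags
$actions  = @{ 0 = 'Block'; 1 = 'Allow' }                     # NET_FW_ACTION
$modify   = @{ 0 = 'Local policy in effect'                   # NET_FW_MODIFY_STATE
               1 = 'Overridden by Group Policy'
               2 = 'All inbound blocked' }

$fw = New-Object -ComObject HNetCfg.FwPolicy2
$rows = foreach ($bit in 1, 2, 4) {
    New-Object PSObject -Property @{
        Profile        = $profiles[$bit]
        Active         = [bool]($fw.CurrentProfileTypes -band $bit)
        Enabled        = [bool]$fw.FirewallEnabled($bit)
        DefaultInbound = $actions[[int]$fw.DefaultInboundAction($bit)]
    }
}
$rows | Format-Table Profile, Active, Enabled, DefaultInbound -AutoSize
"Local policy modify state: {0}" -f $modify[[int]$fw.LocalPolicyModifyState]

# A host that has reverted to Windows Firewall should show Enabled = True
# on every profile marked Active. Flag the ones that do not.
$gaps = @($rows | Where-Object { $_.Active -and -not $_.Enabled })
if ($gaps.Count -gt 0) {
    "WARNING: Windows Firewall is OFF on active profile(s): {0}" -f
        (($gaps | ForEach-Object { $_.Profile }) -join ', ')
}

# 3. Firewall products registered with Windows Security Center.
#    This namespace is normally present on client editions only, so a
#    failure on Server 2008 R2 is tolerated rather than treated as an error.
try {
    Get-WmiObject -Namespace 'root\SecurityCenter2' -Class FirewallProduct -ErrorAction Stop |
        Select-Object displayName, productState
} catch {
    'root\SecurityCenter2 is not available on this host.'
}
```

If a third-party product is still listed in step 3 or an active profile shows Enabled = False, the host has not yet reverted to Windows Firewall and should be rechecked after the next client update.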




  • 15.  RE: Use Windows Firewall on 64 bit workstations

    Posted May 25, 2010 04:31 PM
    that the Firewall component was part of the overall NTP portion of SEP 11.x as well as device and application control.
    I was also under the impression that these components were not yet functioning/supported/developed for x64 systems and I had not read in any release notes that this had changed.
    Also, the "roadmap" for implementation said Q4 2010 or possibly later....


  • 16.  RE: Use Windows Firewall on 64 bit workstations

    Posted May 25, 2010 04:37 PM


  • 17.  RE: Use Windows Firewall on 64 bit workstations

    Posted May 25, 2010 05:30 PM
    Hehehe.
    Thanks Vikram.

    Document modified 14 days ago.

    I had been out of the office and on vacation for 3 weeks... 
    I just can't remember what was there before...  Oh well.  Thanks!



  • 18.  RE: Use Windows Firewall on 64 bit workstations

    Posted May 25, 2010 06:26 PM
    Q: What is the level of compatibility for Mail Scanning on 64-bit platforms?
    A: Lotus Notes (Domino), Microsoft Exchange and POP3/SMTP scanning plugins are not supported on 64-bit platforms. 

    This was certainly not there. However, I can guarantee nothing has been removed from that list.