Endpoint Protection


Location awareness does not work as expected

  • 1.  Location awareness does not work as expected

    Posted Sep 04, 2012 02:10 AM

    Hi,

    we are currently testing the location awareness feature. This works quite well.
    We use for the detection of the locations the Network Connection Type "Cisco VPN".

    This works when we connect with the Cisco VPN client, but it does not work when we connect with the Cisco AnyConnect client.

    Is there a way to edit the Network Connection Type CiscoVPN or creating a new one?

    Thanks in advance,

    Thomas



  • 2.  RE: Location awareness does not work as expected

    Trusted Advisor
    Posted Sep 04, 2012 03:27 AM

    Hello,

    What version of SEP 12.1 are you running?

    What OS is running on the client machine?

    Did you try adding more location conditions on the SEPM?

    Could you make sure you are running the latest version of SEP 12.1 RU1 MP1?

    Check this Article:

    Cisco AnyConnect tries to acquire an IP address when smc -stop command is issued

    http://www.symantec.com/docs/TECH173546

     

    Also, Check these Articles: 

    Best Practices for Symantec Endpoint Protection Location Awareness

    http://www.symantec.com/docs/TECH98211

    Location Awareness Logic 

    http://www.symantec.com/docs/TECH97097

    More about Location Awareness in Symantec Endpoint Protection (SEP)

    http://www.symantec.com/docs/TECH97369

    and 

    Use Case of Location Awareness and Network Threat Protection with SEP (11/12)

    Hope that helps!!

     



  • 3.  RE: Location awareness does not work as expected

    Posted Sep 04, 2012 05:37 AM

    Hi,

    Check for split tunneling. We faced the same issue.

    Give more details; if that is the case, I may be able to help you out.

     



  • 4.  RE: Location awareness does not work as expected

    Posted Sep 04, 2012 08:19 AM

    Hi,

     

    What version of SEP 12.1 are you running?

    12.1.1101.401 RU1 MP1

    What OS is running on the client machine?

    Windows XP and Windows 7

    Did you try adding more location conditions on the SEPM?

    I added 3 locations (LAN, VPN, Unknown)

    Could you make sure you are running the latest version of SEP 12.1 RU1 MP1?

    The client is also running 12.1.1101.401

     

    I checked for split tunneling. Same settings on both VPN clients (allow local LAN access is enabled).

    Please see the attached screenshots for detailed location information.



  • 5.  RE: Location awareness does not work as expected

    Posted Sep 04, 2012 08:24 AM

    The traffic should be able to pass thru both the adapters when you have split tunnelling.

    Unfortunately I am unable to see the screenshots except for the unknown one.

    If possible, can you tell us what is the exact point of failure?



  • 6.  RE: Location awareness does not work as expected

    Posted Sep 04, 2012 09:30 AM

    Hmm... I can see both, but I will add them again.

    My problem is that the client is not switching to the VPN location when we try to connect with the Cisco AnyConnect VPN Client.



  • 7.  RE: Location awareness does not work as expected

    Posted Sep 04, 2012 09:54 AM

    For VPN conditions.

    Add an or under condition 1 for below 2 under NICs to be used.

    Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
    Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows



  • 8.  RE: Location awareness does not work as expected

    Posted Sep 06, 2012 01:34 AM

    Hi,

    I added these 2 NICs and I got the same result....

    Please see the screenshots attached.



  • 9.  RE: Location awareness does not work as expected

    Posted Sep 06, 2012 05:23 AM

    I understand it stays in ethernet even after connecting to VPN. What happens when you try to connect to VPN from default? Does it still go to ethernet?

    Try to add a third condition to ethernet "computer uses ethernet adapter"



  • 10.  RE: Location awareness does not work as expected

    Posted Sep 06, 2012 05:40 AM

    Hi Thomas,

       I think what you are trying to do is to move the client to the location VPN when connected via Cisco Anyconnect? Right?

    Our predetermined conditions like Cisco VPN connection may not work with specific VPNs as they check for known registry keys (for example) that may have been updated with the VPN software.

    What you can do however and that should work fine is use the NIC description in the condition instead of the Cisco VPN condition.

    For example, if the NIC description is "Virtual Cisco Anyconnect VPN adapter", create a condition based on this.

    I hope I was clear enough!

    Let me know.

    J



  • 11.  RE: Location awareness does not work as expected
    Best Answer

    Posted Sep 06, 2012 07:58 AM

    Hi NRaj,

    I am always in the default location (it's called unknown in our environment).

    That's the way I am testing it:

    1. unplug the computer from the corporate lan
    2. sep switches to the location unknown
    3. sign in to the guest wifi
    4. login to vpn
    5. sep switches to the location apa-lan

    I added Ethernet and Wireless to the condition apa-lan. Same result.

    Can I check somewhere if the client receives the location changes ?

     

    Hi Jeremy,

    I tried that already and added the following adapters:

    • Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
    • Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
    • Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows

    It is also not working at the moment. And I really don't understand why.

    Thanks,

    Thomas



  • 12.  RE: Location awareness does not work as expected

    Posted Sep 06, 2012 08:16 AM

    Just to be sure make sure you have the right policy #.

    The below tool will give you detailed information about the location switching.

     

    ALS debug Log

     

    Sylink debugging must be enabled for Auto-Location Switching (ALS) debugging to work.

    Enable ALS debugging:

     

    Enable debugging for location-related entries by creating the following DWORD registry value, and setting it to 1 :

    HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\Trident\AutoLocationDump

     

    Cycle SMC once more after modifying the registry in step 2, to fully enable the ALS debugging. 

    Start, Run, type in 'smc -stop', click OK

    Wait for the system tray shield icon to disappear

    Start, Run, type in 'smc -start', click OK

    Enabling this will create a file called "debug.log" in the Symantec Endpoint Protection program installation directory.

     




  • 13.  RE: Location awareness does not work as expected

    Posted Sep 06, 2012 08:49 AM

    As far as I know the Cisco AnyConnect also supports SSL VPN.

    If you are using this SSL VPN Method normally the adapter is transparent to SEP, what will never appear to be an adapter and therefore will not match the criteria for the Location.

    So to make it usable by locations you most likely would need to change the approach in checking for specific network characteristics when you are connected via Cisco AnyConnect like a dedicated DNS Server that you are using or dedicated DHCP that you are using...

     

    Hope this helps, even if it's not the answer that you would expect

    Cheers, toby



  • 14.  RE: Location awareness does not work as expected

    Posted Sep 07, 2012 07:12 AM

    Sorry I forgot to mention, when you then apply Firewall Rules, you would need to specify your Cisco Adapter as otherwise the Ethernet and Wireless is letting the traffic pass, but the Cisco AnyConnect might block it as it will be caught by the Block rule...

    I had experienced this when my SSL VPN was dropped because of this rule (missing interface). Furthermore when there is a session keep alive from your RAS infrastructure set, don't forget this to be allowed as well, otherwise the session crashed after the timeout returns.

    Cheers, toby



  • 15.  RE: Location awareness does not work as expected

    Posted Sep 12, 2012 06:15 AM

    I also added now the "Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64".

    It's ok now ;-)

    Thank you very much.
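
The thread was resolved by adding the adapter description with the "x64" suffix to the location condition. The following is an added example, not part of the original thread and not Symantec code: it compares the NIC descriptions a client reports with the descriptions entered in a condition and flags near misses such as a missing suffix. The function name, the constructed sample data and the assumption that the condition is compared against the full description string are illustrative.

```powershell
# Added example (not Symantec code). Compare-NicDescription is a hypothetical helper.
function Compare-NicDescription {
    param(
        [string[]]$Installed,   # NIC descriptions reported by the client
        [string[]]$Configured   # NIC descriptions entered in the location condition
    )
    foreach ($nic in $Installed) {
        $name  = $nic.Trim()
        # Exact match, ignoring case and surrounding whitespace
        $exact = $Configured | Where-Object { $_.Trim() -ieq $name }
        # Near miss: one string is a prefix of the other (for example a trailing " x64")
        $near  = $Configured | Where-Object {
            $c = $_.Trim()
            ($c -ine $name) -and
            ($name.StartsWith($c, [StringComparison]::OrdinalIgnoreCase) -or
             $c.StartsWith($name, [StringComparison]::OrdinalIgnoreCase))
        }
        $result = 'NoMatch'
        $rule   = $null
        if ($exact)    { $result = 'Exact';    $rule = @($exact)[0] }
        elseif ($near) { $result = 'NearMiss'; $rule = @($near)[0] }
        New-Object PSObject -Property @{
            Result      = $result
            Description = $name
            ClosestRule = $rule
        }
    }
}

# Constructed sample: the adapter names listed earlier in the thread as the condition.
$configured = @(
    'Cisco AnyConnect VPN Virtual Miniport Adapter for Windows',
    'Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64',
    'Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows'
)
# Constructed sample of what a 64-bit client might report.
$installed = @(
    'Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64',
    'Example Gigabit Ethernet Adapter'
)
# On a real client, read the descriptions from WMI instead of the sample:
# $installed = Get-WmiObject Win32_NetworkAdapter | ForEach-Object { $_.Description }

Compare-NicDescription -Installed $installed -Configured $configured |
    Format-Table Result, Description, ClosestRule -AutoSize -Wrap
```

A `NearMiss` row means the client's adapter description differs from a configured one only by extra leading or trailing text, so the exact string from the client should be copied into the condition.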