The Enforcer appliance stays connected to the Symantec Endpoint Protection Manager. At regular intervals (the heartbeat), the Enforcer appliance retrieves settings from the management server. Those settings controls how the Enforcer appliance operates. When you make any changes on the management server that affect the Enforcer appliance, the Enforcer appliance receives the update during the next heartbeat. The Enforcer appliance transmits its status information to the management server. It can log the events that it forwards to the management server. The information then appears in the logs on the management server.
The Symantec Endpoint Protection Manager maintains a list of management servers with replicated database information. It downloads the management server list to connected Enforcers and managed clients and guest clients. If the Enforcer appliance loses communication with one management server, it can connect to another management server that is included in the management server list. If the Enforcer appliance is restarted, it uses the management server list to reestablish a connection to a management server.
When a client tries to connect to the network through the Enforcer appliance, the Enforcer appliance authenticates the client's Globally Unique Identifier (GUID). The Enforcer appliance sends the GUID to the management server and receives an accept response or a reject response.
If an Enforcer appliance is configured to authenticate the GUID, it can retrieve information from the management server. The Enforcer appliance can then determine if the client profile has been updated with the latest security policies. If the client information changes on the management server, the management server can send the information to the Enforcer appliance. The Enforcer appliance can again perform host authentication on the client.