With the Symantec Network Access Control (SNAC) product, what happens if an Enforcer appliance cannot communicate with the Symantec Endpoint Protection Manager (SEPM)?
If you plan to use Enforcers with Symantec Endpoint Protection, we recommend that you have redundant management servers. If the Symantec Endpoint Protection Manager (SEPM) is unavailable, the Enforcer blocks the traffic from the clients.
Redundant management servers are preferable because the GUID check depends on the SEPM being reachable. The Enforcer sends a UDP packet on port 1812, using the RADIUS protocol, to the SEPM to verify the GUID of each client. If a firewall blocks this port or if no SEPM is available, the clients are blocked.
An option on the Enforcer allows client access to the network when the SEPM is unavailable. If this option is configured and the SEPM is unavailable, the GUID check and the profile checks are not performed. Only the Host Integrity check can be performed on the client when the SEPM is unavailable.
You can use the advanced local-auth command in the Enforcer CLI to enable or disable the Enforcer's local authentication of a client. With local-auth enabled, the Enforcer checks only the Host Integrity status and does not verify the client GUID with the SEPM.
The same option can be configured in advance from the SEPM side in the Enforcer Group properties:
- Enabling local authentication on the LAN Enforcer appliance
- Enabling local authentication on a Gateway Enforcer appliance
- Enabling local authentication on the Integrated Enforcer
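The decision logic described above, written out as an added Python model so that the fail-closed default and the local-auth fallback can be compared side by side. This is illustrative code written for this article, not Symantec's Enforcer code: the client fields, the `known_guids` set and the `sepm_reachable` flag are assumptions standing in for the real RADIUS exchange on UDP/1812.

```python
from dataclasses import dataclass


@dataclass
class Client:
    """Constructed view of what the Enforcer learns about a connecting client."""
    guid: str
    host_integrity_passed: bool
    profile_current: bool


class SepmUnavailable(Exception):
    """Raised when the RADIUS lookup on UDP/1812 gets no answer (blocked port or SEPM down)."""


def sepm_verify_guid(guid: str, known_guids: set, sepm_reachable: bool) -> bool:
    """Stand-in for the Enforcer's RADIUS query to the SEPM.

    sepm_reachable is an assumed flag that models whether the UDP/1812
    exchange completes; in the real product this is a network round trip.
    """
    if not sepm_reachable:
        raise SepmUnavailable("no RADIUS response from SEPM on UDP/1812")
    return guid in known_guids


def enforcer_decision(client: Client, known_guids: set,
                      sepm_reachable: bool, local_auth: bool) -> tuple:
    """Return ("allow" | "block", reason) for one client.

    With the SEPM reachable: GUID check, profile check and Host Integrity all apply.
    With the SEPM unreachable and local-auth disabled: traffic is blocked (fail closed).
    With the SEPM unreachable and local-auth enabled: only Host Integrity is checked.
    """
    try:
        if not sepm_verify_guid(client.guid, known_guids, sepm_reachable):
            return ("block", "GUID not recognised by SEPM")
        if not client.profile_current:
            return ("block", "client profile check failed")
    except SepmUnavailable:
        if not local_auth:
            return ("block", "SEPM unavailable and local-auth disabled")
        # local-auth enabled: skip GUID and profile checks, fall through to HI only

    if not client.host_integrity_passed:
        return ("block", "Host Integrity check failed")
    return ("allow", "checks passed")


# Constructed sample data for a quick run.
KNOWN_GUIDS = {"guid-managed-0001"}
MANAGED = Client("guid-managed-0001", host_integrity_passed=True, profile_current=True)
UNMANAGED = Client("guid-unknown-9999", host_integrity_passed=True, profile_current=False)

if __name__ == "__main__":
    for reachable, local in ((True, False), (False, False), (False, True)):
        for c in (MANAGED, UNMANAGED):
            print(f"sepm_reachable={reachable} local_auth={local} {c.guid}: "
                  f"{enforcer_decision(c, KNOWN_GUIDS, reachable, local)}")
```

Running the model makes the trade-off explicit: with local-auth enabled, an unmanaged client whose GUID the SEPM would have rejected is admitted as long as it reports a passing Host Integrity status, which is why the fallback should be weighed against simply deploying a second management server.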