SEP Location Issue on Terminal Servers

Symantec Endpoint Protection (SEP) allows additional locations to be defined per client-group.  The main purpose of these is usually to define LiveUpdate settings when the client is not on the network.  Although there are many rule variations to define when the client auto-switches to a secondary location, one common rule-setting is to switchover when the client simply cannot communicate with the management server.  Occasionally, you may have reason to define a second location for your server group(s).  If so, be careful not to have an additional location using the rule mentioned above for your terminal-server group (either explicitly or through inheritance).  Doing so can make your terminal-server SEP clients go 'partially offline' - meaning they show offline locally and do not seem to enforce some policy settings, but continue to apply definition updates and show online in the management console.  A symptom of this behavior that is easy to spot is the SEP icon not displaying in the system tray (assuming you don't have policies defined to intentionally hide it).  Rebooting the terminal server or restarting SMC will resolve the issue temporarily, but it will come back randomly.  This issue has been seen in a production environment using SEP 11.0.4-builds on Windows 2003 SP2 Terminal Services.

Networking Symantec Endpoint Protection