Endpoint Protection

  • 1.  deploying SEP client in remote DMZ area ?

    Posted Aug 29, 2012 08:15 PM

    Hi,

    What port do I need to open to be able to successfully push install the SEP client to all of my DMZ clients?

    Installing 100+ SEP clients by remote desktoping into each server one by one is not what my manager wants :-|



  • 2.  RE: deploying SEP client in remote DMZ area ?

    Posted Aug 29, 2012 08:51 PM

    As I know, you should open 139/445 inbound on the client side and 139/445 outbound on the server side.



  • 3.  RE: deploying SEP client in remote DMZ area ?

    Posted Aug 29, 2012 08:52 PM

    Firewall Configuration (bi-directional):

     Mandatory Firewall Ports:

    TCP 1433: Default SQL Port 

     Optional Firewall Ports:

    TCP 334: RDP

    TCP 9090: SEPM Remote Management Console

    Firewall Configuration (bi-directional):

    Refer to the Management Server List assigned to the client group to determine the communications port the SEP clients will use to communicate to the SEPM.  Default values are:

     TCP 80 (MR2 and earlier)

    TCP 8014 (MR3 and later)

    TCP 443 (secure communications) 

    NOTE: You may consider using non-standard ports for communication as another layer of protection.  This communications port is configurable in the Management Server List assigned to the client group.

    Push deployment port that needs to be open

    TCP 139 and 445 on management servers and clients

    UDP 137 and 138 on management servers and clients

    TCP ephemeral ports on management servers and clients

    Overview of Push Deployment Wizard in Symantec Endpoint Protection 12.1

    https://www-secure.symantec.com/connect/articles/overview-push-deployment-wizard-symantec-endpoint-protection-121

    Symantec Endpoint Protection 12.1: Installing the Manager for the first time and deploying clients

    http://www.symantec.com/business/support/index?page=content&id=TECH163580


    Check this article.

    http://www.symantec.com/business/support/index?page=content&id=TECH92051&locale=en_US


     Best Practices: Configuring a Symantec Endpoint Protection environment in a DMZ

    http://www.symantec.com/docs/TECH178325 


    http://www.symantec.com/connect/articles/sep-121-best-practice-license-other-articles



  • 4.  RE: deploying SEP client in remote DMZ area ?

    Posted Aug 29, 2012 09:16 PM

    OK, so it means that it uses SAMBA as the communication port.

    However, since we have already deployed several hundred servers in the DMZ, opening the SAMBA port into the internal network is not an option, so is there any other way to open it up?



  • 5.  RE: deploying SEP client in remote DMZ area ?
    Best Answer

    Trusted Advisor
    Posted Aug 30, 2012 02:59 AM

    Hello,

    Please check this Thread: https://www-secure.symantec.com/connect/forums/server-dmz

    and check these Articles:

    Best Practices: Configuring a Symantec Endpoint Protection environment in a DMZ

    http://www.symantec.com/business/support/index?page=content&id=TECH178325

    Security recommendations regarding SEP client installed on server located in DMZ

    http://www.symantec.com/docs/TECH122858

    Communication issues with SEP client installed in DMZ while the SEP Manager is outside DMZ

    http://www.symantec.com/docs/TECH146736

    Updating downloads in an internal LiveUpdate Administrator 2.x Server using the downloads from an external LiveUpdate Server

    http://www.symantec.com/docs/TECH106254

    NOTE: The above Articles apply to both SEP 11.x and SEP 12.1

    Hope that helps!!



  • 6.  RE: deploying SEP client in remote DMZ area ?

    Posted Aug 30, 2012 12:49 PM

    Why? Is it hard for you to configure the firewall to open the ports? Your SEPM is in the internal network and your other servers are in the DMZ; between them is a firewall, and you just need to open the ports from the internal network outbound to the DMZ. And will it cause any security issue to your internal network? I don't think so.

    Or do your servers in the DMZ have a built-in firewall already configured to forbid 139/445 inbound, so that if you want to open the ports, you have to configure the servers one by one?



  • 7.  RE: deploying SEP client in remote DMZ area ?

    Posted Aug 30, 2012 09:57 PM

    Leo,

    As per security best practice, yes, you are right: the internal SEPM should not be accessed by the clients in the DMZ. Now I understand that within the DMZ server VLAN, the DMZ SEPM should be able to push it to the DMZ clients with port 445 :-)

    The only problem is that the local administrator is different for each server :-(
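    A scripted version of the setup discussed in posts 3 and 7 (push-deployment ports opened only from the DMZ-side SEPM, then reachability checked before running the Push Deployment Wizard), added here as an example; it is not code from the thread or from Symantec. It assumes Windows Server 2012 R2 / PowerShell 4.0 or later run elevated, and $SepmIp and $DmzClients are placeholder addresses.

```powershell
# Added example (not from the thread or from Symantec).
# Assumptions: PowerShell 4.0+ (NetSecurity module, Test-NetConnection), elevated session;
# $SepmIp and $DmzClients are placeholders for the DMZ-side SEPM and its DMZ clients.
$SepmIp     = '10.0.0.10'
$DmzClients = @('10.0.0.21', '10.0.0.22')

# Run on each DMZ client: allow the push ports from post 3 (TCP 139/445, UDP 137/138)
# inbound, but only from the SEPM address rather than from the whole DMZ or intranet.
function Add-SepPushRules {
    param([string]$Sepm)
    New-NetFirewallRule -DisplayName 'SEP push from SEPM (TCP 139,445)' -Direction Inbound `
        -Action Allow -Protocol TCP -LocalPort 139,445 -RemoteAddress $Sepm | Out-Null
    New-NetFirewallRule -DisplayName 'SEP push from SEPM (UDP 137,138)' -Direction Inbound `
        -Action Allow -Protocol UDP -LocalPort 137,138 -RemoteAddress $Sepm | Out-Null
    # Client-to-SEPM channel: TCP 8014 (MR3 and later default) or 443 (secure), SEPM only.
    New-NetFirewallRule -DisplayName 'SEP client to SEPM (TCP 8014,443)' -Direction Outbound `
        -Action Allow -Protocol TCP -RemotePort 8014,443 -RemoteAddress $Sepm | Out-Null
}

# Run from the SEPM: confirm each DMZ client answers on the TCP push ports before the
# wizard is started (UDP 137/138 cannot be probed with Test-NetConnection).
function Test-SepPushReachability {
    param([string[]]$Clients)
    foreach ($c in $Clients) {
        foreach ($p in 139, 445) {
            $r = Test-NetConnection -ComputerName $c -Port $p -WarningAction SilentlyContinue
            [pscustomobject]@{ Client = $c; Port = $p; Open = $r.TcpTestSucceeded }
        }
    }
}

Add-SepPushRules -Sepm $SepmIp                               # on a DMZ client
Test-SepPushReachability -Clients $DmzClients | Format-Table -AutoSize   # on the SEPM
```

A client that shows Open = False on 445 here is one the wizard will fail to reach, so the rule scope or an intermediate firewall is what to check first.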



  • 8.  RE: deploying SEP client in remote DMZ area ?

    Posted Aug 30, 2012 10:11 PM

    It will be much better than using remote desktop to install these servers one by one, won't it? :-)



  • 9.  RE: deploying SEP client in remote DMZ area ?

    Posted Aug 31, 2012 04:42 AM

    I was also wondering about having a separate SEPM in the DMZ for the DMZ servers, assuming there are quite a lot to manage, and having that SEPM load balance to the SEPM server in the intranet.



  • 10.  RE: deploying SEP client in remote DMZ area ?

    Posted Sep 05, 2012 01:49 AM

    Thanks Mithun for the links :-)