hello,

I am currently deploying SEP client to DMZ from another network. There is a hardware firewall between DMZ and network of SEPM.

I read from Symantec Articles of the required port 8014 and 445 in firewall.However it does not work because the search client fail to find any computer.

Is it required to allow icmp in hardware firewall?

Thank you very much

check this

About firewalls and communication ports

Yes I have checked this.

In fact I have allowed port 445,137,138,139 in the hardware firewall but search client will fail to find any computer in remote push.

The SEPM cannot ping the clients so do I need to allow SEPM to ping clients in order to deploy?

Oh Yes, Wizard uses ping resoponse to determine if the client is Alive.

Enable ICMP during the push deployment .

Alternatively, You can copy the package and the client deployment wizard to any one server in DMZ

run the push deployment wizard from DMZ. Since you have already opened the port for communication once the installation is complete it will talk to SEPM 

https://www-secure.symantec.com/connect/articles/overview-push-deployment-wizard-symantec-endpoint-protection-121

See here:

Preparing Windows operating systems for remote deployment

HI, 

Regards

Ajin

Hi,

Best Practices: Configuring a Symantec Endpoint Protection environment in a DMZ

http://www.symantec.com/docs/TECH178325

How to allow Symantec Endpoint Protection clients in a remote location to be managed by a Symantec Endpoint Protection Manager that's behind a NAT device

http://www.symantec.com/docs/TECH93033 

Communication issues with SEP client installed in DMZ while the SEP Manager is outside DMZ

http://www.symantec.com/docs/TECH146736

Hi

I have disabled windows firewall on both SEPM and  clients in DMZ. So the problem is likely on the hardware firewall.

Chetan, I have allowed port 8014, 80, 7070, 445 and the communication is ok but the problem I had is in remote push, new deployment of SEP client. The search client will fail to find any computer in remote push.

SEP articles do not state icmp, is it compulsory to allow icmp in firewall for remote push?

Thank you all for your help

You should be able to ping them. 

Allow ping for few machines, if the scan finds it out , you can then Enable on the rest

if allowing ping requires approval then you can consider placing the depolyment wizard in the DMZ and start a push from DMZ as I explained earlier.

Hi

Please refer the link below

http://www.symantec.com/business/support/index?page=content&id=HOWTO81103&actp=search&viewlocale=en_US&searchid=1370852804788

Regards