Endpoint Protection

  • 1.  SEPM 12.1.2 with Clients in DMZ Zone

    Posted Apr 12, 2013 01:30 PM

    We have several SEP clients in a DMZ zone (public facing). Our firewall group has notified us that our internal SEPM cannot communicate with the clients in the external DMZ. We have two firewalls to get through: internal | DMZ1 | DMZ2.

    They want to see a "relay" (I'm thinking group update provider??) in DMZ1 to distribute updates via our internal SEPM. Does the GUP provide the status of the clients it manages to the internal SEPM, or is it ONLY for providing content updates?

    Thank you



  • 2.  RE: SEPM 12.1.2 with Clients in DMZ Zone

    Posted Apr 12, 2013 01:36 PM

    The GUP can only provide content updates, nothing else at this time.

    For additional reading, have you seen the articles for SEP in a DMZ?

    Best Practices: Configuring a Symantec Endpoint Protection environment in a DMZ

    Article:TECH178325  |  Created: 2012-01-05  |  Updated: 2012-01-05  |  Article URL http://www.symantec.com/docs/TECH178325

    Security recommendations regarding SEP client installed on server located in DMZ

    Article:TECH122858  |  Created: 2010-01-29  |  Updated: 2010-01-09  |  Article URL http://www.symantec.com/docs/TECH122858

    Communication issues with SEP client installed in DMZ while the SEP Manager is outside DMZ

    Article:TECH146736  |  Created: 2010-12-21  |  Updated: 2011-06-08  |  Article URL http://www.symantec.com/docs/TECH146736



  • 3.  RE: SEPM 12.1.2 with Clients in DMZ Zone

    Posted Apr 12, 2013 01:45 PM

    Only content updates. Nothing else.



  • 4.  RE: SEPM 12.1.2 with Clients in DMZ Zone

    Posted Apr 12, 2013 01:51 PM

    Thank you for the info.

    I have read those articles; however, our policy states that any server in the external DMZ is not allowed to pass through both firewalls, so there must be some type of "relay".

    Does SEPM 12 offer anything that will do this? I really don't want to have a bunch of unmanaged clients out on our DMZ and no way of knowing if they are out of date, compromised, etc.



  • 5.  RE: SEPM 12.1.2 with Clients in DMZ Zone

    Posted Apr 12, 2013 01:53 PM

    You would need to put a SEPM in the DMZ to manage those clients.



  • 6.  RE: SEPM 12.1.2 with Clients in DMZ Zone

    Posted Apr 12, 2013 02:00 PM

    How about this scenario: I move our current SEPM server to DMZ1 (in between internal and DMZ2). This would act as a relay for both internal and external.

    It would be on a completely different network, so I assume I would need to update the sylink on all current managed clients?



  • 7.  RE: SEPM 12.1.2 with Clients in DMZ Zone

    Posted Apr 12, 2013 02:12 PM

    That can be done.

    Helpful thread/advice with similar scenario and what to do:

    http://www.symantec.com/connect/forums/change-ip-address-sepm-server



  • 8.  RE: SEPM 12.1.2 with Clients in DMZ Zone

    Trusted Advisor
    Posted Apr 12, 2013 03:09 PM

    Hello,

    Please check this Thread: https://www-secure.symantec.com/connect/forums/server-dmz

    and check this Article:

    Updating downloads in an internal LiveUpdate Administrator 2.x Server using the downloads from an external LiveUpdate Server

    http://www.symantec.com/docs/TECH106254

    NOTE: The above Article applies to both SEP 11.x and SEP 12.1

    Hope that helps!!



  • 9.  RE: SEPM 12.1.2 with Clients in DMZ Zone

    Posted Apr 16, 2013 11:36 AM

    Here's what I am planning to do; please correct me if I'm wrong.

    I have obtained an IP for DMZ1 and added that IP to the SML. All clients now have the updated SML.

    My question is, is it OK for me to have added that IP under the same priority as the current server/IP? Or should I have made another priority and then added a server?

    I do not plan to spin up another SEPM, rather just change the IP / domain on the current SEPM to the one I specified in the SML.

    Thank you



  • 10.  RE: SEPM 12.1.2 with Clients in DMZ Zone

    Trusted Advisor
    Posted Apr 16, 2013 11:46 AM

    Hello,

    Please refer to the following article: http://www.symantec.com/docs/TECH104389

    Add MACHINE_1 under Priority 2 and add MACHINE_2 under Priority 1, and assign this new Management Server List to all the groups.

    To answer your question, the SEP clients contact the SEPM using the IP address.

    So, as long as your client machines are able to contact the new server on the installation port and IP address of the server, the migration should be fine.

    Secondly, just make sure that your DNS resolves the server name to the new IP. After all, you can always try it and bring it back to the old VLAN.

    Hope that helps!!
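Added example, not part of the thread and not Symantec code: a pre-flight check for the Management Server List arrangement suggested above (MACHINE_2 at Priority 1, MACHINE_1 at Priority 2) before cutting clients over to a SEPM that has moved to a new IP/VLAN. For each server, in the order a client would try them, it checks that DNS resolves the name to the IP you expect and that the SEPM client-communication port accepts a TCP connection, then reports which server a client would end up talking to. The host names, IPs and `expected_ip` values are hypothetical; port 8014 is assumed as the SEP 12.1 default HTTP client port. The resolver and connector are injectable so the selection logic can be exercised offline.

```python
"""Pre-flight check of a SEP Management Server List (MSL) after a SEPM IP/VLAN move.

Hypothetical example: server names, IPs and expected_ip values are placeholders.
Port 8014 is assumed to be the SEP 12.1 default HTTP client-communication port.
"""
import socket
from dataclasses import dataclass


@dataclass
class Server:
    address: str               # host name or IP exactly as entered in the MSL
    port: int = 8014           # SEP 12.1 default HTTP client port (assumption)
    expected_ip: str = None    # IP the name should resolve to after the move (optional)


def default_resolver(name: str):
    """Resolve a host name; return None on NXDOMAIN/timeout instead of raising."""
    try:
        return socket.gethostbyname(name)
    except (socket.gaierror, OSError):
        return None


def default_connector(ip: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connect to ip:port succeeds within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_msl(msl: dict, resolver=default_resolver, connector=default_connector):
    """Check every server in the MSL in priority order (lower number tried first).

    msl maps priority number -> list of Server. Returns one result dict per
    server, in the order a client would attempt them.
    """
    results = []
    for priority in sorted(msl):
        for srv in msl[priority]:
            ip = resolver(srv.address)
            # DNS is "ok" only if the name resolves AND (when given) matches the new IP,
            # which catches the stale-DNS case where the name still points at the old VLAN.
            dns_ok = ip is not None and (srv.expected_ip is None or ip == srv.expected_ip)
            reachable = bool(ip) and connector(ip, srv.port)
            results.append({
                "priority": priority,
                "address": srv.address,
                "resolved_ip": ip,
                "dns_ok": dns_ok,
                "reachable": reachable,
            })
    return results


def select_server(results):
    """Mimic client failover: first reachable server in the lowest priority group.

    Returns that result dict, or None if nothing in the MSL answers, i.e. the
    'unmanaged clients in the DMZ' situation the thread wants to avoid.
    """
    for r in results:          # results are already in priority order
        if r["reachable"]:
            return r
    return None


def report(results):
    """Human-readable status lines, one per server."""
    lines = []
    for r in results:
        status = "OK" if r["reachable"] and r["dns_ok"] else "FAIL"
        lines.append(f"P{r['priority']} {r['address']:<12} -> {r['resolved_ip']!s:<15} "
                     f"dns_ok={r['dns_ok']} reachable={r['reachable']} [{status}]")
    return lines


if __name__ == "__main__":
    # Hypothetical MSL from the thread: MACHINE_2 (new DMZ1 address) at Priority 1,
    # MACHINE_1 (old internal address) at Priority 2. Replace names/IPs with your own.
    msl = {
        1: [Server("MACHINE_2", expected_ip="192.0.2.10")],
        2: [Server("MACHINE_1", expected_ip="10.0.0.10")],
    }
    res = probe_msl(msl)
    print("\n".join(report(res)))
    chosen = select_server(res)
    print("client would use:", chosen["address"] if chosen else "NO SERVER REACHABLE")
```

Run it from a client in each zone (internal, DMZ1, DMZ2) with the real MSL entries; a server that resolves but is not reachable on the port points at the firewall rules between zones, while a server that resolves to the old IP points at stale DNS, the two failure modes the reply above calls out.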