Endpoint Protection

  • 1.  SEPM in DMZ deployment best practice

    Posted Jul 30, 2012 10:01 AM

    Hi All,

    Can anyone here share their configuration or best practice for deploying SEPM v12.1 as a DMZ SEPM server that talks to the internal SEPM server in my internal LAN for updates?

    This DMZ SEPM will do the update and management for all of my DMZ internet-facing production web servers.

    Thanks.



  • 2.  RE: SEPM in DMZ deployment best practice
    Best Answer



  • 3.  RE: SEPM in DMZ deployment best practice

    Posted Jul 30, 2012 10:10 AM

    Thanks for the reply,

    As per the best practice, the database of this DMZ SEPM should just be self-contained, right?

    Rather than opening port 1433 for the SQL server, and all of the updates will be replicated / pushed from the internal SEPM server.



  • 4.  RE: SEPM in DMZ deployment best practice

    Broadcom Employee
    Posted Jul 30, 2012 10:14 AM

    If the DB is SQL, then port 1433 needs to be opened, as SQL listens on this port (default).



  • 5.  RE: SEPM in DMZ deployment best practice

    Trusted Advisor
    Posted Jul 30, 2012 12:46 PM

    Hello,

    I agree; in case you are running the SQL database, the port would be required to be opened.

    Please check this thread: https://www-secure.symantec.com/connect/forums/server-dmz

    Articles:

    Best Practices: Configuring a Symantec Endpoint Protection environment in a DMZ

    http://www.symantec.com/business/support/index?page=content&id=TECH178325

    Security recommendations regarding SEP client installed on server located in DMZ

    http://www.symantec.com/docs/TECH122858

    NOTE: The above articles apply to both SEP 11.x and SEP 12.1.

    Hope that helps!!



  • 6.  RE: SEPM in DMZ deployment best practice

    Posted Jul 31, 2012 01:20 PM

    Depends on how many servers you have in the DMZ...

    Option 1: Install SEPM with the embedded DB and it will replicate with the production SEPM.

    Option 2: Let all servers in the DMZ take direct updates from the production SEPM. Open IP:port-specific firewall rules for the DMZ segments.

    Option 3: From the production SEPM/DB, install a new failover/LB server in the DMZ. Keep all DMZ servers in one group and apply MSL on that group only to communicate with that SEPM.



  • 7.  RE: SEPM in DMZ deployment best practice



  • 8.  RE: SEPM in DMZ deployment best practice

    Posted Jul 31, 2012 08:18 PM

    Hm...

    Option #3 is interesting, so is SEPM load balancing the AV distribution, updates and policy enforcement as well?



  • 9.  RE: SEPM in DMZ deployment best practice

    Posted Aug 01, 2012 01:18 AM

    In SEPM you can manage all the policies (including how the clients should receive updates) through groups.



  • 10.  RE: SEPM in DMZ deployment best practice

    Posted Aug 01, 2012 12:57 PM

    Yup, that SEPM should be able to do everything your production SEPM does.