Best Practices: Configuring a Symantec Endpoint Protection environment in a DMZ

Article: TECH178325  |  Created: 2012-01-05  |  Updated: 2012-01-05
Article Type
Technical Solution


You are designing a Symantec Endpoint Protection architecture and want to know the best practices for installing either the SEPM or the SEP client inside a DMZ.



SEPM in the DMZ: Recommendations and considerations

DMZs are accessible from the Internet, so an attacker may attempt to gain access to the server running the SEPM through vulnerabilities in the operating system or in other software running on that server.  If successful, they might be able to access the SEP database, which contains information about every computer in the company's organization that is defended by SEP.  This includes each computer's IP address, computer name and SEP version (some older releases of SEP have known vulnerabilities), as well as which SEP clients have AutoProtect disabled and which clients have no firewall enabled.

For these reasons, Symantec recommends hardening the operating system on the server where Symantec Endpoint Protection Manager will be installed. One way to accomplish this is to install Symantec Critical System Protection. For more information about Critical System Protection, please see


Firewall Configuration (bi-directional):


Mandatory Firewall Ports:

TCP 1433: Default SQL Port 


Optional Firewall Ports:

TCP 334: RDP

TCP 9090: SEPM Remote Management Console


Replication Considerations:

By default, the first SEPM in a site is responsible for responding to and processing replication events from other sites.  If there are multiple SEPMs in a site, you can change this setting by editing the Replication Management Server List in the Replication Partner Properties in the Admin > Servers view.

  • If the SEPM in the DMZ is the first of multiple SEPMs in a site, Symantec recommends modifying the Replication Management Server List and nominating a different SEPM to process the replication events.

  • If the SEPM in the DMZ is the only SEPM in the Site, then port 8443 will need to be opened on the firewall.


SEP Clients in the DMZ

In this configuration, the Symantec Endpoint Protection Manager is behind the firewall, and the clients are in the DMZ.  Some customers prefer this configuration because it protects the SEPM behind the firewall.  It is also preferred in single-site configurations or in multiple-site environments where there is only one SEPM in this particular site and replication is enabled.  In this configuration only the SEP client communications ports need to be opened.


Firewall Configuration (bi-directional):

Refer to the Management Server List assigned to the client group to determine the communications port the SEP clients will use to communicate with the SEPM.  Default values are:


TCP 80 (MR2 and earlier)

TCP 8014 (MR3 and later)

TCP 443 (secure communications) 

NOTE: You may consider using non-standard ports for communication as another layer of protection.  This communications port is configurable in the Management Server List assigned to the client group.


Group Update Provider in the DMZ

If you place a Group Update Provider (GUP) in the DMZ you will also need to open port TCP 2967, inbound and outbound.
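
The following is an added example, not Symantec code: it audits a firewall ruleset against the "SEP Clients in the DMZ" and "Group Update Provider in the DMZ" sections above, reporting required flows that are missing and allowed flows the layout does not call for. The Rule model, the zone names "dmz" and "internal", and the sample rules are assumptions constructed for illustration; each direction is modeled as its own rule.

```python
from collections import namedtuple

# Hypothetical, simplified rule model (not any vendor's export format).
# src/dst are zone names, proto is "tcp"/"udp", action is "allow"/"deny".
Rule = namedtuple("Rule", "src dst proto port action")

GUP_PORT = 2967  # only needed when a Group Update Provider sits in the DMZ
ZONE_PAIRS = (("dmz", "internal"), ("internal", "dmz"))  # page: bi-directional


def expected_flows(client_port, gup_in_dmz):
    """Flows the page calls for when only SEP clients (and maybe a GUP) are in the DMZ."""
    ports = {client_port} | ({GUP_PORT} if gup_in_dmz else set())
    return {(s, d, "tcp", p) for p in ports for s, d in ZONE_PAIRS}


def audit(rules, client_port=8014, gup_in_dmz=False):
    """Return (missing, unexpected) flows between the DMZ and the internal zone.

    client_port must match the Management Server List assigned to the client
    group (page defaults: 80, 8014 or 443; a non-standard port is also valid).
    """
    want = expected_flows(client_port, gup_in_dmz)
    allowed = {(r.src, r.dst, r.proto, r.port) for r in rules
               if r.action == "allow" and (r.src, r.dst) in ZONE_PAIRS}
    return sorted(want - allowed), sorted(allowed - want)


# Constructed sample ruleset for illustration.
SAMPLE = [
    Rule("dmz", "internal", "tcp", 8014, "allow"),
    Rule("internal", "dmz", "tcp", 8014, "allow"),
    Rule("dmz", "internal", "tcp", 2967, "allow"),   # GUP, one direction only
    Rule("dmz", "internal", "tcp", 1433, "allow"),   # SQL: not needed in this layout
    Rule("dmz", "internal", "tcp", 445, "deny"),     # deny rules are ignored
]

if __name__ == "__main__":
    missing, unexpected = audit(SAMPLE, client_port=8014, gup_in_dmz=True)
    for flow in missing:
        print("MISSING   ", flow)
    for flow in unexpected:
        print("UNEXPECTED", flow)
```

An allowed flow reported as unexpected is a candidate for removal, since in this layout only the SEP client communications port (and TCP 2967 for a GUP) needs to be open.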
