How to allow Symantec Endpoint Protection clients in a remote location to be managed by a Symantec Endpoint Protection Manager that's behind a NAT device

Article:TECH93033  |  Created: 2009-01-23  |  Updated: 2009-01-24  |  Article URL http://www.symantec.com/docs/TECH93033
Article Type: Technical Solution

Issue

You have a handful of Symantec Endpoint Protection (SEP) clients in a remote location that is separated from your Symantec Endpoint Protection Manager (SEPM) by a network device (router or firewall) with Network Address Translation. You want those computers to be managed by SEPM.


Solution

Establishing a site-to-site VPN tunnel is the best option: it lets the SEP clients be managed like any other clients on the internal network. However, a site-to-site VPN tunnel is not always possible, and in some cases the risk of passing SEP management traffic over the external network may be acceptable. This document explains how to manage the remote clients without a site-to-site VPN tunnel.

1. Add a client group for the clients in the remote location.
2. Add a management server list that contains the external IP address of the NAT device and the port SEPM uses for client communication (by default TCP/8014 for MR3 and later versions).
3. Assign the management server list to the client group. Change the communication mode to pull mode and set the heartbeat interval appropriately.
4. Configure the NAT device to redirect traffic arriving on its external IP address and the port specified in task 2 to SEPM's internal IP address on the same port.
5. Copy the sylink.xml of the client group to the existing clients, or export a client install package for the group and deploy it to the computers.

Task 1: Add a client group for the clients in the remote location
    1. In the SEPM console, click Clients.
    2. Under View Clients, select the group to which you want to add a new subgroup.
    3. On the Clients tab, under Tasks, click Add Group.
    4. In the Add Group for group name dialog box, type the group name and a description.
    5. Click OK.
Task 2: Add a management server list
    1. In the console, click Policies.
    2. In the Policies page, under View Policies, click Policy Components > Management Server Lists.
    3. Under Tasks, click Add a Management Server List.
    4. In the Management Server Lists dialog box, in the Name text field, type a name for the management server list and an optional description.
    5. To specify which communication protocol to use between the management servers and the clients, select one of the following options:
      • Use HTTP protocol
      • Use HTTPS protocol. Use this option if you want management servers to communicate by using HTTPS and if the server is running Secure Sockets Layer (SSL).
    6. If you require verification of a certificate with a trusted third-party certificate authority, check Verify certificate when using HTTPS protocol.
    7. To add a server, click Add > New Server.
    8. In the Add Management Server dialog box, in the Server address text field, type the external IP address of the NAT device.
    9. If you are using a non-default port number for either the HTTP or HTTPS protocol for this server, do one of the following tasks:
      • Check Customize HTTP port number and enter a new port number. The default port number for the HTTP protocol is 8014 for MR3 and later.
      • Check Customize HTTPS port number and enter a new port number. The default port number for the HTTPS protocol is 443.
    10. Click OK.
Task 3: Assign the management server list to the group
    1. In the console, click Policies.
    2. In the Policies page, under View Policies, click Policy Components > Management Server Lists.
    3. In the Management Server Lists pane, select the management server list you created in task 2.
    4. Under Tasks, click Assign the List.
    5. In the Apply Management Server List dialog box, check the group you created in task 1.
    6. Click Assign.
    7. When you are prompted, click Yes.
Task 4: Configure the NAT device to redirect traffic
    Please consult your NAT device manual on how to perform this task.

Task 5: Copy sylink.xml
    1. In the Console, click Clients.
    2. In the View Clients column, select the group you created in task 1.
    3. Right-click the selected group, then click Export Communication Settings at the bottom of the drop-down menu.
    4. In the Export Communication Settings for group name dialog box, click Browse. The default location is My Documents.
    5. In the Select Export File dialog box, locate the folder to which you want to export the sylink.xml file, and click OK.
    6. In the Export Group Registration Setting for group name dialog box, select one of the following options:
      1. To apply the policies of the group of which the computer is a member, click Computer Mode.
      2. To apply the policies of the group of which the user is a member, click User Mode.
    7. Click Export.
      If the file name already exists, click OK to overwrite it, or Cancel to save the file with a new file name.
    8. Copy the file to the desktop of the computers in the remote location.
    9. Open the client interface on the computers in the remote location.
    10. Click Help and Support and select Troubleshooting.
    11. Click Import, browse to the .xml file exported from the manager, and click OK.
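Task 4 leaves the NAT configuration to the device manual. The following added example (not part of the original article) shows what that redirect looks like on one hypothetical NAT device, a Linux router using iptables: the external IP address, the SEPM internal IP address and the interface name are placeholders, and the port is the default TCP/8014 from task 2. It prints the rules by default and only applies them when run as root with APPLY=1.

```shell
#!/bin/sh
# Hypothetical NAT device: a Linux router using iptables. All addresses are placeholders.
EXT_IF="eth0"            # assumed: interface that carries the NAT device's external IP
EXT_IP="203.0.113.10"    # placeholder: external IP of the NAT device (the task 2 Server address)
SEPM_IP="192.168.10.5"   # placeholder: SEPM's internal IP address
SEPM_PORT="8014"         # default SEPM client-communication port (MR3 and later)

# Return 0 if $1 is a TCP port number in the range 1-65535, 1 otherwise.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Emit the iptables rules that redirect traffic arriving on ext_ip:port to sepm_ip:port.
# Arguments: external interface, external IP, SEPM internal IP, port. Returns 1 on a bad port.
build_nat_rules() {
  ext_if="$1"; ext_ip="$2"; sepm_ip="$3"; port="$4"
  valid_port "$port" || return 1
  # DNAT: rewrite the destination of inbound connections to SEPM's internal address, same port.
  # To limit exposure, the remote site's public address can be added with -s (assumed known).
  printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
    "$ext_if" "$ext_ip" "$port" "$sepm_ip" "$port"
  # FORWARD: permit only the translated flow; a default FORWARD policy of DROP and an
  # existing ESTABLISHED,RELATED accept rule for the return traffic are assumed.
  printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
    "$ext_if" "$sepm_ip" "$port"
}

# Dry run by default: print the rules. With APPLY=1 (as root) execute them instead.
build_nat_rules "$EXT_IF" "$EXT_IP" "$SEPM_IP" "$SEPM_PORT" | while IFS= read -r rule; do
  if [ "${APPLY:-0}" = "1" ]; then eval "$rule"; else echo "$rule"; fi
done
```

If a non-default port was chosen in task 2, set SEPM_PORT to that value so the redirect and the management server list agree.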

Legacy ID
2009032408115648