Endpoint Protection

  • 1.  Allow remote users to update to my SEPM over www

    Posted Aug 03, 2015 01:42 PM

    I have a few branch offices that do not have site to site VPN back to HQ.  I have a VPN client installed on the machines at these locations to allow them to connect when needed, which allows SEP clients to update as well. 

    I would like to allow the client machine at the remote locations to connect to my Endpoint Protection Manager over the internet.  By this, I mean connect over the public internet to my specific domain server, not to connect and download updates from Live Update.  I want the clients to connect directly to my company server. 

    From what I understand, I would simply need to create a firewall rule to route to my server, then point the remote offices to that address.  Example, create a firewall entry to point traffic from symantec.mycompany.com to the private IP address of my management server.  I would then need to point the clients to symantec.mycompany.com instead of the FQDN of the local server.

    My question is, are there some sort of security pieces in place to prevent non-SEP traffic from using port 8014?  I know that I can just open the port on the internet firewall, but if someone sniffs or injects on that port, is there a way that non-Symantec traffic will be rejected...

    I know where we deploy a new install, the management server builds an install package.  I am wondering if there is a security control within the package creation where it inserts a certificate or alpha-numeric string that is passed from client to server while the TCP connection is negotiated.  Even if it's using an HTTPS connection from client to server over the public internet, what safeguards are available to verify only valid traffic between a SEP client and manager is allowed through?

     



  • 2.  RE: Allow remote users to update to my SEPM over www

    Posted Aug 03, 2015 05:46 PM

    You need to look at putting a SEPM in the DMZ:

    Best Practices: Configuring a Symantec Endpoint Protection environment in a DMZ

    Security recommendations regarding SEP client installed on server located in DMZ

    You do have the option to use a cert/configure HTTPS.

    Aside from that there isn't anything else in place that I know of.

     

     



  • 3.  RE: Allow remote users to update to my SEPM over www

    Posted Aug 03, 2015 07:50 PM

    It is not possible to use a DNS record instead of an FQDN, at least for a SEPM. My recommendation is to use NAT (recently I suffered a similar issue).

    https://support.symantec.com/en_US/article.tECH93033.html

    About communication with clients:

    https://support.symantec.com/en_US/article.TECH210852.html

    Hope this will be useful.

    Regards



  • 4.  RE: Allow remote users to update to my SEPM over www

    Posted Aug 04, 2015 07:17 AM

    Sooo, as you're aware, there's the option of using HTTPS comms, but in addition to this each group's General Settings -> Security Settings, has the "Enable secure communications between management server and clients by using digital certificates for authentication" option enabled by default.

    It's this option that allows a SEPM to determine whether or not the client connecting is one of its own.

    While this setting (along with enabling HTTPS comms) is all well and good, I'd normally recommend enabling System Lockdown (or even installing DCS:SA!) on the SEPM if it's going to be exposed to the interwebs as a means to increase security.  No telling if new exploits are going to be discovered in Apache.



  • 5.  RE: Allow remote users to update to my SEPM over www

    Broadcom Employee
    Posted Aug 06, 2015 10:16 AM

    Hi,

    Symantec Endpoint Protection Manager uses an Apache web server to communicate with clients and provide reporting services. The web server uses HTTP for all communications. HTTP is an unencrypted protocol and does not provide for the confidentiality or integrity of the communications over it. You can configure the Symantec Endpoint Protection Manager Apache web server to use a Secure Sockets Layer (SSL) certificate to sign and encrypt data using an HTTPS connection.

    Setting up SSL communications between a Symantec Endpoint Protection Manager and the clients

    http://www.symantec.com/docs/HOWTO81056