Cloud Enabled Management, DMZ and Patch Management

Created: 06 Jan 2014 • Updated: 08 Jan 2014 | 4 comments
lko's picture
This issue has been solved. See solution.

I'm having a hard time getting a straight answer from Symantec Support, so I wanted to see if anyone here has set up SMP Patch Management in their internal network and is patching clients in a DMZ. And if so, what method did you choose to set this up?

I am on 7.5 and was told that I would need to configure Cloud Enabled Management, but I am unsure of what type of servers I will need in the DMZ to host this and if I need a Site Server in the DMZ also. And I'm having trouble wrapping my head around what servers I need, how they will communicate with my NS internally, and how the clients in the DMZ will get the patch information and data.

lko's picture

Thanks Anton, I actually have read both of these and I am still just as confused.  I don't want to configure Patch Management without Internet, I want to configure it with Internet.  And I am still reading through the CEM white paper, but I can't seem to wrap my head around what I want and what is available and how to do it.

Anton_Nejolov's picture

You don't need anything special to work in a CEM network.

but I am unsure of what type of servers I will need in the DMZ:

Windows Server 2008 R2 SP1 64-bit, .NET 3.5 SP1

if I need a Site Server in the DMZ also

No, you don't. The Internet site is automatically created in ITMS 7.5.

For more info about how to configure CEM and how it works, please try this webcast video: ITMS 7.5 Webcast - Learn About Cloud Enabled Management

 

SOLUTION
HighTower's picture

You don't need CEM to patch systems in your DMZ so long as the required ports and protocols are allowed in your ACLs.

Check this document for the Ports and Protocols required by 7.x:

http://www.symantec.com/business/support/index?page=content&id=HOWTO83503

However, CEM would allow you to create simpler firewall rules and you'd only need to configure enough for your Internet Gateway to communicate to your NS, and for your DMZ clients to communicate to the world.  Basically your DMZ clients would talk to the Internet, and the traffic makes a U-turn right back into the IG.