Critical System Protection

Hi,

We are planning to install CSP agent on our client machines which is in outsdie of office network..

Our CSP server is setup inside our office network

So we would like to configure the clients to communicate with CSP server (Private Ip) over the internet.

Is there any best practice to configure CSP with natting device to manage the clients in the remote location?

Regards,

Sankara

Hi,

Just to share one more detail here

I found the below SEP document

How to allow Symantec Endpoint Protection clients in a remote location to be managed by a Symantec Endpoint Protection Manager that's behind a NAT device

http://www.symantec.com/docs/TECH93033

I am looking for the above similar document for CSP....Please advice if is there any best practice...

Thanks in advance.

Things I can think of:

1) Put a SCSP Manger in your DMZ that has internet facing 443

2) NAT the traffic to your SCSP manager by getting a static IP address and have the device forward 443/SSL traffic to your SCSP manager

3) Use a VPN concentrator to make a tunnel to get the CSP agent into the internal network and able to talk with the manager

That's the only thing that sprang to my mind too.  AFAIK, there is no similar article for CSP.

Perhaps log a support case with Symantec to investigate this further?

Thanks for the info shared.

One more thing to know is.. Do we need to add the external IP address of the NAT device in to CSP server?

if yes, can you help me on that?

Thanks

You should not need to, as long as the NAT device is intelligent enough to keep the sessions sorted out.

Thank you Chuck. I thought we have to do some configuration on CSP server, as we do it in Management server list on SEPM. so thats y i raised this question.

So its good to know that there is no change required on CSP server.

It's worth noting that the SCSP Server uses 1.0.0 OpenSSL so is not vulnerable to Heartbleed.  All the more relevant for OP as SCSP server will be in DMZ.

Thank you Alex,

One more thing..Do you have any document explains about OpenSSL 1.0.0 and how to use that with CSP?

Followers of this thread may be interested in attending Symantec's webcast on Tuesday the 29th.  The following blog post has all the details and a link to the registration page

The Heartbleed Bug: How to Protect Your Business
https://www-secure.symantec.com/connect/blogs/heartbleed-bug-how-protect-your-business

With thanks and best regards,

Mick

No no. All I did was find the openssl executable inside the csp directory, navigate a cmd shell to that directory and run the openssl -version command.