Endpoint Protection


Creating Sylink.XML for multiple SEP talking to SEPM in different zones ?

  • 1.  Creating Sylink.XML for multiple SEP talking to SEPM in different zones ?

    Posted Jan 30, 2013 11:08 PM

    Hi All,

    In order to reduce my confusion, can I actually create one single SYLINK.XML for all of my servers with the below settings:

    Internal Servers SEP Client reporting and managed by Internal SEPM server
    DMZ Servers SEP Client reporting and managed by DMZ SEPM server

    So irrespective of which server is deployed and installed with the SEP client, it can automatically report to the correct DMZ or internal SEPM respectively.



  • 2.  RE: Creating Sylink.XML for multiple SEP talking to SEPM in different zones ?

    Posted Jan 30, 2013 11:22 PM
    Hi, As per my knowledge, your Internal SEPM server and DMZ SEPM server have different IPs, so you have to create two sylink files, because sylink contains the IP address and the client will communicate with the IP address which is in sylink.XML. Regards, Zafar


  • 3.  RE: Creating Sylink.XML for multiple SEP talking to SEPM in different zones ?

    Posted Jan 30, 2013 11:26 PM

    Hi,

    Is your SEPM AD integrated?

    If not, maybe you can create a sylink.xml with all SEP clients showing in that particular group.



  • 4.  RE: Creating Sylink.XML for multiple SEP talking to SEPM in different zones ?

    Broadcom Employee
    Posted Jan 30, 2013 11:27 PM
    I do not think it can be done. The SEPMs have to be replicating; then sylink can be used. However, again, the Management Server List needs to be set so that clients report to the priorities defined in it, so it will be a different sylink.


  • 5.  RE: Creating Sylink.XML for multiple SEP talking to SEPM in different zones ?

    Posted Jan 31, 2013 12:19 AM

    Yes, the internal SEPM is of course AD integrated, as is evident from the account that I'm logged in with; it is using my AD account password.

    But the DMZ servers and the SEPM in the DMZ are not AD integrated.



  • 6.  RE: Creating Sylink.XML for multiple SEP talking to SEPM in different zones ?

    Posted Jan 31, 2013 12:21 AM

    Many thanks for the response Zafar,

    I don't know who set it up before me (my predecessors), but I see that one of the Sylink.XML files has multiple SEPMs with priority 1, 2 and 3 in the XML element.

    Are they rotated in round-robin style?



  • 7.  RE: Creating Sylink.XML for multiple SEP talking to SEPM in different zones ?

    Posted Jan 31, 2013 12:22 AM

    Thank you for your clarification, Pete. So in this case it is not possible to create one Sylink.XML which contains all SEPM servers in all the different domains?

     



  • 8.  RE: Creating Sylink.XML for multiple SEP talking to SEPM in different zones ?

    Broadcom Employee
    Posted Jan 31, 2013 12:31 AM
    You have all the SEPMs' certificates in one sylink file if they are replicating or load balanced. However, as per your requirement, you want to have clients connect to their respective location's SEPM. If that's the case, the sylink has to be different, with the priorities defined. Do you have SNAC?


  • 9.  RE: Creating Sylink.XML for multiple SEP talking to SEPM in different zones ?

    Posted Jan 31, 2013 02:29 AM

    Hi Pete,

    Replication: Yes I have set both SEPM to replicate each other between Internal and DMZ

    SNAC: not yet implemented, but soon to be for the Internal only, not DMZ

    I've seen that the SYLINK.XML in my DMZ servers got

    Priority 1: connect to SEPM Internal FQDN

    Priority 2: connect to SEPM DMZ IP address

    Priority 3: connect to SEPM Internal IP address 

     



  • 10.  RE: Creating Sylink.XML for multiple SEP talking to SEPM in different zones ?

    Posted Jan 31, 2013 02:36 AM

    Hello John,

    It may be possible if failover/load balancing or replication is configured between the SEPMs.

    Check the MSL configuration on both SEPMs.

    Or else you need to create two Sylink.xml files.

     



  • 11.  RE: Creating Sylink.XML for multiple SEP talking to SEPM in different zones ?

    Broadcom Employee
    Posted Jan 31, 2013 02:39 AM
    You may need to edit/add the MSL accordingly and apply it to the clients so that they know which SEPM to communicate with. Also, when exporting a new package, use the policy from the said group so that the client knows which group to communicate with and which policy to take. Hope this helps.


  • 12.  RE: Creating Sylink.XML for multiple SEP talking to SEPM in different zones ?

    Posted Jan 31, 2013 02:44 AM

    Hi John,

    "So irrespective whichever the server is deployed and installed with the SEP client, it can automatically report to the correct DMZ or internal SEPM respectively" --> Yes, it's correct with the info given above.

    You can change the MSL if required.



  • 13.  RE: Creating Sylink.XML for multiple SEP talking to SEPM in different zones ?

    Posted Jan 31, 2013 04:06 AM
    Hi, Agreed with Pete. Could you please tell me the architecture of your environment? If you have installed SEPM with AD integration, the client will automatically move to the respective OU.


  • 14.  RE: Creating Sylink.XML for multiple SEP talking to SEPM in different zones ?

    Posted Feb 03, 2013 07:45 PM

    Hi Zafar,

    Yes, the AD integration is just for the login authentication. Once the SEP client reports in, I have to manually move it into the correct group by right-clicking.



  • 15.  RE: Creating Sylink.XML for multiple SEP talking to SEPM in different zones ?

    Posted Feb 03, 2013 07:45 PM

    Pete,

    May I know how and where I can edit the MSL list?



  • 16.  RE: Creating Sylink.XML for multiple SEP talking to SEPM in different zones ?

    Broadcom Employee
    Posted Feb 03, 2013 09:47 PM

    If it is the default MSL, you cannot edit it.

    Check this link for configuring the MSL:

    http://www.symantec.com/docs/HOWTO81154

     



  • 17.  RE: Creating Sylink.XML for multiple SEP talking to SEPM in different zones ?

    Posted Feb 03, 2013 11:48 PM

    Many thanks for the clarification Pete,

    Now I know that the MSL is the way to prioritize / load balance the SEP clients connecting to the SEPMs in the same subnet without any firewall in place.

    But in my case both SEPM servers are in different subnets and there is a firewall between the Internal and the DMZ, so I guess creating one MSL to be used by the DMZ SEP clients is impossible, because the next available SEPM in the list is in a different network zone protected by a firewall.



  • 18.  RE: Creating Sylink.XML for multiple SEP talking to SEPM in different zones ?
    Best Answer

    Broadcom Employee
    Posted Feb 04, 2013 12:03 AM

    In that case you need to allow the SEPM port on the firewall, by default 8014. If you don't, the client won't connect to the other location's SEPM.
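
The check that the last two posts point to, as an added example that is not part of the original thread or Symantec's own tooling: list the management servers in a Sylink.xml in priority order and report which ones the client cannot reach over TCP, which is what happens when a firewall between zones does not allow the SEPM port. The element and attribute names (`ServerPriorityBlock`, `Server`, `Address`, `HttpPort`) are assumptions about the file layout, and the hostnames and addresses are constructed placeholders.

```python
import socket
import xml.etree.ElementTree as ET

# Constructed sample mirroring the DMZ client's list described in the thread.
# Element/attribute names are assumptions about the Sylink.xml layout; the
# hostname and addresses are placeholders, not values from the thread.
SAMPLE_SYLINK = """<ServerSettings>
  <CommConf>
    <ServerList Name="DMZ list (constructed)">
      <ServerPriorityBlock Name="Priority1">
        <Server Address="sepm-internal.example.local" HttpPort="8014"/>
      </ServerPriorityBlock>
      <ServerPriorityBlock Name="Priority2">
        <Server Address="192.0.2.10" HttpPort="8014"/>
      </ServerPriorityBlock>
      <ServerPriorityBlock Name="Priority3">
        <Server Address="10.0.0.10" HttpPort="8014"/>
      </ServerPriorityBlock>
    </ServerList>
  </CommConf>
</ServerSettings>"""


def management_servers(sylink_xml):
    """Return [(priority_rank, address, port)] in the order the file lists them."""
    root = ET.fromstring(sylink_xml)
    servers = []
    for rank, block in enumerate(root.iter("ServerPriorityBlock"), start=1):
        for srv in block.iter("Server"):
            port = int(srv.get("HttpPort", "8014"))  # 8014: default named in the thread
            servers.append((rank, srv.get("Address"), port))
    return servers


def tcp_open(address, port, timeout=3.0):
    """True if a TCP connection to address:port succeeds from this host."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or name did not resolve
        return False


def blocked_entries(sylink_xml, probe=tcp_open):
    """Entries this client cannot reach, still in priority order."""
    return [s for s in management_servers(sylink_xml) if not probe(s[1], s[2])]


if __name__ == "__main__":
    for rank, addr, port in blocked_entries(SAMPLE_SYLINK):
        print(f"priority {rank}: {addr}:{port} unreachable (firewall rule or DNS?)")
```

Run it on a DMZ host against that host's own Sylink.xml: a priority 1 entry that shows as unreachable means the client has to fall through to a lower priority before it can check in.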