Endpoint Protection

  • 1.  Deploying SEP 12.x into a DMZ

    Posted Oct 29, 2014 11:50 AM

    I have tried searching.  Anytime I mention Cisco, I get references to UCS or ACS.  If I mention firewall, I get Windows and SEP Firewall.

    Here's what we're doing:  We are creating a new DMZ architecture, with Cisco ASAs in between the LAN and the DMZ.  The DMZ servers will be in their own AD domain.  Since the SEP services will vary greatly, I also created a new Domain in the SEPM.  I need to determine the best SEP and firewall configuration for this.  Primarily, I'm talking about being able to manage the SEP clients in the DMZ using SEPM inside the LAN.  So...

    On the SEP side, we created the domain, and an install package for it, saved on a server designated a DMZ management server.  SEP has that management server designated as a GUP.

    So on the firewall side, that GUP needs what rules on the ASA in order to communicate with the SEPM?  I think it needs TCP 8014, for SEP/SEPM communications.  TCP and UDP 2967 for SEPM/GUP communications.  TCP 443 to the SEPM.  LiveUpdate will not permit access to Symantec.  Only via the SEPM.

    Is that right for the GUP?  What permissions do SEP clients in the DMZ domain need in order to have full functionality?  Do they need any permissions direct to the SEPM?  It seems to me that the SEP clients need 8014 to the SEPM so that they can register with the SEPM and download the policies, like the GUP setting.  Or have I misread, and that's included in the install package I created on the SEPM?

    My fellows on the Security team who concentrate on the ASA firewalls complain that opening these ports for all DMZ servers to allow SEP communication is breaking the whole reason for having the servers in the DMZ.  Am I misunderstanding?  Is there a document that can give me better guidance on what I absolutely need, and what I can tighten down when it comes to the interaction between these DMZ servers and the SEPM?



  • 2.  RE: Deploying SEP 12.x into a DMZ
    Best Answer

    Posted Oct 29, 2014 12:05 PM

    These should help you out, yeah those ports need to be open 

    Best Practices: Configuring a Symantec Endpoint Protection environment in a DMZ

    http://www.symantec.com/business/support/index?page=content&id=TECH178325



  • 3.  RE: Deploying SEP 12.x into a DMZ
    Best Answer



  • 4.  RE: Deploying SEP 12.x into a DMZ

    Posted Oct 29, 2014 01:09 PM

    Thumbs up to the above posts.  Very helpful info!

    My two pence is:

    1. Yes, if you want to manage clients in the DMZ from an internal SEPM, then you'll need to open up port 8014 from the DMZ endpoints to the internal SEPM.  You won't need to worry about the GUP port as that traffic is internal to the DMZ.
    2. The point of the DMZ is to act as a layer of abstraction between external parties and your internal resources.  Therefore, allowing endpoints out on the internet to get through to the internal SEPM would invalidate the point of a DMZ.  Allowing endpoints in the DMZ to access an internal SEPM would not.  That said, the more you open up, the more vulnerable you are, so I understand their concerns.
    3. As mentioned in the articles linked by Rafeeq and Brian, an option would be to pop a SEPM replication partner in the DMZ.  That way the endpoints in the DMZ communicate with the DMZ SEPM only, and only the DMZ SEPM talks to the Internal SEPM (over port 8443 by default).
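    As an added illustration (not part of any reply above, and not Symantec's or Cisco's own documentation), here is how the minimal rule set described in points 1 to 3 could look as a Cisco ASA access list on the DMZ interface: only TCP 8014 from the DMZ servers to the internal SEPM is permitted, the GUP port stays inside the DMZ, and the TCP 8443 replication rule is included commented out for the alternative of a SEPM replication partner in the DMZ. All addresses and object names are placeholders chosen for the example.

```cisco
! Added example, not from the thread. Addresses and names are placeholders.
object network SEPM_INTERNAL
 host 10.0.10.20
 description Internal SEPM (placeholder address)
object network DMZ_SERVERS
 subnet 192.168.50.0 255.255.255.0
 description DMZ server segment, includes the GUP (placeholder range)
!
object-group service SEP_CLIENT_TO_SEPM tcp
 description Client and GUP heartbeat / policy download to SEPM (default TCP 8014)
 port-object eq 8014
object-group service SEPM_REPLICATION tcp
 description Only if a replication-partner SEPM is placed in the DMZ (default TCP 8443)
 port-object eq 8443
!
! Point 1: DMZ endpoints (and the GUP) register with and pull policy from the internal SEPM.
access-list DMZ_IN extended permit tcp object DMZ_SERVERS object SEPM_INTERNAL object-group SEP_CLIENT_TO_SEPM
!
! GUP content distribution (TCP 2967) is DMZ-to-DMZ and never crosses the ASA, so no rule.
!
! Point 3 alternative: replace the 8014 rule with one line from the DMZ SEPM only,
! e.g. "access-list DMZ_IN extended permit tcp host <DMZ_SEPM> object SEPM_INTERNAL object-group SEPM_REPLICATION"
!
! Point 2: everything else from the DMZ toward the inside is denied and logged,
! so the 8014 opening is the only path back to the LAN and it is auditable.
access-list DMZ_IN extended deny ip object DMZ_SERVERS any4 log
access-group DMZ_IN in interface dmz
```

    The deny-with-log line is what answers the firewall team's concern in the original post: the rule set exposes one port from a defined server range to one host, and every other DMZ-to-inside attempt produces a syslog entry to review.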


  • 5.  RE: Deploying SEP 12.x into a DMZ

    Posted Oct 29, 2014 04:07 PM

    Thanks, all.

    I knew those documents had to exist.

    We went back and forth several times over whether to install a SEPM in the DMZ.  In the end, we wanted to keep the architecture as simple as possible, and using the DMZ's management server as a GUP seemed better than as a SEPM (considering all the other management tools that are being installed there).