
Deploying SEP client in remote DMZ area?

Created: 29 Aug 2012 • Updated: 04 Sep 2012 | 9 comments
This issue has been solved. See solution.

Hi,

What port do I need to open to be able to successfully push install the SEP client to all of my DMZ clients?

Installing 100+ SEP clients by remote desktoping into the servers one by one is not what my manager wants :-|


Ashish-Sharma:

Firewall Configuration (bi-directional):

Mandatory Firewall Ports:

TCP 1433: Default SQL Port 

Optional Firewall Ports:

TCP 334: RDP

TCP 9090: SEPM Remote Management Console

Firewall Configuration (bi-directional):

Refer to the Management Server List assigned to the client group to determine the communications port the SEP clients will use to communicate to the SEPM.  Default values are:

TCP 80 (MR2 and earlier)

TCP 8014 (MR3 and later)

TCP 443 (secure communications) 

NOTE: You may consider using non-standard ports for communication as another layer of protection.  This communications port is configurable in the Management Server List assigned to the client group.

Push deployment port that needs to be open

TCP 139 and 445 on management servers and clients

UDP 137 and 138 on management servers and clients

TCP ephemeral ports on management servers and clients

Overview of Push Deployment Wizard in Symantec Endpoint Protection 12.1

https://www-secure.symantec.com/connect/articles/overview-push-deployment-wizard-symantec-endpoint-protection-121

Symantec Endpoint Protection 12.1: Installing the Manager for the first time and deploying clients

http://www.symantec.com/business/support/index?page=content&id=TECH163580

Check this article.

http://www.symantec.com/business/support/index?page=content&id=TECH92051&locale=en_US

 

Best Practices: Configuring a Symantec Endpoint Protection environment in a DMZ

http://www.symantec.com/docs/TECH178325 

 

http://www.symantec.com/connect/articles/sep-121-best-practice-license-other-articles

Thanks In Advance

Ashish Sharma
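As an added example, not taken from this thread or from Symantec, here is a PowerShell pre-flight check for the ports listed above, so the missing firewall rules can be found before the push is attempted. It assumes placeholder hostnames (`sepm-dmz01.example.local` and the `dmz-web*` servers) and a hypothetical `Test-TcpPort` helper built on `System.Net.Sockets.TcpClient`, which also works on older hosts that lack `Test-NetConnection`. Note that it only tests TCP; the UDP 137/138 rules can only be confirmed on the firewall itself.

```powershell
# Added example (not from the thread or from Symantec). Hostnames are placeholders.
param(
    # The SEPM that will run the Push Deployment Wizard (placeholder name)
    [string]$Sepm = 'sepm-dmz01.example.local',
    # DMZ servers that should receive the client (placeholder names)
    [string[]]$DmzServers = @('dmz-web01.example.local', 'dmz-web02.example.local'),
    # 'Push': run on the SEPM, checks TCP 139/445 towards each DMZ server
    # 'Client': run on a DMZ server, checks the client-to-SEPM port (8014 by default, 443 if secure)
    [ValidateSet('Push', 'Client')][string]$Direction = 'Push',
    [int]$ClientCommPort = 8014
)

# Hypothetical helper: TCP connect with a timeout, returns $true if the port answers.
# Uses TcpClient directly so it also runs on PowerShell 2.0 / Server 2008 hosts.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # timed out (filtered)
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Build the list of (target, port) pairs for the chosen direction.
$checks = switch ($Direction) {
    'Push'   { foreach ($s in $DmzServers) { foreach ($p in 139, 445) { @{ Target = $s; Port = $p; Role = 'push deployment (SMB/NetBIOS)' } } } }
    'Client' { @{ Target = $Sepm; Port = $ClientCommPort; Role = 'client-to-SEPM communication' } }
}

$results = foreach ($c in $checks) {
    New-Object PSObject -Property @{
        Target = $c.Target
        Port   = $c.Port
        Role   = $c.Role
        Open   = Test-TcpPort -ComputerName $c.Target -Port $c.Port
    }
}

$results | Format-Table Target, Port, Role, Open -AutoSize

# Every row with Open = False is a firewall rule still missing for that direction.
$results | Where-Object { -not $_.Open } | ForEach-Object {
    Write-Warning ("{0}: TCP {1} blocked ({2})" -f $_.Target, $_.Port, $_.Role)
}
Write-Host "Reminder: UDP 137/138 for push deployment cannot be tested this way; verify the firewall rule directly."
```

Run it once on the SEPM with the default `-Direction Push`, then once on one of the DMZ servers with `-Direction Client` (and `-ClientCommPort 443` if the Management Server List uses secure communications), so both directions of the traffic described above are confirmed.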

 

 

Leo Young:

As I know, you should open 139/445 inbound on the client side and 139/445 outbound on the server side.

John Santana:

OK, so it means that it uses SAMBA as the communication port.

However, since we have already deployed several hundred servers in the DMZ, opening the SAMBA port into the internal network is not an option, so is there any other way to open it up?

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

Leo Young:

Why? Is it hard for you to configure the firewall to open the ports? Your SEPM is in the internal network and your other servers are in the DMZ; between them is a firewall, and you just need to open the ports from the internal network outbound to the DMZ. Will it cause any security issue to your internal network? I don't think so.

Or do your servers in the DMZ have a built-in firewall already configured to forbid 139/445 inbound, so that if you want to open the ports, you have to configure the servers one by one?

John Santana:

Leo,

As per the security best practice, yes, you are right, the internal SEPM should not be accessed by the clients in the DMZ. Now I understand that within the DMZ server VLAN, the DMZ SEPM should be able to push it to the DMZ clients with port 445 :-)

The only problem is that the local administrator is different for each server :-(

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

Leo Young:

It will be much better than using remote desktop to install these servers one by one, won't it? :-)

Mithun Sanghavi:

Hello,

Please check this Thread: https://www-secure.symantec.com/connect/forums/server-dmz

and check these Articles:

Best Practices: Configuring a Symantec Endpoint Protection environment in a DMZ

http://www.symantec.com/business/support/index?page=content&id=TECH178325

Security recommendations regarding SEP client installed on server located in DMZ

http://www.symantec.com/docs/TECH122858

Communication issues with SEP client installed in DMZ while the SEP Manager is outside DMZ

http://www.symantec.com/docs/TECH146736

Updating downloads in an internal LiveUpdate Administrator 2.x Server using the downloads from an external LiveUpdate Server

http://www.symantec.com/docs/TECH106254

NOTE: The above articles apply to both SEP 11.x and SEP 12.1.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

SOLUTION
mon_raralio:

I was also wondering about having a separate SEPM in the DMZ for the DMZ servers, assuming that there are quite a lot to manage, and having that SEPM load-balance to the SEPM server in the intranet.

“Your most unhappy customers are your greatest source of learning.”

John Santana:

Thanks Mithun for the links :-)

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.