
Firewall Ports

Updated: 21 May 2010 | 4 comments
Yobo

Dear Partner,

I have a customer who is interested in Symantec Endpoint. The Symantec Endpoint Protection Manager is located in the Production LAN.

There is a server in the DMZ that we want to be managed by Symantec Endpoint Protection. I've seen the technote but I'm not sure what the actual ports are.

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007090614430148

As this customer is a demanding customer, he wants the proper ports to be opened between the Symantec Endpoint Protection Manager, which is on the Production LAN, and the DMZ endpoint it manages.
Are these the only ports to be opened? By the way, what are Enforcers? I don't quite understand this.

Port Number | Port Type | Initiated by | Listening Process | Description
------------|-----------|--------------|-------------------|------------
80, 8014    | TCP       | SEP Clients  | svchost.exe (IIS) | Communication between the SEPM manager and SEP clients and Enforcers (8014 in MR3 and later builds, 80 in older).
443         | TCP       | SEP Clients  | svchost.exe (IIS) | Optional secured HTTPS communication between a SEPM manager and SEP clients and Enforcers.


Comments

Rafeeq, 24 Jul 2009

you need to open the communication

As you have read in the document, the communication port is the one that needs to be open on your DMZ.
This is the port you select while installing the manager;
if it's set to custom, it would be anything you decide, otherwise 8014 is present there by default.
If the client is able to communicate, it will take the policy and virus defs.
Enforcer is again a different product which can be integrated with SEPM.
You have Gateway, LAN and DHCP Enforcers.

about enforcers find it here

http://www.symantec.com/business/support/overview....

Hope this was helpful. Good day!

Please don't forget to mark your thread solved with whatever answer helped you : ) Rafeeq

Kaushal Suthar, 24 Jul 2009

Perhaps if the server is in the DMZ, you could leave the SEP client unmanaged on that server, because if you have SEPM on the default site with port 80, it would be inappropriate to punch holes in the DMZ firewall.

The unmanaged client can then be updated manually for definitions.

toko, 24 Jul 2009

Our SEPM box is inside with clients in DMZ

We are running SEP 11 MR4 with the management server on the inside. We have clients in DMZs.

We only use port 8014, initiated by the client. That means a rule on the DMZ interface from the client with a destination of the management server and TCP port 8014.

I like that much better than what had to be done for legacy products.
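
A boundary rule set matching the arrangement toko describes (only client-initiated TCP 8014 from the DMZ to the SEPM, nothing initiated from the LAN into the DMZ), written here as an added nftables example; it is not from the original thread, and the interface names and addresses are constructed placeholders.

```nftables
# Added example: DMZ/LAN boundary rules for SEP client -> SEPM traffic on TCP 8014.
# Interface names and addresses below are constructed placeholders, not values from the thread.
define dmz_if    = "dmz0"         # interface facing the DMZ segment
define lan_if    = "lan0"         # interface facing the production LAN
define dmz_net   = 10.20.0.0/24   # DMZ server subnet (placeholder)
define sepm      = 10.10.0.5      # SEPM manager address (placeholder)
define sepm_port = 8014           # SEPM communication port (MR3 and later default)

table inet dmz_boundary {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies belonging to connections that were already allowed.
        ct state established,related accept

        # The only new connection permitted DMZ -> LAN: a SEP client reaching the SEPM on TCP 8014.
        iifname $dmz_if oifname $lan_if ip saddr $dmz_net ip daddr $sepm tcp dport $sepm_port ct state new accept

        # Everything else crossing the boundary is logged, then dropped.
        # The log prefixes give the SOC a clear signal of unexpected DMZ egress or LAN -> DMZ attempts.
        iifname $dmz_if oifname $lan_if log prefix "dmz-to-lan-denied: " drop
        iifname $lan_if oifname $dmz_if ct state new log prefix "lan-to-dmz-new-denied: " drop
    }
}
```

If the SEPM is configured for the optional HTTPS channel (port 443 in the table above), widen the accept rule to `tcp dport { 8014, 443 }` rather than opening a second, broader rule.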

Bekir, 26 Jul 2009

As Kaushal says, I'd suggest not opening any ports from the DMZ to the intranet. This would be opening a hole and is against best practice. Of course, you may open the ports until you're done with testing your firewall policy for this server completely. A

For this situation I'd suggest you create a DMZ test group in the SEP Manager and create the policies you want to apply to this server. Assign the policies to this group, export an unmanaged package embedding this DMZ group's policies, and install the package locally on the server.

Best regards,
Bekir Burak Durmaz