Endpoint Protection

  • 1.  Firewall ports for SEPM access by DMZ machines

    Posted Nov 09, 2014 12:17 AM


    SEPM access needs to be opened for DMZ machines, what is/are the ports required to be opened?



  • 2.  RE: Firewall ports for SEPM access by DMZ machines

    Posted Nov 09, 2014 01:26 AM
    Firewall Configuration (bi-directional):

    Mandatory Firewall Ports:

    TCP 1433: Default SQL Port

    Optional Firewall Ports:

    TCP 334: RDP

    TCP 9090: SEPM Remote Management Console

    Best Practices: Configuring a Symantec Endpoint Protection environment in a DMZ
    http://www.symantec.com/docs/TECH178325

    Security recommendations regarding SEP client installed on server located in DMZ
    http://www.symantec.com/docs/TECH122858


  • 3.  RE: Firewall ports for SEPM access by DMZ machines



  • 4.  RE: Firewall ports for SEPM access by DMZ machines

    Broadcom Employee
    Posted Mar 12, 2015 05:16 AM

    Hi,

    Thank you for posting in Symantec community.

    SEPM in the DMZ: Recommendations and considerations

    DMZs are accessible from the Internet, so it is possible for someone to attempt to access (hack) into the server system that is running the SEPM through other vulnerabilities in the OS or other software running on that server. If successful, they might be able to access the SEP database, which contains information about every computer in the company's organization that is defended by SEP. This includes the IP address, computer name and SEP version they are running (some older releases of SEP have known vulnerabilities), or which SEP clients have AutoProtect disabled, or which clients have no firewall enabled.

    For these reasons, Symantec recommends hardening the operating system on the server where Symantec Endpoint Protection Manager will be installed. One way to accomplish this is to install Symantec Critical System Protection. For more information about Critical System Protection, please see http://www.symantec.com/business/critical-system-protection

    Firewall Configuration (bi-directional):

    Mandatory Firewall Ports:

    TCP 1433: Default SQL Port 

    Optional Firewall Ports:

    TCP 334: RDP

    TCP 9090: SEPM Remote Management Console

    Replication Considerations:

    By default, the first SEPM in a site is responsible for responding to and processing replication events from other sites.  If there are multiple SEPMs in a site, you can change this setting by editing the Replication Management Server List in the Replication Partner Properties in the Admin > Servers view.

    • If the SEPM in the DMZ is the first of multiple SEPMs in a site, Symantec recommends modifying the Replication Management Server List and nominating a different SEPM to process the replication events.

    • If the SEPM in the DMZ is the only SEPM in the Site, then port 8443 will need to be opened on the firewall.
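As an added example (not part of the thread and not Symantec's or Broadcom's code), the script below turns the port list from replies 2 and 4 into a planning and verification helper: it assembles the set of TCP ports to open (mandatory, optional, and port 8443 only when the DMZ SEPM is the sole SEPM in its site), renders the matching inbound and outbound Windows Firewall `netsh advfirewall` rules, and probes each port from the DMZ host to confirm the firewall change actually took effect. The SEPM hostname, the rule names and the `dmz_sepm_is_only_in_site` flag are assumptions for illustration; the port numbers are taken from the thread as written.

```python
"""Plan, render and verify the firewall ports a DMZ host needs to reach a SEPM.

Port numbers come from the thread above. Hostnames and rule names are
illustrative assumptions, not values from the thread.
"""
import socket

# Ports listed in the thread (reply 2 and the Broadcom reply 4).
MANDATORY_PORTS = {1433: "Default SQL port"}
# The thread lists 334 for RDP; RDP's IANA-registered port is 3389, so confirm
# the number against your own environment before applying a rule for it.
OPTIONAL_PORTS = {334: "RDP (as listed in the thread)",
                  9090: "SEPM remote management console"}
REPLICATION_PORT = 8443  # needed only if the DMZ SEPM is the only SEPM in the site


def plan_firewall_ports(include_optional: bool, dmz_sepm_is_only_in_site: bool) -> dict:
    """Return {port: purpose} for the bi-directional rules the thread describes."""
    ports = dict(MANDATORY_PORTS)
    if include_optional:
        ports.update(OPTIONAL_PORTS)
    if dmz_sepm_is_only_in_site:
        # Replication events land on this SEPM, so 8443 must be reachable.
        ports[REPLICATION_PORT] = "SEPM replication (only SEPM in the site)"
    return ports


def windows_firewall_commands(ports: dict, rule_prefix: str = "SEPM-DMZ") -> list:
    """Render one inbound and one outbound netsh rule per port (bi-directional).

    rule_prefix is an assumed naming convention, not one from the thread.
    """
    commands = []
    for port, purpose in sorted(ports.items()):
        for direction in ("in", "out"):
            commands.append(
                f'netsh advfirewall firewall add rule name="{rule_prefix} {port} {direction}" '
                f'dir={direction} action=allow protocol=TCP localport={port} '
                f'description="{purpose}"'
            )
    return commands


def probe_port(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes within timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def check_sepm_access(host: str, ports: dict, timeout: float = 2.0) -> dict:
    """Probe every planned port from this host; returns {port: reachable}."""
    return {port: probe_port(host, port, timeout) for port in sorted(ports)}


def unreachable_ports(results: dict, ports: dict) -> list:
    """Ports that are planned but did not answer, i.e. rules still missing."""
    return [port for port, ok in results.items() if not ok and port in ports]


if __name__ == "__main__":
    SEPM_HOST = "sepm.example.internal"  # assumed hostname
    plan = plan_firewall_ports(include_optional=True, dmz_sepm_is_only_in_site=True)
    for cmd in windows_firewall_commands(plan):
        print(cmd)
    results = check_sepm_access(SEPM_HOST, plan)
    for port, ok in results.items():
        print(f"TCP {port:<5} {plan[port]:<40} {'open' if ok else 'BLOCKED'}")
    missing = unreachable_ports(results, plan)
    print("missing rules for ports:", missing if missing else "none")
```

Run the probe from the DMZ host itself, since a rule that looks correct on the SEPM side can still be blocked by an intermediate firewall; a port reported as BLOCKED for the SEPM's own listener is the one to chase before opening anything further.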