How does one configure SEPM 12.1 to manage 'out of network' computers?
I cannot find instructions in the Admin guide or anywhere else for my need. I will describe my need here.
First some background:
I have a corporate WAN (Windows Servers) with offices in varying parts of the US. These offices are networked back to the main office where the SEPM is located. Those clients are fine as far as being managed goes. They get policies changes/updates, if they get infected I receive an email, etc. Basically normal SEPM to SEP client environment.
But, I have over 100 computers that were in an office only for software installations before being deployed. They have the SEP 11.xx client or SEP 12.1 client on them with policies from the time of their initial software installations, but are not being managed by the SEPM because they are out of the office, not in the WAN, therefore are not networked back to the SEPM because they are not in the Windows Domain. They will never be part of the domain. They do have internet access but not to the Windows network. So, while they do ge their AV definitions via their internet connection, they don't get updated POLICIES, and if they get infected no email is sent to the SEPM, because the client cannot reach the SEPM. Many need upgrading from SEP 11 to SEP 12 and the SEPM cannot communicate with them. I have new policies that need to be installed. The SEPM is only available to communicate with f computers that are in the WAN I have mentioned.
I want to avoid manual exporting of policies at each client. The time it would take to physically touch each client is HUGE and I don't want to even try that. And anyway they need to be managed, even though they are outside the Windows network. Additionally, there are many existing domain SEP clients that are laptops and travel out of the office often. I want them to be managed as well via their internet connections when outside the Domain.
Now, for what I want to do with SEPM:
My question: Is is possible to set up the SEPM as, effectively, a public facing server through a DMZ, maybe even with a proxy server between the DMZ and the SEPM on my network to increase security; in order to manage these SEP client computers that are never in the network? I see instructions for Symantec reporting servers or additional servers in a DMZ, but I find no guidelines/instructions to set up what I have just described. Keep in mind there is no more IIS in SEP 12. It is Apache Tomcat which I am not familiar with.
I think it can work this way, conceptually: I wonder if anyone has tried this before with SEP. Here goes:
First of all my SEPM servers name is not the FQDN of the server, but only the host name. It appears I'll have to reinstall SEPM from scratch and make the server name the FQDN of the server. Recall this server is already managing clients in a Windows network. Then, after the reinstall, register the FQDN of this server as an MX record on the internet. Then setup the FQDN of the SEPM on a DMZ in one of my network engineers routers, maybe take the extra step of pointing the DMZ to a Proxy server. Then point the proxy server to my internal SEPM. Now that this path of communication is set up to reach the internal network SEPM from anywhere on the internet, the clients that have SEP 11 and SEP 12 installed hopefully will start to communicate? It's at this point I can update policies on those clients, upgrade the SEP 11.xx client to SEP 12, etc.
Does anyone know for sure if this can work? Or perhaps another way to set this up?