Endpoint Protection

  • 1.  Putting a SEP manager in the DMZ.

    Posted Mar 11, 2013 01:48 AM

    Hi All,

    I would like to find out the possibility of placing a SEP manager in the DMZ to manage the corporate clients not connecting to our corporate network.

    Has anyone tried this setup before?
    What is the risk involved?

    Regards
    TPanalyst 



  • 2.  RE: Putting a SEP manager in the DMZ.

    Posted Mar 11, 2013 02:06 AM

    Follow this document:

    http://www.symantec.com/connect/forums/sepm-dmz-deployment-best-practice

     

    Please check this Thread: https://www-secure.symantec.com/connect/forums/server-dmz

    Articles:

    Best Practices: Configuring a Symantec Endpoint Protection environment in a DMZ

    http://www.symantec.com/business/support/index?page=content&id=TECH178325

    Security recommendations regarding SEP client installed on server located in DMZ

    http://www.symantec.com/docs/TECH122858



  • 3.  RE: Putting a SEP manager in the DMZ.

    Broadcom Employee
    Posted Mar 11, 2013 02:58 AM

    Hi,

    I would like to share the following article with you.

    How to allow Symantec Endpoint Protection clients in a remote location to be managed by a Symantec Endpoint Protection Manager that's behind a NAT device

    http://www.symantec.com/docs/TECH93033

     



  • 4.  RE: Putting a SEP manager in the DMZ.

    Posted Mar 11, 2013 06:09 AM

    It will work fine; just make sure you only allow the necessary ports for access. This article is a good start:

    Best Practices: Configuring a Symantec Endpoint Protection environment in a DMZ

    Article:TECH178325  |  Created: 2012-01-05  |  Updated: 2012-01-05  |  Article URL http://www.symantec.com/docs/TECH178325

     



  • 5.  RE: Putting a SEP manager in the DMZ.

    Posted Mar 11, 2013 02:41 PM

    If your aim is only to update the roaming clients, you can define a combination of location awareness and a LiveUpdate policy instead of putting the SEPM in the DMZ.



  • 6.  RE: Putting a SEP manager in the DMZ.

    Posted Mar 12, 2013 09:59 AM

    Thanks guys for the info, I'll look into it.

    I would like not only to update the definitions, but also to update the policy and receive logs... as though the clients are within the network.



  • 7.  RE: Putting a SEP manager in the DMZ.
    Best Answer

    Posted Mar 12, 2013 01:19 PM

    You can have a SEPM in the DMZ for all roaming\WAN clients.

    Do you want this only to update definitions, or policies and other controls as well?

    Do you want this DMZ SEPM to be standalone or a replication partner of the production SEPM?

    You can put a SEPM in the DMZ as a replication partner of the production SEPM; you would need to open port 8443 between these SEPMs.

    Then add the FQDN or Public IP of the DMZ SEPM to the Management Server List. Then clients which are out of network will automatically be re-directed to DMZ SEPM.