SEPM 12.1.2 with Clients in DMZ Zone

Created: 12 Apr 2013 | 9 comments

We have several SEP clients in a DMZ zone (public facing). Our firewall group have given us the notification that our internal SEPM cannot communicate with the clients in the external DMZ. We have 2 firewalls to get through: internal | DMZ1 | DMZ2.

 

They want to see a "relay" (I'm thinking Group Update Provider?) in DMZ1 to distribute updates via our internal SEPM. Does the GUP provide the status of the clients it manages to the internal SEPM, or is it ONLY for providing content updates?

 

 

Thank you

_Brian:

The GUP can only provide content updates, nothing else at this time.

For additional reading, have you seen the articles for SEP in a DMZ?

 

Best Practices: Configuring a Symantec Endpoint Protection environment in a DMZ

Article:TECH178325  |  Created: 2012-01-05  |  Updated: 2012-01-05  |  Article URL http://www.symantec.com/docs/TECH178325

 

Security recommendations regarding SEP client installed on server located in DMZ

Article:TECH122858  |  Created: 2010-01-29  |  Updated: 2010-01-09  |  Article URL http://www.symantec.com/docs/TECH122858

 

Communication issues with SEP client installed in DMZ while the SEP Manager is outside DMZ

Article:TECH146736  |  Created: 2010-12-21  |  Updated: 2011-06-08  |  Article URL http://www.symantec.com/docs/TECH146736

 

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

fishnowworknever:

Thank you for the info.

 

I have read those articles; however, our policy states that any server in the external DMZ is not allowed to pass through both firewalls, so there must be some type of "relay".

 

Does SEPM 12 offer anything that will do this? I really don't want to have a bunch of unmanaged clients out on our DMZ and no way of knowing if they are out of date, compromised, etc.

 

 

_Brian:

You would need to put a SEPM in the DMZ to manage those clients.

fishnowworknever:

How about this scenario: I move our current SEPM server to DMZ1 (in between internal and DMZ2). This would act as a relay for both internal and external.

It would be on a completely different network, so I assume I would need to update the Sylink on all currently managed clients?

_Brian:

That can be done.

Helpful thread/advice with similar scenario and what to do:

http://www.symantec.com/connect/forums/change-ip-a...

Mithun Sanghavi:

Hello,

Please check this Thread: https://www-secure.symantec.com/connect/forums/server-dmz

and check this Article:

Updating downloads in an internal LiveUpdate Administrator 2.x Server using the downloads from an external LiveUpdate Server

http://www.symantec.com/docs/TECH106254

NOTE: The above Article applies to both SEP 11.x and SEP 12.1

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

fishnowworknever:

Here's what I am planning to do; please correct me if I'm wrong.

 

I have obtained an IP for DMZ1 and added that IP to the SML (Management Server List). All clients now have the updated SML.

 

My question is: is it OK for me to have added that IP under the same priority as the current server/IP? Or should I have made another priority and then added the server there?

 

I do not plan to spin up another SEPM; rather, I will just change the IP/domain on the current SEPM to the one I specified in the SML.

 

 

Thank you

Mithun Sanghavi:

Hello,

Please refer to the following article: http://www.symantec.com/docs/TECH104389

Add MACHINE_1 under Priority 2 and add MACHINE_2 under Priority 1, and assign this New Management Server List to all the groups.

To answer your question, the SEP clients contact the SEPM using the IP address.

So, as long as your client machines are able to contact the new server on the installation port and IP address of the server, the migration should be fine.

Secondly, just make sure that your DNS resolves the server name to the new IP after all. You can always try and bring it back to the old VLAN.

Hope that helps!!

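The last two replies hinge on two things: how a client walks the Management Server List (every server in priority 1 is tried before anything in priority 2, which is why the new DMZ1 address belongs in its own priority block during the cut-over), and that the client only needs a TCP path to the SEPM's communication port plus a DNS name that resolves to the new IP. The script below is an added example, not code from the thread or from Symantec. It parses a constructed server list whose element names (ServerList / ServerPriorityBlock / Server) are modelled on the SyLink layout but are an assumption, simulates the priority fall-through with a pluggable reachability check, and does the pre-cutover port and DNS checks against the hypothetical hostname sepm01.corp.example and IP 10.20.30.40 on the SEP 12.1 default client port 8014.

```python
"""Added example (not from the original thread): model how a SEP client walks a
Management Server List by priority, and pre-check that the new SEPM address in
DMZ1 is reachable before cutting the SEPM over to its new IP.
"""
import socket
import xml.etree.ElementTree as ET
from typing import Callable, List, Optional, Tuple

# Constructed sample, not an export from a real SEPM. Element names are an
# assumption modelled on the SyLink layout. The existing internal SEPM sits in
# priority 1, the planned DMZ1 address in priority 2 (as the last reply
# recommends); both use the SEP 12.1 default client communication port 8014.
SAMPLE_LIST = """<ServerList Name="Migration to DMZ1">
  <ServerPriorityBlock>
    <Server Address="sepm01.corp.example" HttpPort="8014" HttpsPort="443"/>
  </ServerPriorityBlock>
  <ServerPriorityBlock>
    <Server Address="10.20.30.40" HttpPort="8014" HttpsPort="443"/>
  </ServerPriorityBlock>
</ServerList>
"""

Server = Tuple[str, int]  # (address, port)


def parse_server_list(xml_text: str) -> List[List[Server]]:
    """Return servers grouped by priority block, in document order
    (first block = priority 1)."""
    root = ET.fromstring(xml_text)
    blocks: List[List[Server]] = []
    for block in root.findall("ServerPriorityBlock"):
        servers = [(s.get("Address"), int(s.get("HttpPort", "8014")))
                   for s in block.findall("Server")]
        blocks.append(servers)
    return blocks


def tcp_reachable(addr: str, port: int, timeout: float = 3.0) -> bool:
    """Real check: can this host open a TCP connection to the SEPM port?
    If this fails from a DMZ2 host, the firewall rule is the problem, not SEP."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def choose_server(blocks: List[List[Server]],
                  reachable: Callable[[str, int], bool] = tcp_reachable) -> Optional[Server]:
    """Mimic client failover: every server in priority block N is tried before
    any server in block N+1. Within one block a real client load-balances; here
    the first reachable entry is taken, which is enough to show why the new
    address should not share a block with the old one during migration."""
    for block in blocks:
        for addr, port in block:
            if reachable(addr, port):
                return (addr, port)
    return None


def dns_matches(hostname: str, expected_ip: str,
                resolver: Callable[[str], str] = socket.gethostbyname) -> bool:
    """Post-move check from the thread: the SEPM name must resolve to the new IP.
    A stale record sends clients to the old VLAN."""
    try:
        return resolver(hostname) == expected_ip
    except OSError:
        return False


if __name__ == "__main__":
    blocks = parse_server_list(SAMPLE_LIST)
    print("priority blocks:", blocks)
    print("client would talk to:", choose_server(blocks))
    print("DNS points at DMZ1 IP:", dns_matches("sepm01.corp.example", "10.20.30.40"))
```

Run it from a host in each zone (internal, DMZ1, DMZ2) before moving the SEPM: the `choose_server` result tells you which address that zone's clients will actually land on, and `dns_matches` catches the stale-record case the last reply warns about. The `reachable` and `resolver` parameters exist so the logic can be exercised offline with canned answers.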