Endpoint Protection

  • 1.  SEPM in a DMZ

    Posted Mar 15, 2014 10:51 AM

    I'm looking for Symantec's take on placing a SEPM in a DMZ in order to manage remote clients. This will be for roughly ~200 SEP clients which come and go from the corporate network. When they go off the network, I want them to move over to the SEPM in the DMZ so that we still have visibility of them and can manage accordingly.

    We are on 12.1.4a and this is a new requirement so I want to get this right. I'm just looking for what port(s) are needed and other recommendations provided by Symantec.



  • 2.  RE: SEPM in a DMZ
    Best Answer

    Posted Mar 15, 2014 10:51 AM

    Start with these and let me know if you have questions:

    Best Practices: Configuring a Symantec Endpoint Protection environment in a DMZ

    http://www.symantec.com/docs/TECH178325

    Security recommendations regarding SEP client installed on server located in DMZ

    http://www.symantec.com/docs/TECH122858

    Communication issues with SEP client installed in DMZ while the SEP Manager is outside DMZ

    http://www.symantec.com/docs/TECH146736

    Critical System Protection

    http://www.symantec.com/critical-system-protection



  • 3.  RE: SEPM in a DMZ

    Posted Mar 15, 2014 11:08 AM

    check this

    Once you place the SEPM in the DMZ, you need to create a Management Server List (external IP), assign that to remote clients, and add a location-specific condition so that they can switch over to this SEPM when they are off network.

    How to allow Symantec Endpoint Protection clients in a remote location to be managed by a Symantec Endpoint Protection Manager that's behind a NAT device


    http://www.symantec.com/business/support/index?page=content&id=TECH93033



  • 4.  RE: SEPM in a DMZ

    Posted Mar 16, 2014 12:09 AM

    Ports used for a SEPM in the DMZ

    Firewall Configuration (bi-directional):

    Mandatory Firewall Ports:

    TCP 1433: Default SQL Port

    Optional Firewall Ports:

    TCP 334: RDP

    TCP 9090: SEPM Remote Management Console


    SEP Configuration for DMZ Servers

    https://www-secure.symantec.com/connect/articles/sep-configuration-dmz-servers



  • 5.  RE: SEPM in a DMZ

    Posted Mar 16, 2014 09:30 AM

    Hello,

    Best Practices: Configuring a Symantec Endpoint Protection environment in a DMZ

    http://www.symantec.com/business/support/index?page=content&id=TECH178325&profileURL=https%3A%2F%2Fsymaccount-profile.symantec.com%2FSSO%2Findex.jsp%3FssoID%3D13949764509257qSSuWRH8A1vUUTwBdwjWdF5QW3B098Bmy3et

    https://www-secure.symantec.com/connect/forums/what-ports-needs-openning-dmz-servers-be-managed

    https://www-secure.symantec.com/connect/forums/firewall-ports-push-deployment

    Security recommendations regarding SEP client installed on server located in DMZ

    Communication issues with SEP client installed in DMZ while the SEP Manager is outside DMZ

    http://www.symantec.com/docs/TECH146736




  • 6.  RE: SEPM in a DMZ

    Posted Mar 17, 2014 04:52 AM

    Thumbs up to the above posts.

    My own notes on having done this before a few times:

    1. I find most customers requiring management of external endpoints prefer to have that traffic encrypted, so check out the below article:
      http://www.symantec.com/docs/TECH162326
    2. The MSL telling clients to connect to the externally resolvable address on 443 should be assigned to an external location so that clients only use it when out of the office.
    3. For this external location (in addition to telling clients to use the external address over 443), you will probably want to tell the clients to grab defs from Symantec LiveUpdate (to save on your own WAN bandwidth).
    4. As you can tell from point 2, you'd likely need to open up port 443 from the Internet to the SEPM in the DMZ for the clients to check in.
    5. The ports from the DMZ SEPM to the internal network will depend on your setup. If connecting to an internal SQL server, then it'll be whatever port the instance is listening on (typically 1433), or if replicating with an internal SEPM then it's port 8443.
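The port flows listed in posts 4 and 6 above (443 for roaming clients checking in to the DMZ SEPM, 1433 to an internal SQL instance, 8443 for SEPM-to-SEPM replication, 9090 for the remote console) are easy to verify before go-live with a small connectivity probe run from each source zone. The script below is an added example written for this thread, not Symantec tooling; the hostnames are placeholders and the flow table is an assumption assembled from the posts, so adjust both to the real deployment (the probe only confirms a TCP handshake completes, which is exactly what a firewall rule review needs to see).

```python
"""Probe the SEPM-in-DMZ firewall flows discussed above.

Added example, not Symantec's own code.  Hostnames are placeholders and the
flow table is an assumption built from posts 4 and 6 in this thread.
"""
import socket
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    description: str
    host: str
    port: int
    required: bool = True  # False for optional flows such as the console


# Hypothetical hostnames; replace with the real DMZ and internal servers.
DEFAULT_FLOWS = [
    Flow("Roaming clients -> DMZ SEPM (HTTPS check-in)", "sepm-dmz.example.com", 443),
    Flow("DMZ SEPM -> internal SQL instance", "sql.corp.example.com", 1433),
    Flow("DMZ SEPM -> internal SEPM replication", "sepm-int.corp.example.com", 8443),
    Flow("Admin -> DMZ SEPM remote console", "sepm-dmz.example.com", 9090, required=False),
]


def tcp_port_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes within timeout.

    Refused, timed-out and unresolvable targets all count as closed, which
    is what matters when checking whether a firewall rule is in place.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_flows(flows, probe=tcp_port_open):
    """Probe every flow; return (results keyed by (host, port), missing required flows)."""
    results = {}
    missing = []
    for f in flows:
        ok = probe(f.host, f.port)
        results[(f.host, f.port)] = ok
        if f.required and not ok:
            missing.append(f)
    return results, missing


def report(flows, probe=tcp_port_open):
    """Print one line per flow and return True only if every required flow is open."""
    results, missing = check_flows(flows, probe)
    for f in flows:
        status = "open" if results[(f.host, f.port)] else "CLOSED"
        tag = "required" if f.required else "optional"
        print(f"{status:6} {f.host}:{f.port:<5} ({tag}) {f.description}")
    return not missing


if __name__ == "__main__":
    # Exit non-zero when a mandatory flow is blocked so the check can gate a change window.
    sys.exit(0 if report(DEFAULT_FLOWS) else 1)
```

Run it once from a roaming client on the Internet (only the 443 flow should succeed there) and once from the DMZ SEPM itself (1433 or 8443, depending on whether it uses the internal SQL instance or replicates with an internal SEPM); anything open from the Internet beyond 443 is a rule to tighten.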


  • 7.  RE: SEPM in a DMZ

    Posted Mar 17, 2014 06:27 AM

    Hi

    Refer to the link below

    http://www.symantec.com/docs/TECH122858

    Regards




  • 8.  RE: SEPM in a DMZ

    Posted Mar 17, 2014 09:29 PM

    Everyone - thank you for your responses.

    -Dan