
SEPM in DMZ deployment best practice

Created: 30 Jul 2012 • Updated: 01 Aug 2012 | 9 comments
This issue has been solved.

Hi All,

Can anyone here share your configuration or best practice on how to enable SEPM v12.1 as the DMZ SEPM server deployment, which talks to the internal SEPM server in my internal LAN for the updates?

This DMZ SEPM will do the updates and management for all of my DMZ internet-facing production web servers.

Thanks.


Dushan Gomez

Thanks for the reply,

As per the best practice, the database of this DMZ SEPM shall be just self-contained, right?

Rather than opening port 1433 for the SQL server, all of the updates will be replicated / pushed from the internal SEPM server.

Dushan Gomez
IT Manager
VCP 4 and 5 | MCITP Exchange Server | MCTS SharePoint Server | MCP Windows XP


pete_4u2002

If the DB is SQL, then port 1433 needs to be opened, as SQL listens on this port (by default).

Mithun Sanghavi

Hello,

I agree; in case you are running the SQL database, the port would be required to be opened.

Please check this Thread: https://www-secure.symantec.com/connect/forums/server-dmz

Articles:

Best Practices: Configuring a Symantec Endpoint Protection environment in a DMZ

http://www.symantec.com/business/support/index?page=content&id=TECH178325

Security recommendations regarding SEP client installed on server located in DMZ

http://www.symantec.com/docs/TECH122858

NOTE: The above articles apply to both SEP 11.x and SEP 12.1.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Vikram Kumar-SAV to SEP

Depends on how many servers you have in the DMZ....

Option 1: Install SEPM with the Embedded DB and it will replicate with the Production SEPM.

Option 2: Let all servers in the DMZ take direct updates from the Production SEPM. Open IP:Port specific firewall rules for the DMZ segments.

Option 3: From the Production SEPM/DB install a new Failover/LB server in the DMZ. Keep all DMZ servers in one group and apply an MSL on that group only, to communicate with that SEPM.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

Dushan Gomez

Hm...

Option #3 is interesting, so the SEPM load balances the AV distribution, updates and policy enforcement as well?

Dushan Gomez
IT Manager
VCP 4 and 5 | MCITP Exchange Server | MCTS SharePoint Server | MCP Windows XP


AravindKM

In SEPM you can manage all the policies (including how the clients should receive updates) through groups.

Please don't forget to mark your thread solved with whatever answer helped you :) Thanks & Regards, Aravind

Vikram Kumar-SAV to SEP

Yup.. that SEPM should be able to do everything your production SEPM does..

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.