Endpoint Protection

  • 1.  Server in DMZ

    Posted Jul 28, 2012 03:44 PM

    I am planning to install my SEPM server in the DMZ. What ports do I need to open?



  • 2.  RE: Server in DMZ

    Posted Jul 28, 2012 03:52 PM


    Which Communications Ports does Symantec Endpoint Protection use?

    http://www.symantec.com/business/support/index?page=content&id=TECH163787

    Symantec Endpoint Protection Manager requires TCP port information.
    https://www-secure.symantec.com/connect/articles/symantec-endpoint-protection-manager-requires-tcp-port-information



  • 3.  RE: Server in DMZ

    Posted Jul 28, 2012 04:16 PM

    Great, is it the same for SEP 11 and 12?



  • 4.  RE: Server in DMZ

    Posted Jul 28, 2012 04:35 PM

    Earlier we had two separate KBs, one for SEP 11 and the other for SEP 12.

    Now we have one consolidated KB which has the information for both.



  • 5.  RE: Server in DMZ

    Posted Jul 28, 2012 04:41 PM

    Along with that, if the server has any other role, please follow

    http://support.microsoft.com/kb/832017



  • 6.  RE: Server in DMZ
    Best Answer

    Posted Jul 28, 2012 06:28 PM

    Best Practices: Configuring a Symantec Endpoint Protection environment in a DMZ

    http://www.symantec.com/business/support/index?page=content&id=TECH178325

    SEPM in the DMZ: Recommendations and considerations

    DMZs are accessible from the Internet, so it is possible for someone to attempt to access (hack) into the server system that is running the SEPM through other vulnerabilities in the OS or other software running on that server. If successful, they might be able to access the SEP database, which contains information about every computer in the company's organization that is defended by SEP. This includes the IP address, computer name and SEP version they are running (some older releases of SEP have known vulnerabilities) or which SEP clients have AutoProtect disabled or which clients have no firewall enabled.

    For these reasons, Symantec recommends hardening the operating system on the server where Symantec Endpoint Protection Manager will be installed. One way to accomplish this is to install Symantec Critical System Protection. For more information about Critical System Protection, please see http://www.symantec.com/business/critical-system-protection

     

    Firewall Configuration (bi-directional):

    Mandatory Firewall Ports:

    TCP 1433: Default SQL Port

    Optional Firewall Ports:

    TCP 334: RDP

    TCP 9090: SEPM Remote Management Console

     

    Replication Considerations:

    By default, the first SEPM in a site is responsible for responding to and processing replication events from other sites. If there are multiple SEPMs in a site, you can change this setting by editing the Replication Management Server List in the Replication Partner Properties in the Admin > Servers view.

    • If the SEPM in the DMZ is the first of multiple SEPMs in a site, Symantec recommends modifying the Replication Management Server List and nominating a different SEPM to process the replication events.

    • If the SEPM in the DMZ is the only SEPM in the Site, then port 8443 will need to be opened on the firewall.
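
Added example (not part of the thread or of Symantec's article): a small audit of a firewall rule list against the ports quoted in the post above, including the rule that 8443 is only needed when the DMZ SEPM is the only SEPM in its site. The rule format, host names and sample rules are constructed; the optional RDP entry is left out, so add whichever remote-administration port you actually use to `OPTIONAL`.

```python
from dataclasses import dataclass

# Ports taken from the post above; everything else here is constructed.
MANDATORY = {1433}   # default SQL port
OPTIONAL = {9090}    # SEPM remote management console
REPLICATION = 8443   # only when the DMZ SEPM is the sole SEPM in its site


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    port: int


def audit(rules, sepm="dmz-sepm", sole_sepm_in_site=False):
    """Return (finding, port, direction) tuples for rules touching the SEPM host."""
    allowed = MANDATORY | OPTIONAL | ({REPLICATION} if sole_sepm_in_site else set())
    findings, seen = [], set()
    for r in rules:
        if sepm not in (r.src, r.dst):
            continue  # rule does not involve the SEPM host
        direction = "in" if r.dst == sepm else "out"
        if r.proto != "tcp" or r.port not in allowed:
            findings.append(("unexpected", r.port, direction))
        elif "any" in (r.src, r.dst):
            findings.append(("any-endpoint", r.port, direction))
        else:
            seen.add((r.port, direction))
    # Assumption: "bi-directional" is read as each mandatory port needing both directions.
    for port in sorted(MANDATORY):
        for direction in ("in", "out"):
            if (port, direction) not in seen:
                findings.append(("missing-mandatory", port, direction))
    return findings


# Constructed sample rule set (hypothetical host names).
SAMPLE = [
    Rule("dmz-sepm", "int-sql", "tcp", 1433),
    Rule("int-sql", "dmz-sepm", "tcp", 1433),
    Rule("int-admin", "dmz-sepm", "tcp", 9090),
    Rule("dmz-sepm", "int-sepm2", "tcp", 8443),
    Rule("any", "dmz-sepm", "tcp", 445),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

With the default `sole_sepm_in_site=False` the 8443 rule is reported, because another SEPM should be handling replication in that case.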



  • 7.  RE: Server in DMZ

    Posted Jul 29, 2012 10:08 AM

    Yes, this is what I need to configure as well.

    Thanks for sharing



  • 8.  RE: Server in DMZ

    Posted Jul 30, 2012 02:59 AM

    Hi,

     

    Just a few words after Prachand's post.

    Before asking yourself which ports need to be opened, ask yourself about your need to have SEPM in the DMZ.

    Typically the DMZ area is used to communicate with the Big Bad Internet area, so the only need for SEPM to communicate with the Internet is to update itself, and generally, a proxy server is used in the DMZ to secure Internet access (HTTP and other Internet protocols) between your LAN and the Internet.

    It's very hazardous to make SEPM accessible on the Internet. Remember that even if your security gateway is up to date, the DMZ area can be accessed, and your SEPM architecture needs to be extremely secured, even in your LAN. So in the DMZ, if this architecture is the only one possible, a SEPM server needs to be strongly secured.

     

    Olivier