Video Screencast Help

Server in DMZ

Created: 28 Jul 2012 • Updated: 28 Jul 2012 | 7 comments
NMG's picture
This issue has been solved. See solution.

I  am planning to install my SEPM server in DMZ what ports i need to open?

Discussion Filed Under:

Comments 7 CommentsJump to latest comment

P_K_'s picture

Which Communications Ports does Symantec Endpoint Protection use?

Symantec Endpoint Protection Manager requires TCP port information.

MCT MCSE-2012 Symantec Technical Specialist (SCTS)

NMG's picture

Great is it same for SEP 11 and 12?

P_K_'s picture

Earlier we had two sepearte KB, one from SEP 11 and other for SEP 12.

Now we have got one consolidated which has the information for both.

MCT MCSE-2012 Symantec Technical Specialist (SCTS)

P_K_'s picture

Along with that, if the server has any other role, Please follow

MCT MCSE-2012 Symantec Technical Specialist (SCTS)

P_K_'s picture

Best Practices: Configuring a Symantec Endpoint Protection environment in a DMZ

SEPM in the DMZ: Recommendations and considerations

DMZ's are accessible from the Internet, so it is possible for someone to attempt to access (hack) into the server system that is running the SEPM through other vulnerabilities in the OS or other software running on that server. If successful, they might be able to access SEP database, which contains information about every computer in the company's organization that is defended by SEP. This includes the IP address, computer name and SEP version they are running (some older releases of SEP have known vulnerabilities) or which SEP clients have AutoProtect disabled or which clients have no firewall enabled.

For these reasons, Symantec recommends hardening the operating system on the server where Symantec Endpoint Protection Manager will be installed. One way to accomplish this is to install Symantec Critical System Protection. For more information about Critical System Protection, please see

Firewall Configuration (bi-directional):

Mandatory Firewall Ports:

TCP 1433: Default SQL Port

Optional Firewall Ports:

TCP 334: RDP

TCP 9090: SEPM Remote Management Console

Replication Considerations:

By default, the first SEPM in a site is responsible for responding to and processing replication events from other sites. If there are multiple SEPMs in a site, you can change this setting by editing the Replication Management Server List in the Replication Partner Properties in the Admin > Servers view.

  • If the SEPM in the DMZ is the first of multiple SEPMs in a site, Symantec recommends modifying the Replication Management Server List and nominating a different SEPM to process the replication events.

  • If the SEPM in the DMZ is the only SEPM in the Site, then port 8443 will need to be opened on the firewall.

MCT MCSE-2012 Symantec Technical Specialist (SCTS)

Dushan Gomez's picture

Yes, this is what I need to configure as well.

Thanks for sharing

Dushan Gomez
IT Manager
VCP 4 and 5 | MCITP Exchange Server | MCTS SharePoint Server | MCP Windows XP

Olivier_C's picture


Just few words after Prachand post.

Before asking yourself wich port need to be opened, ask yourself about your need to have SEPM on DMZ.

Typicaly the DMZ area is used to communicate to the Big Bad Internet area, so the only need that SEPM communicate with internet is to update itself, and generaly, a proxy server is used in DMZ to secure Internet acces (http and other Internet protocol) between your LAN, and Internet.

It-s very hazardous to make SEPM accessible on the internet, remember that even i f your security gateway is on date, the DMZ area can be accessed and your SEPM architecture need to be extremly secured, even in your LAN, so in the DMZ, if this architecture is the only possible, a SEPM server need to be strongly secured.