Data Loss Prevention

  • 1.  What ports to open in Hosted Environment

    Posted Sep 24, 2012 04:23 PM

    We are looking into moving our Prevent servers to Amazon and would like to know exactly what ports we need open. We have opened port 8100 so that Enforce can talk to the Prevent server, but I can ping the Prevent server.


    Has anyone else successfully deployed their prevent servers in a hosted environment?



  • 2.  RE: What ports to open in Hosted Environment
    Best Answer

    Posted Sep 24, 2012 04:59 PM

    Mike,

    One main piece of advice, when deploying like this, you will want to use the keytool to ensure you use a custom key for communication between your systems. If this is not done, you will be using the default key that ships with the product, which could allow external parties to talk to your server and receive information.

    I would guess that you likely can't ping the server as you haven't opened up the ports for ICMP, or Amazon is blocking you from pinging the system. Can you ping the system from any other servers currently hosted in the Amazon site? You may want to try that first and work with Amazon on network configurations to ensure optimal connectivity. This sounds more like a network troubleshooting issue than a DLP specific communication issue. You may also want to try and open up a telnet session to the server on port 8100 to see if the communication is there or not.

    I will also bet some of the partners on here can chime in and give you some tips as I haven't done it myself in that method. Some of our partners though actually provide this service in a similar manner. I also know that I've had some of my own customers actually deploy the Prevent boxes in their DMZ for endpoints to communicate back in when not on the internal network. This would fall in line with a similar configuration.



  • 3.  RE: What ports to open in Hosted Environment

    Posted Sep 24, 2012 05:03 PM

    Hey Shawn, sorry, I should have given a tad more information. I did go ahead and use the keytool, and I found I had to install the same key on the rest of the servers in our network. I am able to ping the server in Amazon but I cannot telnet to it.


    We did have our Prevent servers in the DMZ at our company, but for some reason beyond me they decided to move them to Amazon.



  • 4.  RE: What ports to open in Hosted Environment

    Posted Sep 24, 2012 09:02 PM

    Mike,


    I seem to remember a previous conversation here about the same thing, or similar. As for ports, here is what I have, which are all default. I would check with the network guys to make sure you are allowed to pass the traffic from the servers to the endpoint box. I found the previous post, so I'll share the link with you.

    https://www-secure.symantec.com/connect/forums/dlp-endpoint-agents-communicate-internet-not-vpn


    1. Enforce Server (https) -- port: 443 (Windows) -- port: 8443 (Linux)
    2. Upgrade Wizard (Enforce) -- port: 8300
    3. Communications from Enforce to Oracle Database -- port: 1521
    4. Communications from Enforce to Detection Servers -- port: 8100
    5. Communications from Endpoint Agents to Enforce Server -- port: 8000
    6. Ports used by Network Prevent (Web) -- 80, 8080, as per Proxy specification
    7. Ports used by Network Prevent (Email)
        -- MTAResubmitPort: 10026 (default)
        -- ServerSocketPort: 10025 (default)
    8. Ports used by Network Discover crawlers and scanners

        Source              Destination       Port   Comment
        Network Discover    Target Server     445    This is for CIFS shares
        Network Discover    Target Server     2049   This is for NFS shares
        Scanner agent       Network Discover  8090   This is for the scanner agent targets (SharePoint, Exchange, etc.)
        Network Discover    Oracle Database   1521   This is for Oracle database
        Network Discover    DB2               50000  This is for IBM DB2
        Network Discover    MS SQL Server     1433   This is for MS SQL Server
        Network Discover    Sybase            7100   This is for Sybase
        Network Discover    MySQL             3306   This is for MySQL
        Network Discover    Lotus Notes       63148  This is when scanning Lotus Notes using DIIOP
        Network Discover    Lotus Notes       1352   This is when scanning Lotus Notes with native API
        Web Services Agent  Network Discover  8090   This is for the web services agent
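The "telnet to port 8100" test suggested earlier in this thread, generalised to the port list above, as an added example that is not code from this thread or from Symantec. It performs the same TCP handshake check as telnet for every rule whose destination role you map to a host, and flags the rules that fail. The role names, the `ROLE=host` argument format and the throwaway local listener used for the offline demonstration are assumptions of this example, not DLP behaviour. Because it only tests connections initiated from the host it runs on, run it once on Enforce pointing at the Prevent box and once on the Prevent box pointing at Enforce: a rule that is open from one side and blocked from the other is exactly the one-way firewall opening that turns up later in this thread.

```python
"""Bidirectional TCP reachability check for a DLP port matrix.

Added example; not code from the thread or from Symantec. Role names,
the ROLE=host argument format and the local listener are assumptions.
"""
import socket
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRule:
    source: str        # role that initiates the TCP connection
    destination: str   # role that must be listening
    port: int
    comment: str


# Default ports quoted in the thread; only rules whose destination role
# is mapped to a host on the command line get checked.
DLP_PORT_MATRIX = [
    PortRule("Enforce", "Detection Server", 8100, "Enforce to detection servers"),
    PortRule("Endpoint Agent", "Enforce", 8000, "agents to Enforce"),
    PortRule("Enforce", "Oracle Database", 1521, "Enforce to Oracle"),
    PortRule("Network Discover", "Target Server", 445, "CIFS shares"),
    PortRule("Network Discover", "Target Server", 2049, "NFS shares"),
    PortRule("Scanner agent", "Network Discover", 8090, "scanner agent targets"),
]


def check_tcp(host, port, timeout=3.0):
    """Same test as 'telnet host port': True only if the TCP handshake completes.
    A timeout (packets silently dropped) and a refusal (RST) both return False,
    so this does not distinguish a firewall from a service that is not running."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_rules(rules, hosts, timeout=3.0):
    """Check each rule whose destination role appears in `hosts` (role -> address).
    Returns {(source, destination, port): reachable}."""
    results = {}
    for rule in rules:
        host = hosts.get(rule.destination)
        if host is None:
            continue
        key = (rule.source, rule.destination, rule.port)
        results[key] = check_tcp(host, rule.port, timeout)
    return results


def blocked(results):
    """Rules that failed the handshake, sorted for stable output."""
    return sorted(key for key, ok in results.items() if not ok)


def start_listener(port=0):
    """Open a throwaway listener on 127.0.0.1 standing in for a DLP service
    (port 0 lets the OS pick a free port). The kernel completes handshakes
    into the backlog, so no accept() loop is needed. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def main(argv):
    # Usage: python dlp_portcheck.py "Detection Server=10.0.1.5" "Enforce=10.0.0.2"
    hosts = dict(arg.split("=", 1) for arg in argv if "=" in arg)
    if not hosts:
        # Offline demonstration: a local listener, then the same port after it is closed.
        srv, port = start_listener()
        rule = [PortRule("Enforce", "Detection Server", port, "demo")]
        print("listener up:  ", check_rules(rule, {"Detection Server": "127.0.0.1"}))
        srv.close()
        print("listener down:", check_rules(rule, {"Detection Server": "127.0.0.1"}, 1.0))
        return
    results = check_rules(DLP_PORT_MATRIX, hosts)
    for (src, dst, port), ok in sorted(results.items()):
        print(f"{'OPEN   ' if ok else 'BLOCKED'}  {src} -> {dst}:{port}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

A completed handshake only proves the network path; it says nothing about whether the two ends share the custom keystore that the earlier reply recommends, so a server that answers on 8100 but was left on the product's default key still needs fixing.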




  • 5.  RE: What ports to open in Hosted Environment

    Posted Sep 25, 2012 09:47 AM

    Thanks.


    It appears networking only had one-way communication open to port 8100. Two-way is now established and it is working.


    Now time to install the certs for Google.




  • 6.  RE: What ports to open in Hosted Environment

    Posted Sep 25, 2012 11:05 PM

    Sounds appropriate. Lots of cloud hosting systems will leave outbound ports open, but not inbound. Glad you were able to sort that out and that we could be of help to you.