Manage remote Endpoint Protection clients when the Endpoint Protection Manager is behind a NAT

Article ID: 177585

Products

Endpoint Protection Endpoint Security

Issue/Introduction

There are Symantec Endpoint Protection (SEP) clients in a remote location separated from the Symantec Endpoint Protection Manager (SEPM) by a network device (router or firewall) with Network Address Translation (NAT).

These SEP clients need to be managed by the SEPM.

Resolution


Establishing a site-to-site VPN tunnel is the best option: it allows the remote SEP clients to be managed like any other clients on the internal network. However, a site-to-site VPN tunnel is not always possible, and in some cases the risk of passing SEP management traffic over an external network is acceptable.

This document explains how to achieve this without a site-to-site VPN tunnel.

  1. Add a client group for the clients in the remote location.
  2. Add a management server list with the external IP address of the NAT device and the port the SEPM uses for client communication.
  3. Assign the management server list to the client group. Change the communication mode to pull mode and set the heartbeat interval appropriately.
  4. Configure the NAT device to redirect traffic arriving on its external IP address and the port specified in task 2 to the SEPM's internal IP address and the same port.
  5. Copy the sylink.xml of the client group to existing clients, or export a client install package for the group and deploy it to the computers.
  6. We recommend that you switch communication between the SEPM and the clients to HTTPS.

 


Task 1: Add a client group for the clients in the remote location

  1. In the SEPM console, click Clients.
  2. Under View Clients, select the group to which you want to add a new subgroup.
  3. On the Clients tab, under Tasks, click Add Group.
  4. In the Add Group for group name dialog box, type the group name and a description.
  5. Click OK.

 

Task 2: Add a management server list

  1. In the console, click Policies.
  2. In the Policies page, under View Policies, click Policy Components > Management Server Lists.
  3. Under Tasks, click Add a Management Server List.
  4. In the Management Server Lists dialog box, in the Name text field, type a name for the management server list and an optional description.
  5. To specify which communication protocol to use between the management servers and the clients, select one of the following options:
    • Use HTTP protocol
    • Use HTTPS protocol. Use this option if you want management servers to communicate by using HTTPS and if the server is running Secure Sockets Layer (SSL).
  6. If you require verification of a certificate with a trusted third-party certificate authority, check Verify certificate when using HTTPS protocol.
  7. To add a server, click Add > New Server.
  8. In the Add Management Server dialog box, in the Server address text field, type the external IP address of the NAT device.
  9. If you are using a non-default port number for either the HTTP or HTTPS protocol for this server, do one of the following tasks:
    • Check Customize HTTP port number and enter a new port number. The default port number for the HTTP protocol is 8014 for MR3 and later.
    • Check Customize HTTPS port number and enter a new port number. The default port number for the HTTPS protocol is 443.
  10. Click OK.

 

Task 3: Assign the management server list to the group

  1. In the console, click Policies.
  2. In the Policies page, under View Policies, click Policy Components > Management Server Lists.
  3. In the Management Server Lists pane, select the management server list you created in task 2.
  4. Under Tasks, click Assign the List.
  5. In the Apply Management Server List dialog box, check the group you created in task 1.
  6. Click Assign.
  7. When you are prompted, click Yes.

 

Task 4: Configure the NAT device to redirect traffic

Please consult your NAT device manual on how to perform this task.

 

Task 5: Copy sylink.xml

  1. In the Console, click Clients.
  2. In the View Clients column, select the group you created in task 1.
  3. Right-click the selected group, then click Export Communication Settings at the bottom of the drop-down menu.
  4. In the Export Communication Settings for group name dialog box, click Browse. The default selection is My Documents.
  5. In the Select Export File dialog, locate the folder to which you want to export the sylink.xml file, and click OK.
  6. In the Export Group Registration Setting for group name dialog box, select one of the following options:
    • To apply the policies of the group of which the computer is a member, click Computer Mode.
    • To apply the policies of the group of which the user is a member, click User Mode.
  7. Click Export.
    If the file name already exists, click OK to overwrite it, or Cancel to save the file with a new file name.
  8. Copy the file to the desktop of the computers in the remote location.
  9. Open the client interface on the computers in the remote location.
  10. Click Help and Support, and then click Troubleshooting.
  11. Click Import, browse to the .xml file exported from the Manager, and click OK.

 

Task 6: Enable SSL communications between a Symantec Endpoint Protection Manager and its clients

Read and follow the steps in Enable SSL communications between Endpoint Protection Manager and clients.
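The values entered in tasks 2, 4 and 5 have to agree with each other: the server address in the management server list must be the NAT device's external address (not the SEPM's internal one), the port the client will use must be the port the NAT device forwards, and the NAT rule must forward to the same port on the SEPM. The following script is an added example, not part of this article or of the SEP product, that reads an exported sylink.xml and compares it against a record of the NAT forwarding rule. The element and attribute names it looks for (ServerList, Server, Address, HttpPort, HttpsPort, Protocol, VerifyCertificate) and both sample files are assumptions constructed for the example; compare them with a file exported from your own SEPM before relying on the check.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a sylink.xml exported for the remote group (task 5).
# The element and attribute names used here (ServerList, Server, Address,
# HttpPort, HttpsPort, Protocol, VerifyCertificate) are assumptions for this
# example; compare them with a file exported from your own SEPM.
GOOD_SYLINK = """<ServerSettings>
  <ServerList Name="Remote-Site-via-NAT">
    <Server Address="203.0.113.10" HttpPort="8014" HttpsPort="443"
            Protocol="HTTPS" VerifyCertificate="1"/>
  </ServerList>
</ServerSettings>
"""

# Constructed counter-example: the list still points at the SEPM's internal
# address and uses plain HTTP, as an unmodified default export would.
BAD_SYLINK = """<ServerSettings>
  <ServerList Name="Default Management Server List">
    <Server Address="10.0.0.5" HttpPort="8014" HttpsPort="443" Protocol="HTTP"/>
  </ServerList>
</ServerSettings>
"""

# Constructed record of the port-forwarding rule configured on the NAT device (task 4).
NAT_RULE = {
    "external_ip": "203.0.113.10",
    "external_port": 443,
    "internal_ip": "10.0.0.5",
    "internal_port": 443,
}


def parse_servers(sylink_xml):
    """Return one dict per <Server> entry with the address, the protocol and
    the port that protocol will actually use."""
    servers = []
    for srv in ET.fromstring(sylink_xml).iter("Server"):
        protocol = srv.get("Protocol", "HTTP").upper()
        if protocol == "HTTPS":
            port = int(srv.get("HttpsPort", "443"))
        else:
            port = int(srv.get("HttpPort", "8014"))
        servers.append({
            "address": srv.get("Address"),
            "protocol": protocol,
            "port": port,
            "verify_cert": srv.get("VerifyCertificate") == "1",
        })
    return servers


def check_remote_sylink(sylink_xml, nat_rule):
    """Compare the exported server list against the NAT rule.

    Returns a list of findings; an empty list means every server entry points
    at the NAT device's external address on the forwarded port over HTTPS.
    """
    findings = []
    servers = parse_servers(sylink_xml)
    if not servers:
        return ["management server list contains no <Server> entries"]

    # Task 4 requires the same port on both sides of the NAT.
    if nat_rule["external_port"] != nat_rule["internal_port"]:
        findings.append("NAT rule translates the port; forward to the same port the SEPM listens on")

    for s in servers:
        if s["address"] == nat_rule["internal_ip"]:
            findings.append(f"{s['address']} is the SEPM's internal address, unreachable from behind the NAT")
        elif s["address"] != nat_rule["external_ip"]:
            findings.append(f"{s['address']} is not the NAT device's external address {nat_rule['external_ip']}")
        if s["port"] != nat_rule["external_port"]:
            findings.append(f"client will use port {s['port']} but the NAT forwards port {nat_rule['external_port']}")
        if s["protocol"] != "HTTPS":
            findings.append("server entry uses HTTP; switch to HTTPS because this traffic crosses an external network")
        elif not s["verify_cert"]:
            findings.append("HTTPS without certificate verification; enable 'Verify certificate when using HTTPS protocol'")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("good", GOOD_SYLINK), ("bad", BAD_SYLINK)):
        print(label, check_remote_sylink(xml_text, NAT_RULE) or ["OK"])
```

Run it against the sylink.xml you exported in task 5 (read the file into a string in place of the constructed samples) and against the rule you entered on the NAT device; the good sample produces no findings, while the default-style sample is flagged for the internal address, the port mismatch and plain HTTP.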