When configuring a firewall that sits between SEP clients in the DMZ and the SEPM in the internal LAN, allow only one of the two management ports on the firewall: HTTP (8014 or 80) or HTTPS (443). This meets common security standards by limiting open ports to the necessary minimum. A small number of open ports also lets the firewall administrator monitor the communication and create application-level rules that grant only the SEP processes the right to use the dedicated open ports.
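The following is an added example, not a Symantec tool or anything from the original article: a small audit script that checks an exported firewall ruleset against the "only one management port" rule above. The rule format, the DMZ subnet (10.10.0.0/24) and the SEPM address (192.168.1.20) are constructed for the example; the port numbers are the ones the article names.

```python
"""Audit a firewall ruleset for the rule that SEP clients in the DMZ may
reach the SEPM on exactly one management port (HTTP 8014/80 or HTTPS 443).
Rule records, subnets and hosts below are constructed for this example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Management ports named in the article: HTTP on 8014 or 80, HTTPS on 443.
SEPM_PORTS = {8014: "HTTP", 80: "HTTP", 443: "HTTPS"}


@dataclass(frozen=True)
class Rule:
    """One allow/deny rule as a firewall export might present it (assumed format)."""
    src: str            # source network in CIDR notation
    dst: str            # destination network in CIDR notation
    proto: str          # "tcp", "udp" or "any"
    port: Optional[int]  # destination port; None means every port
    action: str         # "allow" or "deny"


def rule_allows(rule: Rule, src_net: str, dst_host: str, port: int) -> bool:
    """True if this rule permits TCP traffic from src_net to dst_host:port."""
    if rule.action != "allow" or rule.proto not in ("tcp", "any"):
        return False
    if not ipaddress.ip_network(src_net).subnet_of(ipaddress.ip_network(rule.src)):
        return False
    if ipaddress.ip_address(dst_host) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.port is None or rule.port == port


def open_sepm_ports(rules: List[Rule], dmz_net: str, sepm_host: str) -> List[int]:
    """Management ports on the SEPM that at least one rule opens from the DMZ."""
    return sorted(
        p for p in SEPM_PORTS
        if any(rule_allows(r, dmz_net, sepm_host, p) for r in rules)
    )


def audit(rules: List[Rule], dmz_net: str, sepm_host: str) -> Tuple[bool, List[str]]:
    """Return (compliant, findings) for the DMZ -> SEPM path."""
    findings = []
    ports = open_sepm_ports(rules, dmz_net, sepm_host)
    if not ports:
        findings.append("no SEPM management port is reachable from the DMZ")
    elif len(ports) > 1:
        findings.append(f"more than one management port is open from the DMZ: {ports}")
    # An any-port allow rule defeats the "necessary minimum" goal even if it
    # happens to cover only one of the listed ports today.
    for r in rules:
        if r.action == "allow" and r.port is None and rule_allows(r, dmz_net, sepm_host, 443):
            findings.append(f"rule {r.src} -> {r.dst} opens every port from the DMZ to the SEPM")
    return (not findings, findings)


# Constructed sample rulesets (not from any real deployment).
DMZ_NET, SEPM_HOST = "10.10.0.0/24", "192.168.1.20"

GOOD_RULES = [  # HTTPS only: compliant
    Rule("10.10.0.0/24", "192.168.1.20/32", "tcp", 443, "allow"),
    Rule("10.10.0.0/24", "192.168.1.0/24", "any", None, "deny"),
]
BAD_RULES = [  # HTTP and HTTPS both open: not compliant
    Rule("10.10.0.0/24", "192.168.1.20/32", "tcp", 8014, "allow"),
    Rule("10.10.0.0/24", "192.168.1.20/32", "tcp", 443, "allow"),
]
WIDE_RULES = [  # any port from the DMZ to the SEPM: not compliant
    Rule("10.10.0.0/24", "192.168.1.20/32", "any", None, "allow"),
]

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES), ("wide", WIDE_RULES)):
        ok, findings = audit(rules, DMZ_NET, SEPM_HOST)
        print(f"{name}: {'OK' if ok else 'FAIL'} {findings}")
```

The check works on the ruleset as exported, so it can run offline during a change review; it deliberately treats an any-port allow as a finding even though the article's requirement is only about which of the listed ports is open.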
In high-security environments where communication between servers in the DMZ and the internal LAN is not allowed at all, please consider the following scenarios:
- Installing unmanaged SEP clients on the servers in the DMZ and updating virus definitions directly from the internet
- Installing unmanaged SEP clients on the servers in the DMZ and updating virus definitions with the Intelligent Updater file
- Installing a dedicated instance of LiveUpdate Administrator in the DMZ that supplies virus definitions only to the servers in the DMZ
- Installing a dedicated instance of SEPM in the DMZ that supplies virus definitions only to the servers in the DMZ
The last solution is the most secure, but it also requires more investment in administration effort and system resources. We recommend evaluating the security level your business needs require, then selecting and implementing the solution that meets those needs.