Patch Management Group

  • 1.  HELP! Needing some guidance on implementing CEM in a pre-existing environment

    Posted Feb 08, 2017 02:26 PM

    Our environment consists of 1 notification server and 3 site servers, with one of those in the same vLan as the Notification server; the other two are at remote locations.  All 3 site servers are task and package servers.  I have my internet gateway server sitting in the DMZ ready for setup.  I know port 4726 inbound from the gateway needs to be open to my NS.  However, my question is: would the one package server I have in the same vLan as the NS need to have port 4726 inbound to it as well?  Or will just having the firewall open for the NS be enough?  I've seen diagrams and read documentation which references a standalone package server for the DMZ; however, all of my package servers serve internal systems as well.  The server in my vLan is also my imaging server, so I don't want to jeopardize the functionality.

    Was wanting to get this done by this weekend but didn't know if I could use this one server as a package server for both internal and external clients.



  • 2.  RE: HELP! Needing some guidance on implementing CEM in a pre-existing environment
    Best Answer

    Broadcom Employee
    Posted Feb 14, 2017 07:59 AM

    Hi mmathews,

    1) When you create a "Symantec Agent" (CEM Web Site) on the Notification Server machine, it automatically adds port 4726 to the 'InBound' firewall rule settings.

    IBCM_1.jpg

    2) The "CEM Gateway" does the same when you specify which port to listen on for incoming connections.

    IBCM_2.jpg

    So Site Servers, CEM Agents and the NS will be communicating on port 4726 via the CEM Gateway through port 777.

    3) The information on CEM Site Server binding settings says that you need to have an open InBound firewall rule for the port on which the Site Server is working (4726, or 443, etc.).

    IBCM_3.jpg

    Hope this information gives an answer for your case.

    Other information regarding CEM:

    Regards,

    IP.



  • 3.  RE: HELP! Needing some guidance on implementing CEM in a pre-existing environment

    Posted Feb 14, 2017 09:28 AM

    Mathews,

    I implemented the CEM in my environment a few months ago. I used the existing Site server in the same LAN as NS and added them to the Internet site. They serve both internal and external clients without major issues. We also use our Package server as PXE servers together with Ghost Solution 3.1 for image deployment. Below is the diagram with the ports opened in DMZ for internal and external connections.

    Gateway firewall configuration.png

    I hope it helps.

    Tomasz