You need to know the best practices for installing the Symantec Endpoint Protection (SEP) client to computers exposed to the Internet in a Demilitarized Zone (DMZ) or as a Bastion host.
Note: Computers that are directly connected to the Internet are at much higher risk from attacks that utilize 0-day exploits or other unknown threats that computers on your internal network. Consider protecting any computers directly connected to the Internet with Symantec Data Center Security (see https://www.symantec.com/products/threat-protection/data-center-security for more information).
The SEP client can be self-managed, managed by a Symantec Endpoint Protection Manager (SEPM) in the DMZ, managed by an Internet-connected SEPM in another network, or managed by a SEPM inside your private network. Ensure managed clients are able to communicate with their manager(s) over HTTP and/or HTTPS (default HTTP port: TCP 8014, default HTTPS port: TCP 443). This will likely require creating application and perimeter firewall rules to pass the traffic. You can limit your firewall ACL to only pass SEP client-server traffic between known-good addresses to prevent possible exploit attempts.