You need to know the best practices for exposing a Symantec Endpoint Protection Manager (SEPM) to the Internet in a Demilitarized Zone (DMZ) or as a Bastion host.
Symantec does not recommend connecting a SEPM directly to the Internet, because doing so exposes the SEPM and its underlying operating system to possible exploitation. If you require an Internet-accessible SEPM, minimize your exposure to attacks by taking the following actions:
- If possible, block access to SEPM ports not needed for client-server communications
- If you are unable to update to the latest version of SEPM, review any security advisories related to your SEPM version, and apply any mitigation steps
- Install Symantec Endpoint Protection (SEP) client and enable all protection technologies
- Install Symantec Data Center Security (DCS) client to harden the Operating System against possible attacks (see https://www.symantec.com/products/threat-protection/data-center-security for more information)
- Regularly audit the security of your computers in the DMZ
Configure Firewall Rules
To minimize exposure to exploitation attempts, only allow incoming connections over the ports you absolutely need. For example:
- Block external access to the SEPM Web services port (default: TCP 8446)
- Block external access to the SEPM Reporting server (default: TCP 8445)
- Block external access to the SEPM Console port (default: TCP 8443)
- If you plan to host clients outside of the DMZ, allow external access to the SEPM client-server communications port(s) (default HTTP: TCP 8014, default HTTPS: TCP 443)
- If you only plan to host clients in the DMZ, block external access to the client-server communications port(s)
- If your SEPM database is on a Microsoft SQL server that is not in the DMZ, you must allow communications between the SEPM and the SQL server (default TCP 1433)
SEPM replication takes place over the SEPM communications port (default: TCP 8443). To limit exposure to attacks, do not directly connect your replication partner SEPM to the Internet. If you must replicate with a SEPM in the DMZ, you must allow communications between the replication partner SEPM servers over the SEPM communications port.
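The following Windows Firewall script is an added example of how the rules above can be expressed on the SEPM host; it is not a Symantec-supplied script. It implements "block external access" as a default-deny inbound policy plus allow rules scoped to an internal management subnet, opens the client-server ports either to any address or only to the DMZ subnet depending on where clients live, permits the SQL and replication flows described above, and finishes by listing the resulting rules for review. The subnet and host addresses are placeholders that you must replace with your own; the port numbers are the defaults named in this article.

```powershell
# Added example (not Symantec's code): Windows Firewall rules for a SEPM placed in a DMZ.
# Run in an elevated PowerShell session on the SEPM host. All addresses below are
# placeholders that you must adjust to your environment.
$MgmtSubnet      = '10.0.0.0/8'   # placeholder: internal network admins use for the console
$SqlServer       = '10.1.2.3'     # placeholder: SQL server hosting the SEPM database (outside the DMZ)
$ReplPartner     = '10.1.2.4'     # placeholder: replication partner SEPM (not Internet-facing)
$ClientsExternal = $true          # $true if SEP clients outside the DMZ must reach this SEPM

# Default-deny inbound on every profile; only the explicit allow rules below open ports.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# Management ports (console 8443, reporting 8445, web services 8446): reachable only from
# the internal management subnet, which is how "block external access" is enforced here.
foreach ($port in 8443, 8445, 8446) {
    New-NetFirewallRule -DisplayName "SEPM mgmt TCP $port (internal only)" `
        -Direction Inbound -Protocol TCP -LocalPort $port `
        -RemoteAddress $MgmtSubnet -Action Allow | Out-Null
}

# Replication runs over the SEPM communications port (default TCP 8443); allow only the partner.
New-NetFirewallRule -DisplayName 'SEPM replication TCP 8443 (partner only)' `
    -Direction Inbound -Protocol TCP -LocalPort 8443 `
    -RemoteAddress $ReplPartner -Action Allow | Out-Null

# Client-server communication (default HTTP 8014, HTTPS 443): open to the Internet only when
# clients outside the DMZ must check in; otherwise restrict to the DMZ's own subnet.
$clientScope = if ($ClientsExternal) { 'Any' } else { 'LocalSubnet' }
foreach ($port in 8014, 443) {
    New-NetFirewallRule -DisplayName "SEPM client TCP $port ($clientScope)" `
        -Direction Inbound -Protocol TCP -LocalPort $port `
        -RemoteAddress $clientScope -Action Allow | Out-Null
}

# SEPM -> SQL server (default TCP 1433). Outbound traffic is allowed by default on Windows,
# so this rule documents the required flow and keeps it working if outbound is later locked down.
New-NetFirewallRule -DisplayName 'SEPM to SQL TCP 1433' `
    -Direction Outbound -Protocol TCP -RemotePort 1433 `
    -RemoteAddress $SqlServer -Action Allow | Out-Null

# Review step: print every SEPM rule with its ports and remote scope so the result can be audited.
Get-NetFirewallRule -DisplayName 'SEPM *' | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    $af = $_ | Get-NetFirewallAddressFilter
    '{0,-45} {1,-8} {2,-5} local={3,-6} remote={4,-6} from={5}' -f `
        $_.DisplayName, $_.Direction, $_.Action,
        ($pf.LocalPort -join ','), ($pf.RemotePort -join ','), ($af.RemoteAddress -join ',')
}
```

Scoping the management ports to an allow rule for the internal subnet, rather than writing a block rule for "external" addresses, avoids having to enumerate what counts as external and fails closed if the management subnet changes. Re-run the review step as part of the regular DMZ audit recommended above, and compare it against `Get-NetTCPConnection -State Listen` to confirm that no listener on the host is reachable beyond the scope intended for it.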