Where to place the appliance in your network for best results
Last Updated September 25, 2018
The placement of your appliance depends upon whether the appliance is a management platform, network scanner, or all-in-one device. The Symantec Advanced Threat Protection (ATP) appliance must be able to perform the following depending upon its role:
Scan all network traffic coming into and out of the organization
Determine the source and destination of all traffic
Detect internal connection endpoints
Act as a network proxy for endpoints (if integrating with Symantec Endpoint Protection Manager)
Have a minimal effect on network performance
If your architecture includes a demilitarized zone (DMZ) and you integrate ATP with Symantec Endpoint Protection, don't place the following in the DMZ:
Management platform appliance
Symantec Endpoint Protection
If you deploy the appliance between a proxy and the firewall, every connection it sees originates from the proxy's IP address, so ATP cannot identify the source endpoint on its own. In this scenario you must enable the X-Forwarded-For: header field on the proxy so that ATP can read the original client address from it. Because that header then carries internal addresses, you might also need to configure your firewall to strip the X-Forwarded-For: header field before traffic leaves your network.
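The following added example (illustrative code, not Symantec ATP's implementation) shows the two halves of the X-Forwarded-For arrangement described above: a scanner sitting behind a proxy recovering the real client address from the header, and an egress hop stripping the header so internal addresses are not leaked. The proxy addresses, header values and request samples are constructed for the example. The key caveat it demonstrates is that X-Forwarded-For is only trustworthy when the connection actually comes from one of your own proxies; a client can put anything it likes in that header, so the chain is walked from the right and the first non-proxy address wins.

```python
"""Added example: attributing a proxied connection to its real source
endpoint via X-Forwarded-For, and stripping the header on egress.
Not Symantec ATP code; proxy addresses below are assumed."""
import ipaddress
from typing import Dict, Iterable

# Assumed (hypothetical): the organisation's own forward proxies. Only a
# header arriving from one of these peers is believed.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.5.10/32"),   # primary web proxy
    ipaddress.ip_network("10.0.5.0/24"),    # proxy cluster segment
]


def _is_trusted(addr: str, trusted: Iterable[ipaddress._BaseNetwork]) -> bool:
    """True when addr falls inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def _get_header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return ""


def client_ip(peer_addr: str, headers: Dict[str, str],
              trusted: Iterable[ipaddress._BaseNetwork] = TRUSTED_PROXIES) -> str:
    """Return the address a scanner should attribute this connection to.

    peer_addr is the layer-3 source the scanner actually sees; when the
    appliance sits between proxy and firewall that is the proxy itself.
    The X-Forwarded-For chain is read right to left: trailing hops that
    are trusted proxies are discarded and the first untrusted address is
    the client. If the peer is not a trusted proxy the header is ignored,
    because an attacker-controlled client can forge it.
    """
    if not _is_trusted(peer_addr, trusted):
        return peer_addr
    hops = [h.strip() for h in _get_header(headers, "X-Forwarded-For").split(",")]
    hops = [h for h in hops if h]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr        # malformed entry: fall back to what we can see
        if not _is_trusted(hop, trusted):
            return hop
    return peer_addr                # empty chain, or nothing but our own proxies


def strip_forwarded_for(headers: Dict[str, str]) -> Dict[str, str]:
    """Egress side: remove X-Forwarded-For so internal addresses never leave."""
    return {k: v for k, v in headers.items() if k.lower() != "x-forwarded-for"}


if __name__ == "__main__":
    # Constructed sample requests as the scanner would see them from the proxy.
    proxied = {"Host": "example.com", "X-Forwarded-For": "192.168.30.77"}
    spoofed = {"Host": "example.com",
               "X-Forwarded-For": "203.0.113.9, 192.168.30.77"}  # client forged the first hop
    print(client_ip("10.0.5.10", proxied))                # 192.168.30.77
    print(client_ip("10.0.5.10", spoofed))                # 192.168.30.77, forged hop ignored
    print(client_ip("192.168.30.99", spoofed))            # 192.168.30.99, peer is not a proxy
    print(strip_forwarded_for(proxied))                   # {'Host': 'example.com'}
```

The same rule applies to the firewall rather than the appliance: strip the header only on the path to the Internet, not on the path from the proxy to the scanner, or ATP is back to seeing only the proxy's address.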
ATP does not scan traffic between internal computers, except when one of them is a proxy server: internal traffic that is routed to a proxy is scanned because it is on its way out of the network.
If you want ATP to reach the Internet through a proxy server, the only proxy authentication methods it can use are Basic and Simple Password Authentication; it cannot pass any other kind of credentials to the proxy. If your proxy requires a different method, treat the appliance as a trusted device on the proxy and exempt it from authentication.
You can use the management port for any of the following:
To access ATP Manager.
For communication with Symantec's servers (LiveUpdate, cloud-based sandboxing, Insight, telemetry, and so on).
To facilitate communication to Symantec Endpoint Protection Manager and endpoints for the endpoint proxy.
The management network must not be reachable from the Internet at large. If you need to reach the management network from outside, connect through a VPN or a short-lived Remote Desktop session.
In Inline mode, the management port must be on a different subnet from the Inline interface.
The following figures show examples of network configurations. You can use the ATP 8840, 8880, or virtual appliance in any of these configurations.
You might need crossover cables for an Inline deployment if the devices connected to the WAN and LAN ports do not support automatic MDI/MDI-X configuration.
Figure: Simple port span/tap network configuration
Figure: Port span/tap with multiple monitor ports
Figure: Simple inline network configuration
Figure: Inline with firewalls, proxies, and appliances, including a management platform