Best Practices: Symantec Endpoint Protection Client in a Demilitarized Zone

Article ID: 152104

Products

Endpoint Protection

Issue/Introduction

You need to know the best practices for installing the Symantec Endpoint Protection (SEP) client to computers exposed to the Internet in a Demilitarized Zone (DMZ) or as a Bastion host.


Cause


Resolution

Note: Computers directly connected to the Internet are at higher risk from attacks that use 0-day exploits or other unknown threats than computers on your internal network. Consider protecting any computers directly connected to the Internet with Symantec Data Center Security (see Symantec hybrid cloud security for more information).

Management Considerations

The SEP client can be self-managed, managed by a Symantec Endpoint Protection Manager (SEPM) in the DMZ, managed by an Internet-connected SEPM in another network, or managed by a SEPM inside your private network. Ensure managed clients are able to communicate with their manager(s) over HTTP and/or HTTPS (default HTTP port: TCP 8014, default HTTPS port: TCP 443). This will likely require creating application and perimeter firewall rules to pass the traffic. You can limit your firewall ACL to only pass SEP client-server traffic between known-good addresses to prevent possible exploit attempts.
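The following is an added example, not part of the original article: it models the least-privilege ACL described above (only SEP client-to-SEPM traffic, on the default ports TCP 8014 and TCP 443, and only between known-good addresses) as a small policy checker and renders the same policy as nftables rules for a Linux perimeter firewall. All addresses are constructed placeholders (RFC 5737 ranges); the SEPM address and the segment boundaries are assumptions you replace with your own.

```python
"""DMZ -> internal ACL for SEP client/server traffic (constructed example).

Policy: a SEP client in the DMZ may reach only its known SEPM(s) on the
default HTTP (TCP 8014) and HTTPS (TCP 443) ports; every other flow from
the DMZ toward the internal network is logged and dropped. Internet-bound
traffic (e.g. Insight lookups) is outside this ACL and needs its own rule.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SEP_PORTS = {8014: "sep-http", 443: "sep-https"}   # defaults named in the article
DMZ_NET = ip_network("192.0.2.0/24")               # placeholder DMZ segment
INTERNAL_NET = ip_network("198.51.100.0/24")       # placeholder internal segment
SEPM_HOSTS = {ip_address("198.51.100.10")}         # placeholder SEPM address(es)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason) for one flow leaving the DMZ."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src not in DMZ_NET:
        return "deny", "source is not a DMZ address"
    if flow.proto != "tcp" or flow.dport not in SEP_PORTS:
        return "deny", f"{flow.dport}/{flow.proto} is not SEP client-server traffic"
    if dst not in SEPM_HOSTS:
        return "deny", f"{dst} is not a known SEPM"
    return "allow", SEP_PORTS[flow.dport]


def render_nftables() -> list[str]:
    """Render the same policy as nftables rule lines (default deny at the end)."""
    ports = ",".join(str(p) for p in sorted(SEP_PORTS))
    lines = [
        f"ip saddr {DMZ_NET} ip daddr {sepm} tcp dport {{ {ports} }} ct state new accept"
        for sepm in sorted(SEPM_HOSTS, key=int)
    ]
    lines.append(f'ip saddr {DMZ_NET} ip daddr {INTERNAL_NET} log prefix "dmz-deny: " drop')
    return lines


if __name__ == "__main__":
    for f in (Flow("192.0.2.15", "198.51.100.10", "tcp", 8014),
              Flow("192.0.2.15", "198.51.100.20", "tcp", 8014),   # unknown host, same port
              Flow("192.0.2.15", "198.51.100.10", "tcp", 445)):   # known SEPM, wrong port
        print(f, *evaluate(f))
    print("\n".join(render_nftables()))
```

The second and third sample flows show the two failure modes the ACL is meant to catch: the right port to an unknown host, and the known SEPM on a port that is not SEP client-server traffic.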

Allow Insight lookups and submissions

Ensure your clients are able to communicate with the Symantec Insight servers. See URLs that allow SEP and SES to connect to Symantec servers for more information.