topic Re: Endpoint Policy Server in Endpoint

Endpoint Policy Server

J_B — Mon, 10 Feb 2020 16:31:34 GMT

When pushing out new clients to devices, does the Endpoint Policy Server handle this, or will the new client be downloaded from the Primary Management Server?

I was almost sure that the client would be downloaded from the Policy Server that the client is connected to, but it's not really clear within the documentation as it doesn't specify client upgrades? We're gradually updating 4000+ clients and the comms links are getting hammered, almost as if all the client downloads are coming from the Primary Management Server.

The Endpoint Policy Server handles the most frequent and bandwidth-consuming communication. The Endpoint Policy Server handles these requests without forwarding them to the Endpoint Security Management Server:

All heartbeat and synchronization requests.
Policy downloads
Anti-Malware updates
All Endpoint Security client logs (the Endpoint Policy Server is configured as Log Server by default).

It would be great if you could restrict the Policy Servers to only communicate with certain subnets that you specify, a bit like what you can do with distribution points within SCCM. There doesn't seem to be any real logic behind the proximity analysis, apart from a simple ping command.

Re: Endpoint Policy Server

PhoneBoy — Wed, 12 Feb 2020 01:57:56 GMT

It uses ping to determine proximity analysis, you are correct.
I assume you could restrict access to the Policy Server using a firewall rule if needed.

Re: Endpoint Policy Server

J_B — Thu, 13 Feb 2020 10:47:50 GMT

Can we submit feature requests for future releases/fixes? In a large environment with 100's of sites the way policy servers work really hamper the network when it comes to client upgrades.

Policy updates, or AntiMalware upgrades are great when using a policy server. But not when it comes to installing a new 700MB client on 5000 machines. A client should always look to use a policy server on it's own subnet for a client upgrade, not one over the WAN link.

Thanks

Re: Endpoint Policy Server

PhoneBoy — Thu, 13 Feb 2020 19:45:23 GMT

The naive question I have is: shouldn't the policy server in your network have lower latency than one over the WAN link?
In any case, the formal link to submit RFEs: https://rfe.checkpoint.com/rfe/rfe.htm
If it's a deal breaker, I highly recommend working with your local office.

Re: Endpoint Policy Server

J_B — Fri, 14 Feb 2020 09:16:55 GMT

They're fast WAN links so the latency is negligible across most of the sites. Until of course clients start running client upgrades across all the WAN links instead of just using the policy server on their own subnet.

Thanks for the link.