topic Re: Checkpoint Sandblast Agent need to connect when in Roaming in Endpoint

Checkpoint Sandblast Agent need to connect when in Roaming

Chinmaya_Naik — Wed, 27 Nov 2019 10:26:31 GMT

Hi Team,

Our requirement is to connect the Endpoint Security Management Server when the machine is outside of the organization. Like the machine should communicate to the Endpoint Management Server using public internet. So the Administrator able to see the live logs from the Management console.

Some Few Solution:

1. We can deploy Endpoint Security Management Server on Cloud. (Cloud Management for SandBlast Agent)(sk117536).

2. We can use Remote Access VPN to able to communicate with the Endpoint Management Server which required additional Checkpoint Security Gateway to establish a tunnel or we also use the third party remote VPN solution if the customer is not using CP security Gateway.

The reason that not feasible the above solution for Some customer:-

Reason 1: Customer is not ready to deploy on the cloud Because they already have enough resources to deploy Endpoint Security Management Server On-premises.

Reason 2: Most of the user are staying outside of the organization and also they don't have much idea that every time connects to the Endpoint Server using VPN.

NOTE: Some of the other vendors such as Symantec is using one feature that gives you an option to define the public IP on the Management Server console with any PORT as per our choice. Also, that same PORT needs to define allow on the Internet-facing Firewall with Static NAT configuration so if the customer is outside of the organization able to communicate with Server without the need of any VPN solution.

So My query is that, Is there any alternate solution that we able to communicate with the Endpoint Management Server when on outside of the organization.

Regards

@Chinmaya_Naik

Re: Checkpoint Sandblast Agent need to connect when in Roaming

G_W_Albrecht — Wed, 27 Nov 2019 10:46:27 GMT

I can only refer to the Endpoint Security Administration Guide R80.30 which states:

Client to Server Communication

These services are used by the client to communicate with the Endpoint Policy Server or the Endpoint Security Management Server.

The client is always the initiator of the connections. Service (Protocol/Port)	Communication	Notes
HTTPS (TCP/443)	Most communication is over HTTPS TLSv1.2 encryption.	These are two examples: • Endpoint registration • New file encryption key retrieval
• Policy downloads	The policy files themselves are encrypted with AES.
• Heartbeat	A periodic client connection to the server. The client uses this connection to inform the server about changes in the policy status and compliance. You can configure the Heartbeat Interval (on page 21).
• Application Control queries	These are queries for the reputation of unknown applications.
• Log uploads	These connections send logs to the server.
For more sensitive services, the payload is encrypted using a proprietary Check Point protocol.	These are the encrypted sensitive services: • Full Disk Encryption Recovery Data Upload • Media Encryption & Port Protection Key Exchange • Full Disk Encryption User Acquisition & User credentials.

HTTP (TCP/80)

• Anti-Malware signature updates

Verification is done by the engine before loading the signatures, and during the update process.

• Client package downloads

The packages are signed and verified on the client before being installed.

• Synchronization

These connections send client policy updates and send status, and module updates to the server.

These HTTP messages are encrypted using a proprietary Check Point encryption protocol.

Re: Checkpoint Sandblast Agent need to connect when in Roaming

Chris_Atkinson — Wed, 27 Nov 2019 11:21:27 GMT

Have you considered deploying a separate Endpoint policy server in your DMZ?

Refer also sk112099 that talks to accessibility of the EPM via NAT.

Re: Checkpoint Sandblast Agent need to connect when in Roaming

Chinmaya_Naik — Thu, 28 Nov 2019 11:04:45 GMT

@Chris_Atkinson

Thanks for the suggestion.

As far I know that, If I build a Management Server with Private IP address and then enable the Endpoint security blade and export the client package (Not Initial client) then when I installed the client on any machine then after installation Client try to communicate with IP address (Management Server Private IP address) So basically if I follow sk112099 did the same also then How the Client will try to communicate with the Public IP ?

Endpoint Server is hosted behind the Firewall.

Workaround😉

Not Sure the below suggestion is recommended or not but work for me.

Step1: Create a static NAT for Endpoint Management Server (Give a Static public IP) on the Internet-facing firewall.

Step2: Configure external NAT on Endpoint Management Server (sk112099).

Step3: Change the Management Server IP using Smartconsole and publish and don't install the database because its not possible because we change the IP address from private to public IP.

Step4: Close the SmartConsole and reopen the Smartconsole by using the Private IP address and you able to see the public IP address on the Smartconsole.

Step5: Open the Endpoint Management Console and create a new package and export the msi package.

Step6: Now installed that package on windows Machine and connect using public internet and able to communicate with the Endpoint Management Server.

Step7: Change the IP address of MGMT Server on Smart Console and able to install the Database.

Its work for me 😉😉

Regards

@Chinmaya_Naik

Re: Checkpoint Sandblast Agent need to connect when in Roaming

Chris_Atkinson — Thu, 28 Nov 2019 11:13:05 GMT

If memory serves the process used to involve the creation of a psuedo dummy object for the public IP and manipulation of the following list (see below) but has been a while since I last used this method... would defer to the SK / TAC for confirming the current process.

SmartEndpoint > Manage > Endpoint Servers > New