Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
_Val_
Admin
Admin

White Paper - R80.20 Endpoint Policy Server in DMZ for External Access

Author

@Dan_Schneppenhe 

Abstract:

Enabling the Check Point Endpoint Policy Server for external communication is necessary for some customers with remote workers that never enter the office, yet with the Check Point Endpoint solution on their corporate devices, policy updates, logs would only get to the Endpoint Server if the user VPNs into the environment. Setting up a Policy Server in the DMZ ensures that communication from the Endpoint clients to the Endpoint Server would happen regardless if the end user is connected via a VPN.

 

For the full list of White Papers, go here

11 Replies
nagaraja_cs
Contributor

Hi Valeri,

This is document is very useful.

I have few queries here:

1)Our policy server is placed in DMZ which is behind the firewall.Users will be connecting to policy server from the internet.What all ports should be open on firewall so that the Endpoint Client can connect/update from policy server.

2)Do we need to export the Endpoint client and install on the Endpoint machine once NAT policies are created.Will the existing clients be able to connect to policy server after enabling NAT ?

3)Should we implement NAT policy first ,update the policies on the user machine and then move the users to internet ?

0 Kudos
_Val_
Admin
Admin

You can refer to this link concerning the ports: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

As for 2 and 3, I do not understand what you are trying to ask, sorry. 

 

0 Kudos
nagaraja_cs
Contributor

Hi Valeri,

Thanks for the port details.

As of now,there is no public IP assigned for the DMZ policy server.

The server list 'epsNetwork.xml' file will contain only private IP of the DMZ policy server(No public IP).

We have installed the Endpoint Client  on some of the systems which are in LAN.These system will try to reach private IP of DMZ policy server.

Now the LAN machines are moved to home(internet) and there is no connectivity to DMZ policy server.

Now we are configuring the NAT for the DMZ policy server,server list 'epsNetwork.xml' will be updated with the public IP.

My question here is ,how the Endpoint Client will try to reach the public IP of DMZ policy server as the Endpoint Client is disconnected from the Policy server/Endpoint Server.

 

 

 

 

0 Kudos
_Val_
Admin
Admin

There are two possibilities here:

1. Policy server is accessible via its public IP address, with or without VPN connected

2. You create "disconnected" policy, which is enforced if the Policy Server is not available. 

 

I believe this is thoroughly documented in the admin guide.

0 Kudos
nagaraja_cs
Contributor

Hi Valeri,

Thanks for the information.

We want Policy Server to be accessible with its public IP address.

But the Endpoint Client is not connected to policy server,so it will not have public IP in the server list.

As per my understanding,we have two options here,please correct me if I am wrong:

1)Bring the machine from internet to the LAN and update the policy so that it will update the Server List 'epsNetwork.xml' with public IP of the policy server.

2)Export new endpoint client from the Endpoint Server and install on remote users,so that it will try to reach the public IP of the policy server which is in the 'epsNetwork.xml'

0 Kudos
_Val_
Admin
Admin

So, if your policy server has public IP address, all you need is to get the new endpoint policy on the client. The simplest way is to push policy to your RAS VPN GW and get clients connected. Upon connection, they should receive the new IP address of your policy server. 

0 Kudos
nagaraja_cs
Contributor

Hi Valeri,

Thanks for the info.

I have already exported and installed the EP Client on the machine(This client has private IP information of policy server).

There was no public IP configured during the EP client export.This client doesn't contain any public IP information as there is no NAT configuration.

After installing the EP Client on endpoint machine,I have configured NAT on Policy Server.

Now to connect EP Client with public IP,I have connected the remote machine through VPN and updated the policy.

Then disconnected the VPN and checked the status,it shows 'Disconnected' instead it should connect to public IP of the policy server.

 

0 Kudos
_Val_
Admin
Admin

If you sure the config you are using is compliant with the white paper, and there are no configuration issues that you can spot, please rase the case to TAC for further troubleshooting

0 Kudos
Karl-Hermann
Explorer

Hi Val,

Is there an option to exclude the EPS server in the DMZ (or better said the public IP) from acting as an "FDE Pre-boot bypass server"?

If I use the option "Bypass Pre-boot user when connected to LAN" in the FDE settings, the Pre-Boot will be bypassed from anywhere in the internet :-(.

Thanks a lot in advance.

Karl-Hermann

 

0 Kudos
Pavlo
Explorer

Hello Valeri Loukine,

Our environment was build like in manual you provided.

We have Policy server in DMZ and there is a probability of changing external IP translating to local interface in near future.

How to get external endpoint clients not disconnected?

Could you please give advise or corresponding SK if exist.

0 Kudos
_Val_
Admin
Admin

It is best to reach out to TAC for official recommendations.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events