J_B
Collaborator

Endpoint Policy Server

When pushing out new clients to devices, does the Endpoint Policy Server handle this, or will the new client be downloaded from the Primary Management Server? 

I was almost sure that the client would be downloaded from the Policy Server that the client is connected to, but it's not really clear within the documentation, as it doesn't specify how client upgrades are handled. We're gradually updating 4000+ clients and the comms links are getting hammered, almost as if all the client downloads are coming from the Primary Management Server.

The Endpoint Policy Server handles the most frequent and bandwidth-consuming communication. The Endpoint Policy Server handles these requests without forwarding them to the Endpoint Security Management Server:

  • All heartbeat and synchronization requests.
  • Policy downloads.
  • Anti-Malware updates.
  • All Endpoint Security client logs (the Endpoint Policy Server is configured as Log Server by default).

It would be great if you could restrict the Policy Servers to only communicate with certain subnets that you specify, a bit like what you can do with distribution points within SCCM.  There doesn't seem to be any real logic behind the proximity analysis, apart from a simple ping command.

4 Replies
PhoneBoy
Admin

It uses ping to determine proximity analysis, you are correct.
I assume you could restrict access to the Policy Server using a firewall rule if needed.
J_B
Collaborator

Can we submit feature requests for future releases/fixes? In a large environment with hundreds of sites, the way policy servers work really hampers the network when it comes to client upgrades.

Policy updates or AntiMalware upgrades are great when using a policy server, but not when it comes to installing a new 700MB client on 5000 machines. A client should always look to use a policy server on its own subnet for a client upgrade, not one over the WAN link.

Thanks
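The two selection strategies discussed in this thread, as an added example that is not part of the original post and is not Check Point's own code: a ping-only chooser that mimics the proximity analysis described above (lowest round-trip time wins), and the subnet-aware chooser J_B asks for (prefer a reachable policy server on the client's own subnet, fall back to lowest RTT only if there is none). The server names, addresses and RTT figures are constructed for illustration, and the RTTs are treated as a single snapshot rather than per-client measurements; the `wan_traffic_mb` helper is likewise a hypothetical audit function that counts any download from a server outside the client's subnet as WAN traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class PolicyServer:
    name: str
    address: str               # IPv4 address of the Endpoint Policy Server
    rtt_ms: Optional[float]    # ping round-trip time; None means no reply (server down/filtered)


def ping_only_choice(client_iface: str, servers: List[PolicyServer]) -> Optional[PolicyServer]:
    """Mimic a ping-based proximity analysis: the reachable server with the
    lowest RTT wins, regardless of whether it sits on the client's subnet.
    On fast WAN links this can favour a remote server over a local one."""
    reachable = [s for s in servers if s.rtt_ms is not None]
    if not reachable:
        return None
    return min(reachable, key=lambda s: s.rtt_ms)


def subnet_aware_choice(client_iface: str, servers: List[PolicyServer]) -> Optional[PolicyServer]:
    """Hypothetical alternative: prefer a reachable server on the client's own
    subnet; only if none exists, fall back to the ping-only rule."""
    network = ipaddress.ip_interface(client_iface).network
    local = [
        s for s in servers
        if s.rtt_ms is not None and ipaddress.ip_address(s.address) in network
    ]
    if local:
        return min(local, key=lambda s: s.rtt_ms)
    return ping_only_choice(client_iface, servers)


def wan_traffic_mb(
    clients: List[str],
    servers: List[PolicyServer],
    chooser: Callable[[str, List[PolicyServer]], Optional[PolicyServer]],
    client_mb: int = 700,
) -> float:
    """Estimate how many megabytes a client rollout pushes across WAN links:
    every download from a server outside the client's own subnet counts."""
    total = 0.0
    for client in clients:
        network = ipaddress.ip_interface(client).network
        pick = chooser(client, servers)
        if pick is not None and ipaddress.ip_address(pick.address) not in network:
            total += client_mb
    return total


# Constructed sample data: an HQ policy server reachable over a fast WAN link,
# a local server at site 20, and a local server at site 21 that is not answering.
SERVERS = [
    PolicyServer("eps-hq", "10.1.1.10", 2.1),
    PolicyServer("eps-site20", "10.20.5.10", 2.4),
    PolicyServer("eps-site21", "10.21.7.10", None),
]
CLIENTS = ["10.20.5.17/24", "10.20.5.18/24", "10.21.7.5/24"]


if __name__ == "__main__":
    for client in CLIENTS:
        print(client,
              "ping-only ->", ping_only_choice(client, SERVERS).name,
              "| subnet-aware ->", subnet_aware_choice(client, SERVERS).name)
    print("WAN MB, ping-only:   ", wan_traffic_mb(CLIENTS, SERVERS, ping_only_choice))
    print("WAN MB, subnet-aware:", wan_traffic_mb(CLIENTS, SERVERS, subnet_aware_choice))
```

With the sample data, the ping-only rule sends every client to `eps-hq` because its RTT is marginally lower, so all three 700MB downloads cross the WAN; the subnet-aware rule keeps the two site-20 clients local and only the site-21 client (whose local server is down) falls back to HQ. Run it against your own site list and measured RTTs to size the WAN impact before a rollout.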

PhoneBoy
Admin

The naive question I have is: shouldn't the policy server in your network have lower latency than one over the WAN link?
In any case, the formal link to submit RFEs: https://rfe.checkpoint.com/rfe/rfe.htm
If it's a deal breaker, I highly recommend working with your local office.
J_B
Collaborator

They're fast WAN links so the latency is negligible across most of the sites.  Until of course clients start running client upgrades across all the WAN links instead of just using the policy server on their own subnet.

Thanks for the link.
