This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Chinmaya_Naik
Advisor
‎2019-11-27 02:24 AM
Jump to solution

Checkpoint Sandblast Agent need to connect when in Roaming

Hi Team,

Our requirement is to connect the Endpoint Security Management Server when the machine is outside of the organization. Like the machine should communicate to the Endpoint Management Server using public internet. So the Administrator able to see the live logs from the Management console.

Some Few Solution:

1. We can deploy Endpoint Security Management Server on Cloud. (Cloud Management for SandBlast Agent)(sk117536).

2. We can use Remote Access VPN to able to communicate with the Endpoint Management Server which required additional Checkpoint Security Gateway to establish a tunnel or we also use the third party remote VPN solution if the customer is not using CP security Gateway.

The reason that not feasible the above solution for Some customer:-

Reason 1: Customer is not ready to deploy on the cloud Because they already have enough resources to deploy Endpoint Security Management Server On-premises.

Reason 2: Most of the user are staying outside of the organization and also they don't have much idea that every time connects to the Endpoint Server using VPN.

 

NOTE: Some of the other vendors such as Symantec is using one feature that gives you an option to define the public IP on the Management Server console with any PORT as per our choice. Also, that same PORT needs to define allow on the Internet-facing Firewall with Static NAT configuration so if the customer is outside of the organization able to communicate with Server without the need of any VPN solution.

 

So My query is that, Is there any alternate solution that we able to communicate with the Endpoint Management Server when on outside of the organization.

 

Regards

@Chinmaya_Naik 

 

 

 

 

 

1 Solution

Accepted Solutions
Chinmaya_Naik
Advisor
‎2019-11-28 02:52 AM
In response to Chris_Atkinson
Jump to solution

@Chris_Atkinson 

Thanks for the suggestion.

As far I know that, If I build a Management Server with Private IP address and then enable the Endpoint security blade and export the client package (Not Initial client) then when I installed the client on any machine then  after installation Client try to communicate with IP address (Management Server Private IP address) So basically if I follow  sk112099  did the same also then How the Client will try to communicate with the Public IP ?

 

Endpoint Server is hosted behind the Firewall.

Workaround😉

Not Sure the below suggestion is recommended or not but work for me.

Step1: Create a static NAT for Endpoint Management Server (Give a Static public IP) on the Internet-facing firewall.

Step2: Configure external NAT on Endpoint Management Server (sk112099).

Step3: Change the Management Server  IP using Smartconsole and publish and don't install the database because its not possible because we change the IP address from private to public IP.

Step4: Close the SmartConsole and reopen the Smartconsole by using the Private IP address and you able to see the public IP address on the Smartconsole.

Step5: Open the Endpoint Management Console and create a new package and export the msi package.

Step6: Now installed that package on windows Machine and connect using public internet and able to communicate with the Endpoint Management Server.

Step7: Change the IP address of MGMT Server on Smart Console and able to install the Database.

Its work for me 😉😉

 

Regards

@Chinmaya_Naik 

 

View solution in original post

4 Replies
G_W_Albrecht
Legend Legend
Legend
‎2019-11-27 02:46 AM
Jump to solution

I can only refer to the Endpoint Security Administration Guide R80.30 which states:

Client to Server Communication 

These services are used by the client to communicate with the Endpoint Policy Server or the Endpoint Security Management Server. 

The client is always the initiator of the connections. Service (Protocol/Port) 

Communication 

Notes 

HTTPS (TCP/443) 

Most communication is over HTTPS TLSv1.2 encryption. 

These are two examples: 

• Endpoint registration 

• New file encryption key retrieval 

 

 

• Policy downloads 

 

The policy files themselves are encrypted with AES. 

  

 

• Heartbeat 

 

A periodic client connection to the server. The client uses this connection to inform the server about changes in the policy status and compliance. You can configure the Heartbeat Interval (on page 21). 

  

 

• Application Control queries 

 

These are queries for the reputation of unknown applications. 

  

 

• Log uploads 

 

These connections send logs to the server. 

  

For more sensitive services, the payload is encrypted using a proprietary Check Point protocol. 

These are the encrypted sensitive services: 

• Full Disk Encryption Recovery Data Upload 

• Media Encryption & Port Protection Key Exchange 

• Full Disk Encryption User Acquisition & User credentials. 

  

HTTP (TCP/80) 

 

• Anti-Malware signature updates 

 

Verification is done by the engine before loading the signatures, and during the update process. 

 

• Client package downloads 

 

The packages are signed and verified on the client before being installed. 

 

• Synchronization 

 

These connections send client policy updates and send status, and module updates to the server. 

These HTTP messages are encrypted using a proprietary Check Point encryption protocol. 
CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Chris_Atkinson
Employee Employee
Employee
‎2019-11-27 03:09 AM
Jump to solution

Have you considered deploying a separate Endpoint policy server in your DMZ?

Refer also sk112099 that talks to accessibility of the EPM via NAT.

CCSM R77/R80/ELITE
Chinmaya_Naik
Advisor
‎2019-11-28 02:52 AM
In response to Chris_Atkinson
Jump to solution

@Chris_Atkinson 

Thanks for the suggestion.

As far I know that, If I build a Management Server with Private IP address and then enable the Endpoint security blade and export the client package (Not Initial client) then when I installed the client on any machine then  after installation Client try to communicate with IP address (Management Server Private IP address) So basically if I follow  sk112099  did the same also then How the Client will try to communicate with the Public IP ?

 

Endpoint Server is hosted behind the Firewall.

Workaround😉

Not Sure the below suggestion is recommended or not but work for me.

Step1: Create a static NAT for Endpoint Management Server (Give a Static public IP) on the Internet-facing firewall.

Step2: Configure external NAT on Endpoint Management Server (sk112099).

Step3: Change the Management Server  IP using Smartconsole and publish and don't install the database because its not possible because we change the IP address from private to public IP.

Step4: Close the SmartConsole and reopen the Smartconsole by using the Private IP address and you able to see the public IP address on the Smartconsole.

Step5: Open the Endpoint Management Console and create a new package and export the msi package.

Step6: Now installed that package on windows Machine and connect using public internet and able to communicate with the Endpoint Management Server.

Step7: Change the IP address of MGMT Server on Smart Console and able to install the Database.

Its work for me 😉😉

 

Regards

@Chinmaya_Naik 

 

Chris_Atkinson
Employee Employee
Employee
‎2019-11-28 03:13 AM
In response to Chinmaya_Naik
Jump to solution

If memory serves the process used to involve the creation of a psuedo dummy object for the public IP and manipulation of the following list (see below) but has been a while since I last used this method... would defer to the SK / TAC for confirming the current process.

SmartEndpoint > Manage > Endpoint Servers > New

 

 

 

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events