I am trying to figure out if in R80.20+ the function of the Endpoint Management server is now integrated with the general Management server and does not require any additional servers.
Since I am not very familiar with the EndPoint management, please let me know if the products referred to as EndPoint Security, EndPoint Security Management and EndPoint Management refer to the same thing.
The client has R77.30 Management server with R75.XX Endpoint Security (or management) and they are looking to upgrade the whole shebang to R80.20.
So what I am trying to determine is what the best upgrade path is and if the policies, packages etc. from the old EndPoint Management/Security server should and could be migrated to a new consolidated Management server.
Thank you,
Vladimir
This is a very important question. I know that R80.20 SMS supports both gateway and endpoint management.
Have a look at the Endpoint Homepage in the "Details per release" section.
But I can't find any useful information for an upgrade and experience from a migration of a real environment. We had a customer running both managements on R77.30 and wanting to upgrade.
Any information would be very helpful.
To my understanding R80.20 is fully supported running both gateway management and endpoint management on the same server.
In that way you can correlate both gateway logs with endpoint logs side by side. Quite a cool feature actually.
The Domain Admin account for Endpoint Management is mentioned only once in the "Endpoint Security Management Server R80.20 Administration Guide", after the service account is created:
"Enter (and confirm) the password of the Active Directory Domain Admin user you created for Endpoint Security use."
I do not see the Domain Admin rights as a prerequisite earlier in the documentation.
OK, so it is still advisable, from your point of view, to maintain the EndPoint management on a separate instance of the Management Server? Is it simply deployed as a "Secondary Management" and the Endpoint Management blade and Logging and Reporting enabled on it? Or is there a different ISO or FTW option for standalone Endpoint Management?
To @PhoneBoy's point, we found a few compelling reasons to keep the management for the two separate. In our case, some of it was a matter of our primary SMS being located on a segment of the network that we don't allow everyone to reach. It made it easier to put the management for Endpoint on a LAN that was easily accessible by all our client machines.
We also found that the features in Endpoint have been evolving at a different, faster pace than most CP products. For that reason, we also liked the idea of keeping them separate. We have the flexibility to move the two between versions at different paces if necessary. The one tricky thing of doing it this way is getting the logs merged with the GW logs, but there are some good SK articles to help with that.
As far as setting it up, you wouldn't define it as a secondary management server. You would just use the R80.20 Management ISO and build a new SMS instance with Endpoint and Logging enabled.
Thank you @Daniel_Taney. Can you tell me about the integration of the SmartConsole and SmartEndpoint? In Demo Mode, once you are in SmartConsole, you can drop down the menu in the top-left corner and start the SmartEndpoint from there without being prompted for logon, similar to the SmartDashboard for "unevolved" applications.
Is there a SIC established between SmartEndpoint and the Management Server? If so, how, if it is installed as another primary?
No, you don't establish SIC per se... it is a little confusing. I believe this SK helps explain ways to import logs from an externally managed Management Server.
Thank you. From the looks of it, CP has some work to do in terms of integrating EP with Management in the same security domain. If the common wisdom is still to keep EP on a separate machine, as in the past, what is the justification of jumping through so many hoops to get them working together? That is a rhetorical question 🙂
Some help here please...
I am looking at the client with CPSM-P1003 (blades NPM, EPM, LOGS) and the CPEP-C1-VPN-F-VSI-25 license.
And I am trying to figure out what, if anything, the EndPoint could manage on this client. I do not believe there is a dedicated VPN management section in the Endpoint Policy, and the only things that come to mind without additional licenses are the "Client Settings" and perhaps "User Authentication", and even that one I am not sure about.
Also, can someone tell me if these features:
Require EndPoint Firewall and Compliance blade to be taken advantage of?
If so and if this is the only goal for the client, do they actually need an EndPoint Management server? What other functionality would they be able to utilize with only VPN and Compliance blades licensed?
In Compliance section there are two options:
What relation do they have to EndPoint Security on Demand?
Thank you,
Vladimir
I believe that going forward, the SmartEndpoint is the management tool of choice. That is the tool where all the policy for the SandBlast, Disk Encryption, Capsule Docs, Firewall, etc. blades resides. I'll be honest, I'm no expert on the "legacy" Endpoint, which I think is more what is illustrated in your screenshot, but Check Point has so many VPN / Remote Access options, it is almost dizzying 🙂 sk67820 gives you all the possible options!
SmartEndpoint Blades
I actually don't use the Endpoint Client for VPN. So I really can't comment too much on that piece of it. However, I believe that the settings and controls for that are still a part of the Mobile Access blade, which would be in the Legacy SmartDashboard. None of that changes in R80.20. You still have to use SmartDashboard to manage DLP, Anti-Spam, QoS, Mobile Access and HTTPS.
I'm not sure if that helps answer your questions or not?
Thank you. It still eludes me as to what the client is licensed for and what possible advantage they are getting from their EPM blade, given that they are only licensed for VPN and the EP container.
Since EP itself does not appear to have a dedicated VPN section in its policy, I have to only speculate that the "legacy" or "On Demand" is the option they have to use.
Really would like to get more clarity on the subject.
As you have mentioned, there is an overabundance of EndPoint clients and Remote Access solutions. This makes life quite complicated, especially if we are not dealing with those on a regular basis.
Regards,
Vladimir
And if the client is looking to enforce compliance with Microsoft Patches and AV signatures, is this something that is achievable by using these rules to create a policy or choosing one of the three baked-in policies?
And the CPEP-C1-VPN-F-VSI-25 license covers this use case?
If this is the case, I am trying to figure out what is the reason for this client to maintain the EPM server if that's the only license for the endpoint that they are using.
Am I missing something?
For Endpoint Compliance features, you definitely need SmartEndpoint.
ESOD is for access via the Mobile Access Portal.
Got it. Looking through the Endpoint Security R80.20 Management Server Administration Guide, I see that:
Container license - One license for each endpoint client (seat). This license is attached to the Endpoint Security Management Server.
Software Blade licenses - Network Protection - Bundle license that includes Endpoint Security Firewall, Compliance, Application Control, and Access Zones.
*Note - This license automatically comes with the Container License.
And since the client already has the CPEP-C1-VPN-F-VSI-25 license, they should be able to enforce compliance on the VPN Endpoints using EPM.
Thank you for sticking with this thread!