Vladimir
Champion

EndPoint Management in R80.20

I am trying to figure out if in R80.20+ the function of the Endpoint Management server is now integrated with general Management server and does not require any additional servers.

Since I am not very familiar with the EndPoint management, please let me know if the products referred to as EndPoint Security, EndPoint Security Management and EndPoint Management refer to the same thing.

The client has R77.30 Management server with R75.XX Endpoint Security (or management) and they are looking to upgrade the whole shebang to R80.20.

 

So what I am trying to determine is what the best upgrade path is and if the policies, packages etc. from the old EndPoint Management/Security server should and could be migrated to a new consolidated Management server.

 

Thank you,

Vladimir

16 Replies
Wolfgang
Authority

This is a very important question. I know that R80.20 SMS supports both gateway and endpoint management.

Have a look at the Endpoint Homepage in the "Detail per release" section...

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

But I can't find any useful information for an upgrade or experience from a migration of a real environment. We had a customer running both managements on R77.30 who wants to upgrade.

Any information would be very helpful.

 

Kim_Moberg
Advisor

To my understanding R80.20 is fully supported running both gateway management and endpoint management on the same server.

In that way you can correlate both gateway logs with endpoint logs side by side. Quite a cool feature, actually.

Best Regards
Kim
Vladimir
Champion

Domain Admin account for Endpoint Management is mentioned only once in the "Endpoint Security Management Server R80.20 Administration Guide", after the service account is created:

"Enter (and confirm) the password of the Active Directory Domain Admin user you created for Endpoint Security use."

I do not see the Domain Admin rights as a prerequisite earlier in the documentation.

 

PhoneBoy
Admin

The reason R77.30.0x existed was because Endpoint features were evolving faster than Network Management.
In R80.20, the management changes from R77.30.03 were merged in, so you can theoretically run them on the same appliance.
Whether you should do this is a different question.
Likewise, merging (or splitting) Network and Endpoint Management currently requires Professional Services (i.e. no automated process for this currently).
Vladimir
Champion

OK, so it is still advisable, from your point of view, to maintain the EndPoint management on a separate instance of the Management Server? Is it simply deployed as a "Secondary Management" and the Endpoint Management blade and Logging and Reporting enabled on it? Or is there a different ISO or FTW option for standalone Endpoint Management?

Daniel_Taney
Advisor

To @PhoneBoy's point, we found a few compelling reasons to keep the management for the two separate. In our case, some of it was a matter of our primary SMS being located on a segment of the network that we don't allow everyone to reach. It made it easier to put the management for Endpoint on a LAN that was easily accessible by all our client machines.

We also found that the features in Endpoint have been evolving at a different, faster pace than most CP products. For that reason, we also liked the idea of keeping them separate. We have the flexibility to move the two between versions at different paces if necessary. The one tricky thing of doing it this way is getting the logs merged with the GW logs, but there are some good SK articles to help with that.

As far as setting it up, you wouldn't define it as a secondary management server. You would just use the R80.20 Management ISO and build a new SMS instance with Endpoint and Logging enabled. 

R80 CCSA / CCSE
Vladimir
Champion

Thank you @Daniel_Taney. Can you tell me about the integration of the SmartConsole and SmartEndpoint? In Demo Mode, once you are in SmartConsole, you can drop down the menu in the top-left corner and start the SmartEndpoint from there without being prompted for logon, similar to the SmartDashboard for "unevolved" applications.

Is there a SIC established between SmartEndpoint and the Management Server? If so, how, if it is installed as another primary?

Daniel_Taney
Advisor

No, you don't establish SIC per se... it is a little confusing. I believe this SK helps explain ways to import logs from an externally managed Management Server.

R80 CCSA / CCSE
Vladimir
Champion

Thank you. From the looks of it, CP has some work to do in terms of integrating EP with Management in the same security domain. If the common wisdom is still to keep EP on a separate machine, as in the past, what is the justification of jumping through so many hoops to get them working together? That is a rhetorical question 🙂

Vladimir
Champion

Some help here please...

 

I am looking at the client with CPSM-P1003 (blades NPM, EPM, LOGS) and the CPEP-C1-VPN-F-VSI-25 license.

And I am trying to figure out what, if anything, the EndPoint could manage on this client. I do not believe there is a dedicated VPN management section in the Endpoint Policy, and the only things that come to mind without additional licenses are the "Client Settings" and perhaps "User Authentication", and even that one I am not sure about.

Also, can someone tell me if these features:

[Screenshot: Check Point SmartDashboard R80.10 - Mobile Access]

 

Require EndPoint Firewall and Compliance blade to be taken advantage of?

If so and if this is the only goal for the client, do they actually need an EndPoint Management server? What other functionality would they be able to utilize with only VPN and Compliance blades licensed?

In Compliance section there are two options:

[Screenshot: Compliance section options]

What relation do they have to EndPoint Security on Demand?

 

Thank you,

Vladimir

Daniel_Taney
Advisor

I believe that going forward, the SmartEndpoint is the management tool of choice. That is the tool where all the policy for the SandBlast, Disk Encryption, Capsule Docs, Firewall, etc. blades resides. I'll be honest, I'm no expert on the "legacy" Endpoint, which I think is more what is illustrated in your screenshot, but Check Point has so many VPN / Remote Access options, it is almost dizzying 🙂 sk67820 gives you all the possible options!

[Screenshot: SmartEndpoint Blades]

I actually don't use the Endpoint Client for VPN, so I really can't comment too much on that piece of it. However, I believe that the settings and controls for that are still a part of the Mobile Access blade, which would be in the Legacy SmartDashboard. None of that changes in R80.20. You still have to use SmartDashboard to manage DLP, Anti-Spam, QoS, Mobile Access and HTTPS.

I'm not sure if that helps answer your questions or not?

R80 CCSA / CCSE
Vladimir
Champion

Thank you. It still eludes me as to what the client is licensed for and what possible advantage they are getting from their EPM blade, given that they are only licensed for VPN and the EP container.

Since EP itself does not appear to have a dedicated VPN section in its policy, I have to only speculate that the "legacy" or "On Demand" is the option they have to use.

Really would like to get more clarity on the subject.

As you have mentioned, there is an overabundance of EndPoint clients and Remote Access solutions. This makes life quite complicated, especially if we are not dealing with those on a regular basis.

 

Regards,

Vladimir

PhoneBoy
Admin

None of the VPN solutions require Endpoint Management to manage, which can be done with regular IPSec or Mobile Access Blade.
Vladimir
Champion

And if the client is looking to enforce compliance with Microsoft patches and AV signatures, is this something that is achievable by using these rules to create a policy or choosing one of the three baked-in policies?

[Screenshot: Check Point SmartDashboard R80.10 - Mobile Access]

And the CPEP-C1-VPN-F-VSI-25 license covers this use case?

If this is the case, I am trying to figure out what is the reason for this client to maintain the EPM server if that's the only license for the endpoint that they are using.

Am I missing something?

PhoneBoy
Admin

For Endpoint Compliance features, you definitely need SmartEndpoint.

ESOD is for access via the Mobile Access Portal.

Vladimir
Champion

Got it. Looking through the Endpoint Security R80.20 Management Server Administration Guide, I see that:

Container license - One license for each endpoint client (seat). This license is attached to the Endpoint Security Management Server.

Software Blade licenses - Network Protection - Bundle license that includes Endpoint Security Firewall, Compliance, Application Control, and Access Zones.
*Note - This license automatically comes with the Container License.

And since the client already has the CPEP-C1-VPN-F-VSI-25 license, they should be able to enforce compliance on the VPN Endpoints using EPM.

 

Thank you for sticking with this thread!
