Create a Post
Showing results for 
Search instead for 
Did you mean: 

Policy Server in DMZ


I would like to allow external users and road warriors which do not have VPN and access to the Endpoint Security Management to connect and download policy from a Policy Server. Since I don't want to expose my Endpoint Mgmt to the internet, I thought about putting a policy server which will deliver the policy to such users.

As far as I understand, all I have to do is to configure the policy server with External IP address and export the MSI package to the users. 

Will the users be able to connect for the first time directly to the policy server to pull the package after installation?

Does anybody try it before and can point if it is working?

Are there any best practices for deploying policy server in the DMZ?

Are there any pros and cons for such a configuration?

What about Security Considerations? 

5 Replies


We have operated this way for a number of months.  If you are using NAT, you just need to define an auto NAT on the Policy Server objects and ensure the NAT policy is implemented on the firewall in front of the Policy Server.

We have done full deployments using the installer agent in this model.

Things to consider:

1) The endpoints will always try to talk to the manager as a path of last resort, so you need to actively block this traffic if it is accessible via RAS etc.

2) The endpoints will try to connect to the native and NAT IP addresses so clients may traverse different paths depending on whether they are VPN connected or not.  Again, we prefer to block the native traffic and make it predictably come via the Internet (also saves crypto overhead on RAS gateway).

3) If you perform remote upgrades, you need to take care not to swamp your internet connection as a large number of clients could do.

We have also asked Check Point questions around whether the Policy Server is designed to be Internet facing and also whether its possible to reverse proxy the traffic.  So far haven't had a response.  The "outer shell" of the server is Apache and a quick config review has shown it to be reasonably well hardened and configured.  Of course you want to place it behind a properly configured gateway with up to date IPS protections etc.



You can use the Mobile Access blade to Reverse Proxy the Endpoint server.  This was recommended to us by a Check Point SE a while back, search for proxy in sk108375 and page 162 in "Endpoint Security Administration Guide R77.30.01". 

In R77.30 this needed a hotfix but with R80.10 its just a matter of enabling it and configuring the rules using CLI - sk110348.


Thanks for the detailed response James and Clint, 

I think MAB is out of the question at the moment, but once we deploy the package and set up VPN for the users, they will be able to access the Management via the VPN and the policy server in DMZ can be used as a backup. 

One more question about security, are you using strong authentication to authenticate the users and is it a problem when the user cannot access the Endpoint Management Server (which means authentication is proxied via Policy server)?

0 Kudos

Another question that I had in mind is:

If the users are always connected to the policy server in the DMZ, then they will never get a disconnected policy when outside of the network or not connected to VPN. Do you see this as an issue?

0 Kudos

We have a policy server in the DMZ to keep outside machines connected and up to date with policy. We did this to avoid needing a VPN connection on all of our external machines. For the most part this works well, but sometimes we end up having to connect a VPN to get the endpoint to update/connect.

Another thing, we currently have no way to tell the clients which policy server to connect to, Internal or DMZ. We see internal clients connected to the DMZ policy server at times. I wish we had a better way to control when clients connected on Prem always use the internal policy server, when that connection is unavailable, try the DMZ policy server.

0 Kudos