This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
_Val_
Admin
Admin
‎2019-05-08 12:47 AM

White Paper - R80.20 Endpoint Policy Server in DMZ for External Access

Author

@Dan_Schneppenhe 

Abstract:

Enabling the Check Point Endpoint Policy Server for external communication is necessary for some customers with remote workers that never enter the office, yet with the Check Point Endpoint solution on their corporate devices, policy updates, logs would only get to the Endpoint Server if the user VPNs into the environment. Setting up a Policy Server in the DMZ ensures that communication from the Endpoint clients to the Endpoint Server would happen regardless if the end user is connected via a VPN.

 

For the full list of White Papers, go here

Preview file
1957 KB
9 Replies
nagaraja_cs
Contributor
‎2020-03-19 10:56 PM

Hi Valeri,

This is document is very useful.

I have few queries here:

1)Our policy server is placed in DMZ which is behind the firewall.Users will be connecting to policy server from the internet.What all ports should be open on firewall so that the Endpoint Client can connect/update from policy server.

2)Do we need to export the Endpoint client and install on the Endpoint machine once NAT policies are created.Will the existing clients be able to connect to policy server after enabling NAT ?

3)Should we implement NAT policy first ,update the policies on the user machine and then move the users to internet ?

0 Kudos
_Val_
Admin
Admin
‎2020-03-21 05:34 AM
In response to nagaraja_cs

You can refer to this link concerning the ports: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

As for 2 and 3, I do not understand what you are trying to ask, sorry. 

 

0 Kudos
nagaraja_cs
Contributor
‎2020-03-24 12:00 AM
In response to _Val_

Hi Valeri,

Thanks for the port details.

As of now,there is no public IP assigned for the DMZ policy server.

The server list 'epsNetwork.xml' file will contain only private IP of the DMZ policy server(No public IP).

We have installed the Endpoint Client  on some of the systems which are in LAN.These system will try to reach private IP of DMZ policy server.

Now the LAN machines are moved to home(internet) and there is no connectivity to DMZ policy server.

Now we are configuring the NAT for the DMZ policy server,server list 'epsNetwork.xml' will be updated with the public IP.

My question here is ,how the Endpoint Client will try to reach the public IP of DMZ policy server as the Endpoint Client is disconnected from the Policy server/Endpoint Server.

 

 

 

 

0 Kudos
_Val_
Admin
Admin
‎2020-03-24 12:49 AM
In response to nagaraja_cs

There are two possibilities here:

1. Policy server is accessible via its public IP address, with or without VPN connected

2. You create "disconnected" policy, which is enforced if the Policy Server is not available. 

 

I believe this is thoroughly documented in the admin guide.

0 Kudos
nagaraja_cs
Contributor
‎2020-03-24 12:58 AM
In response to _Val_

Hi Valeri,

Thanks for the information.

We want Policy Server to be accessible with its public IP address.

But the Endpoint Client is not connected to policy server,so it will not have public IP in the server list.

As per my understanding,we have two options here,please correct me if I am wrong:

1)Bring the machine from internet to the LAN and update the policy so that it will update the Server List 'epsNetwork.xml' with public IP of the policy server.

2)Export new endpoint client from the Endpoint Server and install on remote users,so that it will try to reach the public IP of the policy server which is in the 'epsNetwork.xml'

0 Kudos
_Val_
Admin
Admin
‎2020-03-24 01:23 AM
In response to nagaraja_cs

So, if your policy server has public IP address, all you need is to get the new endpoint policy on the client. The simplest way is to push policy to your RAS VPN GW and get clients connected. Upon connection, they should receive the new IP address of your policy server. 

0 Kudos
nagaraja_cs
Contributor
‎2020-04-06 06:20 AM
In response to _Val_

Hi Valeri,

Thanks for the info.

I have already exported and installed the EP Client on the machine(This client has private IP information of policy server).

There was no public IP configured during the EP client export.This client doesn't contain any public IP information as there is no NAT configuration.

After installing the EP Client on endpoint machine,I have configured NAT on Policy Server.

Now to connect EP Client with public IP,I have connected the remote machine through VPN and updated the policy.

Then disconnected the VPN and checked the status,it shows 'Disconnected' instead it should connect to public IP of the policy server.

 

0 Kudos
_Val_
Admin
Admin
‎2020-04-06 06:22 AM
In response to nagaraja_cs

If you sure the config you are using is compliant with the white paper, and there are no configuration issues that you can spot, please rase the case to TAC for further troubleshooting

0 Kudos
Karl-Hermann
Explorer
‎2020-08-18 07:06 AM

Hi Val,

Is there an option to exclude the EPS server in the DMZ (or better said the public IP) from acting as an "FDE Pre-boot bypass server"?

If I use the option "Bypass Pre-boot user when connected to LAN" in the FDE settings, the Pre-Boot will be bypassed from anywhere in the internet :-(.

Thanks a lot in advance.

Karl-Hermann

 

0 Kudos