Enabling the Check Point Endpoint Policy Server for external communication is necessary for some customers with remote workers who never enter the office. Although these users have the Check Point Endpoint solution on their corporate devices, policy updates and logs would only reach the Endpoint Server when the user connects to the environment via VPN. Setting up a Policy Server in the DMZ ensures that communication from the Endpoint clients to the Endpoint Server happens regardless of whether the end user is connected via VPN.
For the full list of White Papers, go here.
Hi Valeri,
This document is very useful.
I have a few queries here:
1) Our policy server is placed in the DMZ, behind the firewall. Users will be connecting to the policy server from the internet. Which ports should be open on the firewall so that the Endpoint Client can connect to/update from the policy server?
2) Do we need to export the Endpoint client and install it on the Endpoint machine once NAT policies are created? Will the existing clients be able to connect to the policy server after enabling NAT?
3) Should we implement the NAT policy first, update the policies on the user machine and then move the users to the internet?
You can refer to this link concerning the ports: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
As for 2 and 3, I do not understand what you are trying to ask, sorry.
Hi Valeri,
Thanks for the port details.
As of now, there is no public IP assigned for the DMZ policy server.
The server list 'epsNetwork.xml' file will contain only the private IP of the DMZ policy server (no public IP).
We have installed the Endpoint Client on some of the systems which are in the LAN. These systems will try to reach the private IP of the DMZ policy server.
Now the LAN machines are moved to home (internet) and there is no connectivity to the DMZ policy server.
Now we are configuring NAT for the DMZ policy server; the server list 'epsNetwork.xml' will be updated with the public IP.
My question here is, how will the Endpoint Client try to reach the public IP of the DMZ policy server, as the Endpoint Client is disconnected from the Policy Server/Endpoint Server?
There are two possibilities here:
1. Policy server is accessible via its public IP address, with or without VPN connected
2. You create "disconnected" policy, which is enforced if the Policy Server is not available.
I believe this is thoroughly documented in the admin guide.
Hi Valeri,
Thanks for the information.
We want Policy Server to be accessible with its public IP address.
But the Endpoint Client is not connected to the policy server, so it will not have the public IP in the server list.
As per my understanding, we have two options here, please correct me if I am wrong:
1) Bring the machine from the internet to the LAN and update the policy so that it will update the Server List 'epsNetwork.xml' with the public IP of the policy server.
2) Export a new endpoint client from the Endpoint Server and install it on remote users, so that it will try to reach the public IP of the policy server which is in the 'epsNetwork.xml'.
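The question above turns on what the client's server list actually contains: if every entry is an RFC 1918 address, a client that has left the LAN has nothing it can reach until a policy update delivers the NATed public address. The following is an added example, not code from the thread or from Check Point: it uses a constructed server-list XML in a hypothetical layout (the real epsNetwork.xml schema is not shown on the page and may differ), classifies each entry as LAN-only or internet-reachable, and shows the list before and after a public-IP entry is added. The address 203.0.113.10 is a documentation-range placeholder standing in for a real public NAT address.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in a hypothetical layout. The real epsNetwork.xml
# schema is not shown in the thread; only the idea (a list of policy
# server addresses the client will try) is taken from it.
SAMPLE_SERVER_LIST = """<servers>
  <server name="eps-dmz" address="10.20.30.40" port="443"/>
  <server name="eps-hq" address="192.168.1.10" port="443"/>
</servers>
"""

# Address ranges that are only routable inside the corporate network.
LAN_ONLY_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def parse_server_list(xml_text):
    """Return (name, address, port) tuples from the hypothetical server-list XML."""
    root = ET.fromstring(xml_text)
    entries = []
    for node in root.iter("server"):
        addr = node.get("address")
        if addr is None:
            continue
        entries.append((node.get("name", ""), addr, int(node.get("port", "443"))))
    return entries


def classify(address):
    """Classify an entry as 'private' (LAN-only), 'public', or 'hostname'."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        # A DNS name may resolve differently inside and outside the LAN
        # (split DNS), so it is reported separately rather than guessed at.
        return "hostname"
    if ip.is_loopback or ip.is_link_local or any(ip in n for n in LAN_ONLY_NETWORKS):
        return "private"
    return "public"


def reachable_from_internet(xml_text):
    """Entries a client outside the LAN (and not on VPN) could plausibly use."""
    return [e for e in parse_server_list(xml_text)
            if classify(e[1]) in ("public", "hostname")]


def add_public_entry(xml_text, name, address, port=443):
    """Return new XML with a public-address entry appended, i.e. what a
    policy push after configuring NAT would have to deliver to the client."""
    root = ET.fromstring(xml_text)
    ET.SubElement(root, "server",
                  {"name": name, "address": address, "port": str(port)})
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before NAT:", reachable_from_internet(SAMPLE_SERVER_LIST))
    updated = add_public_entry(SAMPLE_SERVER_LIST, "eps-dmz-nat", "203.0.113.10")
    print("after NAT: ", reachable_from_internet(updated))
```

Run against the constructed list, the "before" result is empty, which is exactly the situation described in the post: a client taken home with this list has no reachable server entry, so it stays disconnected until it receives the updated list through some path that still works (VPN, or a freshly exported client).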
So, if your policy server has public IP address, all you need is to get the new endpoint policy on the client. The simplest way is to push policy to your RAS VPN GW and get clients connected. Upon connection, they should receive the new IP address of your policy server.
Hi Valeri,
Thanks for the info.
I have already exported and installed the EP Client on the machine (this client has the private IP information of the policy server).
There was no public IP configured during the EP client export. This client doesn't contain any public IP information as there is no NAT configuration.
After installing the EP Client on the endpoint machine, I have configured NAT on the Policy Server.
Now, to connect the EP Client with the public IP, I have connected the remote machine through VPN and updated the policy.
Then I disconnected the VPN and checked the status; it shows 'Disconnected', whereas it should connect to the public IP of the policy server.
If you are sure the config you are using is compliant with the white paper, and there are no configuration issues that you can spot, please raise the case to TAC for further troubleshooting.
Hi Val,
Is there an option to exclude the EPS server in the DMZ (or better said the public IP) from acting as an "FDE Pre-boot bypass server"?
If I use the option "Bypass Pre-boot user when connected to LAN" in the FDE settings, the Pre-Boot will be bypassed from anywhere in the internet :-(.
Thanks a lot in advance.
Karl-Hermann