White Paper - R80.20 Endpoint Policy Server in DMZ for External Access
Author
Abstract:
Enabling the Check Point Endpoint Policy Server for external communication is necessary for some customers with remote workers who never enter the office, yet have the Check Point Endpoint solution on their corporate devices; policy updates and logs would only get to the Endpoint Server if the user VPNs into the environment. Setting up a Policy Server in the DMZ ensures that communication from the Endpoint clients to the Endpoint Server happens regardless of whether the end user is connected via VPN.
For the full list of White Papers, go here.
Hi Valeri,
This document is very useful.
I have a few queries here:
1) Our policy server is placed in the DMZ, behind the firewall. Users will be connecting to the policy server from the internet. Which ports should be open on the firewall so that the Endpoint Client can connect to/update from the policy server?
2) Do we need to export the Endpoint client and install it on the endpoint machines once the NAT policies are created? Will the existing clients be able to connect to the policy server after enabling NAT?
3) Should we implement the NAT policy first, update the policies on the user machines, and then move the users to the internet?
You can refer to this link concerning the ports: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
As for 2 and 3, I do not understand what you are trying to ask, sorry.
Hi Valeri,
Thanks for the port details.
As of now, there is no public IP assigned to the DMZ policy server.
The server list file 'epsNetwork.xml' contains only the private IP of the DMZ policy server (no public IP).
We have installed the Endpoint Client on some of the systems in the LAN. These systems try to reach the private IP of the DMZ policy server.
Now the LAN machines have been moved home (internet) and there is no connectivity to the DMZ policy server.
Now we are configuring NAT for the DMZ policy server, and the server list 'epsNetwork.xml' will be updated with the public IP.
My question here is: how will the Endpoint Client try to reach the public IP of the DMZ policy server, given that the Endpoint Client is disconnected from the Policy Server/Endpoint Server?
There are two possibilities here:
1. Policy server is accessible via its public IP address, with or without VPN connected
2. You create "disconnected" policy, which is enforced if the Policy Server is not available.
I believe this is thoroughly documented in the admin guide.
Hi Valeri,
Thanks for the information.
We want the Policy Server to be accessible via its public IP address.
But the Endpoint Client is not connected to the policy server, so it will not have the public IP in its server list.
As per my understanding, we have two options here; please correct me if I am wrong:
1) Bring the machine from the internet back to the LAN and update the policy, so that the server list 'epsNetwork.xml' is updated with the public IP of the policy server.
2) Export a new endpoint client from the Endpoint Server and install it on the remote users' machines, so that it tries to reach the public IP of the policy server that is in 'epsNetwork.xml'.
So, if your policy server has public IP address, all you need is to get the new endpoint policy on the client. The simplest way is to push policy to your RAS VPN GW and get clients connected. Upon connection, they should receive the new IP address of your policy server.
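The two posts above describe the same constraint from both sides: a client only learns the new public address of the DMZ Policy Server by receiving an updated policy, and it can only receive that policy while it can still reach a server already in its list (on the LAN or over VPN). The following Python script is an added example that is not part of the original thread and not Check Point code. It models that constraint so the rollout order can be checked before users are moved to the internet. The XML layout, the port value, and the address/location model are assumptions for illustration; the real epsNetwork.xml schema and the required ports (see the sk linked earlier) are not reproduced here.

```python
"""Model of Endpoint client server-list behaviour during a DMZ Policy Server NAT rollout.

Added example, not Check Point code. The XML layout is an assumed stand-in for
epsNetwork.xml, the port is a placeholder, and reachability is a simple model:
the private address answers from the LAN or over VPN, the NAT'd public address
answers from the internet (no hairpin NAT assumed inside).
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: server list as exported BEFORE NAT existed (private IP only).
SERVER_LIST_BEFORE_NAT = """<?xml version="1.0"?>
<servers>
  <server address="10.20.30.40" port="443"/>
</servers>"""

# Constructed sample: server list AFTER the DMZ server received a public NAT address.
# 203.0.113.0/24 is a documentation range standing in for the real public IP.
SERVER_LIST_AFTER_NAT = """<?xml version="1.0"?>
<servers>
  <server address="10.20.30.40" port="443"/>
  <server address="203.0.113.10" port="443"/>
</servers>"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True for private (RFC 1918) addresses, which are unreachable from the internet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_server_list(xml_text):
    """Return (address, port) pairs from the assumed server-list layout."""
    root = ET.fromstring(xml_text)
    return [(s.get("address"), int(s.get("port"))) for s in root.findall("server")]


def lacks_public_address(servers):
    """Pre-flight check: a list with only private addresses strands roaming clients."""
    return all(is_rfc1918(addr) for addr, _ in servers)


def reachable(addr, location):
    """Which listed address a client can reach from 'lan', 'vpn' or 'internet'."""
    private = is_rfc1918(addr)
    if location == "internet":
        return not private          # only the NAT'd public address answers
    return private                  # LAN/VPN: private address routed, no hairpin NAT assumed


def select_server(servers, location):
    """First reachable server in list order; None means the client shows 'Disconnected'."""
    for addr, port in servers:
        if reachable(addr, location):
            return addr, port
    return None


def apply_policy_update(client_list, new_list, location):
    """A client only receives a new server list if it can reach a server it already knows."""
    if select_server(client_list, location) is None:
        return client_list          # disconnected: the update never arrives
    return new_list


def rollout(location_during_update):
    """Walk a client through the rollout: old list -> policy update -> roaming on the internet.

    Returns the server the roaming client ends up using, or None if it stays disconnected.
    """
    old = parse_server_list(SERVER_LIST_BEFORE_NAT)
    new = parse_server_list(SERVER_LIST_AFTER_NAT)
    client_list = apply_policy_update(old, new, location_during_update)
    return select_server(client_list, "internet")


if __name__ == "__main__":
    before = parse_server_list(SERVER_LIST_BEFORE_NAT)
    if lacks_public_address(before):
        print("WARNING: exported server list has no public address; do not move users off-LAN yet")
    print("update attempted from internet:", rollout("internet"))   # None: still disconnected
    print("update received over VPN:      ", rollout("vpn"))        # public address, connects
```

The ordering this enforces is the one suggested in the thread: configure NAT, push the updated policy, and let clients pick it up while they are on the LAN or connected over VPN; a client that is already off-LAN with only the private address in its list has nothing to update from.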
Hi Valeri,
Thanks for the info.
I have already exported and installed the EP Client on the machine (this client has the private IP information of the policy server).
There was no public IP configured during the EP client export. This client doesn't contain any public IP information, as there was no NAT configuration.
After installing the EP Client on the endpoint machine, I configured NAT on the Policy Server.
Now, to connect the EP Client via the public IP, I connected the remote machine through VPN and updated the policy.
Then I disconnected the VPN and checked the status; it shows 'Disconnected', whereas it should connect to the public IP of the policy server.
If you are sure the config you are using is compliant with the white paper, and there are no configuration issues that you can spot, please raise a case with TAC for further troubleshooting.
Hi Val,
Is there an option to exclude the EPS server in the DMZ (or better said the public IP) from acting as an "FDE Pre-boot bypass server"?
If I use the option "Bypass Pre-boot user when connected to LAN" in the FDE settings, the Pre-Boot will be bypassed from anywhere on the internet :-(.
Thanks a lot in advance.
Karl-Hermann
Hello Valeri Loukine,
Our environment was built as in the manual you provided.
We have the Policy Server in the DMZ, and there is a probability that the external IP translating to the local interface will change in the near future.
How can we keep the external endpoint clients from becoming disconnected?
Could you please advise, or point to the corresponding SK if one exists.
It is best to reach out to TAC for official recommendations.
