Hello, I hope everyone is doing well.
We are currently implementing Symantec DLP for a customer.
- The Enforce Server and Network Prevent for Email have been installed in the core network.
- Two Endpoint Servers have been installed in the DMZ.
During the setup, we used only the default ports, as per the guidelines. The only exception is that we configured the hostname of the DMZ Endpoint Servers using their FQDN instead of their IP addresses.
According to Symantec Broadcom, the default ports are as follows:
Symantec DLP Port Reference
We have configured the firewall rules to allow the following connections as specified in the documentation:
- Client → Endpoint (DMZ Located): Port 10443
- Endpoint (DMZ Located) → Enforce Server: Port 8100
However, when we configure these ports as uni-directional, as recommended by Symantec Broadcom, no incidents are generated.
All services on the Enforce Server, Endpoint Servers, and clients appear to be running fine.
We are 100% sure that the policy is correct.
Do you think there could be an issue here where the clients are successfully sending all information to the Endpoint Servers and then to the Enforce Server, but no policies are reaching the clients?
We would greatly appreciate your support. Has anyone set up Endpoint Servers in the DMZ before?
Looking forward to your insights.
Best regards,
Mustafa
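One way to verify each network leg from the host you are standing on, added here as an example and not code from the post or from Symantec: a completed TCP handshake on the listed port confirms that the firewall passes both the initiating packet and the reply for that leg, which is what a stateful unidirectional rule has to provide. The ports and directions are the ones listed above; the hostnames are placeholders to replace with the customer's FQDNs.

```python
import socket
import threading

# Required flows as listed in the post: (description, destination, TCP port).
# Hostnames are placeholders (assumption); replace with the customer's FQDNs.
REQUIRED_FLOWS = [
    ("Client -> Endpoint Server (DMZ)", "endpoint1.dmz.example.invalid", 10443),
    ("Endpoint Server (DMZ) -> Enforce Server", "enforce.core.example.invalid", 8100),
]

def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout.

    A completed handshake means the firewall admitted the SYN in the rule's
    direction and the SYN-ACK back, so a stateful rule allowing only the
    initiating direction is sufficient for this leg. Application-level
    authentication and certificate checks are not exercised here.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or name resolution failed
        return False

def check_flows(flows=REQUIRED_FLOWS) -> dict:
    """Test each flow from the host this runs on: run it on a client for the
    first leg and on an Endpoint Server in the DMZ for the second."""
    return {desc: tcp_reachable(host, port) for desc, host, port in flows}

def loopback_listener() -> socket.socket:
    """Open an ephemeral loopback listener that accepts one connection, so the
    check itself can be exercised without access to the customer's network."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def _accept_one():
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:  # listener closed before a connection arrived
            pass

    threading.Thread(target=_accept_one, daemon=True).start()
    return srv

if __name__ == "__main__":
    for desc, ok in check_flows().items():
        print(f"{'OK  ' if ok else 'FAIL'} {desc}")
```

A FAIL on the first leg from a client, or on the second leg from an Endpoint Server, points at the firewall or name resolution; OK on both legs means the remaining suspects are the services themselves and the direction Enforce and the Endpoint Servers expect to initiate from.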