South Africa Security and Compliance User Group

 View Only
  • 1.  How to configure a GUP if SEPM is hosted with public IP

    Posted Sep 16, 2016 02:31 AM

    A customer has purchased a hosted SEPM with public facing IP at a cloud service provider. The customer has 3 sites of which, 2 will require a GUP (200+ users) . How does one configure a GUP to talk back to the hosted SEPM if the GUP has an internal IP address? Can this be done? If so, what needs to be
    done at customer and what needs to be done at cloud service provider?



  • 2.  RE: How to configure a GUP if SEPM is hosted with public IP
    Best Answer

    Posted Sep 16, 2016 03:53 AM

    The GUP talks to the hosted SEPM the same as any other SEP client in the estate.  This typically just involves:

    1. Create MSL with the SEPM's externally accessible IP and/or name
    2. Ensure this MSL is in the deplyed client packages
    3. Make sure the routing, name resolution, and ports work from all clients (including the GUPs) to the SEPM's external address
    4. Make sure the routing, name resolution, and ports work from the clients to the GUP(s)
    5. Use hostnames or internal IP addresses in the LU Policy to define the GUPs

    Obviously, it's recommended to enable and use HTTPS comms on this external SEPM, and to lock down console access.

     

    Essentially, there's nothing really different in hosting a SEPM externally to having it placed inside your network.  The client heartbeats all use their sylink.xml files to determine how they should contact the SEPM (name/IP address/etc), and after that it's just making sure the client can resolve the name, and route to the IP address over the port defined.  Nothing special is required for the GUPs either, as they grab defs from the SEPM over the same heartbeat port, and the GUP port is used between the other SEP clients and the GUP, which is usually internal to your network.