ITMS Administrator Group


Peer-to-peer downloading feature / disable outside of the internal network

  • 1.  Peer-to-peer downloading feature / disable outside of the internal network

    Posted 05-17-2017 08:22 AM

    Hi all,

    The article "How to configure peer-to-peer downloading? (Windows only)" ( https://support.symantec.com/en_US/article.DOC9473.html)

    describes the configuration of the P2P download feature. I have configured this for testing purposes. Before rolling this out on all computers, some concerns came up from our IT Security team. They would like P2P not to be available if a computer is outside the company network.

    This is described in the document named earlier:

    Don't use peer-to-peer downloading

    In certain cases, you can disable using the peer-to-peer downloading.

    For example, if the computers are outside of the internal network and use Cloud-enabled Management for communicating with Notification Server.

     

    There does not seem to be a setting saying "disable on external network". Or maybe I just haven't found it? Does anyone know how to configure this?

    Thanks.

    Stefan

     



  • 2.  RE: Peer-to-peer downloading feature / disable outside of the internal network

    Posted 05-18-2017 06:45 AM

    If I activate P2P on the SMA, the agent starts an HTTP web server listening on port 56118. So what I would like is that if I use my laptop on a public hotspot, for example, the HTTP web server is not running and listening on port 56118, in case somebody would try to hack into my computer...

    Or, to ask the other way round: what are the security measures that ensure nobody untrusted can browse to the HTTP server?

     

    HTTP server stores the list of packages.

     

    The HTTP server is part of the Symantec Management Agent process. It starts automatically after you enable peer-to-peer downloading.

    The HTTP server stores the list of package GUIDs with their associated states.

    The Package Delivery component on Symantec Management Agent informs the HTTP server about the folder where the downloaded packages are stored and about the state of each package.

     



  • 3.  RE: Peer-to-peer downloading feature / disable outside of the internal network

    Posted 05-18-2017 05:15 AM

    Nope. We are not using CEM.

    I was hoping there was a switch for "normal" mode as well, for when the client is not on the internal network (no communication to the NS).

    Seems like I have to raise a feature request here. Or do you see any workaround?
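    One client-side workaround, added here as an example and not a setting of the product or a suggestion from the thread: let the Windows Firewall network profile decide where the agent's listener is reachable, so that the port is only open while the machine is on the Domain profile. The port number 56118 is the one named earlier in the thread; the rule names are assumptions chosen for this example. This does not stop the agent from starting its HTTP server, it only controls which networks can reach it.

```powershell
# Added example (not the product's own code): inspect the P2P listener on port 56118
# and restrict inbound access to it by Windows Firewall profile. Run in an elevated
# PowerShell on a test client. Rule names are assumptions.

$P2PPort = 56118

# 1. Is anything listening on the P2P port, and which process owns the socket?
$listeners = Get-NetTCPConnection -LocalPort $P2PPort -State Listen -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    "{0}:{1} owned by PID {2} ({3})" -f $l.LocalAddress, $l.LocalPort, $l.OwningProcess, $proc.ProcessName
}
if (-not $listeners) { "Nothing is listening on TCP $P2PPort (P2P not enabled or agent not running)." }

# 2. Which firewall profile (Domain / Private / Public) is each active interface on right now?
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory

# 3. Allow inbound connections to the listener only on the Domain profile and block them
#    on Private and Public. Windows Firewall evaluates Block rules before Allow rules, so
#    the Block rule wins off-domain even if another rule already allows the port.
$allowName = 'SMA P2P (56118) - Domain only'        # assumed rule name
$blockName = 'SMA P2P (56118) - Block off-domain'   # assumed rule name

if (-not (Get-NetFirewallRule -DisplayName $allowName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $allowName -Direction Inbound -Protocol TCP `
        -LocalPort $P2PPort -Profile Domain -Action Allow | Out-Null
}
if (-not (Get-NetFirewallRule -DisplayName $blockName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $blockName -Direction Inbound -Protocol TCP `
        -LocalPort $P2PPort -Profile Private,Public -Action Block | Out-Null
}

# 4. Verify the resulting rules.
Get-NetFirewallRule -DisplayName 'SMA P2P (56118)*' |
    Select-Object DisplayName, Profile, Action, Enabled
```

    The Domain profile is applied when Windows can reach a domain controller, which is a reasonable proxy for "on the internal network" in most environments; on a public hotspot the interface falls into the Public profile and the Block rule applies. For a real rollout the same two rules would be pushed through Group Policy rather than created by hand on each client.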



  • 4.  RE: Peer-to-peer downloading feature / disable outside of the internal network

    Broadcom Employee
    Posted 05-18-2017 06:30 AM

    Stefan, can you please define what a "local" network is?
    The Agent works with the SMP. When in the same network as the SMP, it will be able to download packages. If moved to another network where the SMP is not reachable, then no package download will be available anyway, since every package download needs to receive the package information from the SMP.

    Using CEM allows agents to connect to the SMP through the gateway, so package download is also possible. A future release will contain the check-box (mentioned earlier) to turn off P2P when CEM mode is active.
     



  • 5.  RE: Peer-to-peer downloading feature / disable outside of the internal network

    Posted 05-17-2017 01:07 PM

    Hi Stefan S.

    Are you using CEM?

    In an upcoming release there will be a new checkbox called "Don't use peer-to-peer downloading", with the options:

      -> When CEM mode is active...
      -> In Wi-Fi network
      -> When Package Server is available in the same subnet

    If you are using CEM, you can disable it when the agent switches into CEM mode (disable on external network....)

     

    Hope this helps..

    Network23

     



  • 6.  RE: Peer-to-peer downloading feature / disable outside of the internal network

    Broadcom Employee
    Posted 05-18-2017 08:54 AM

    The HTTP web server on the Agent does not allow any writes to system resources. It only allows reading the specific files (packages which are participating in P2P), and this access is done through authentication with secure data provided by the particular SMP. This means even agents from a different SMP will not gain any access to your machine.