Messaging Gateway


Offline Control Center

  • 1.  Offline Control Center

    Posted Jan 27, 2021 04:08 PM
    Hi everyone. Just a quick question, if the control center only role doesn't have internet access what will happen? Is the license going to be suspended?

    Or once a license is registered on Control Center after deployment it is never checked again with the Symantec licensing server?

    Appreciate your response thanks

    ------------------------------
    Symantec Enthusiast
    ------------------------------


  • 2.  RE: Offline Control Center

    Posted Jan 27, 2021 04:27 PM
    Anyone? Thanks

    ------------------------------
    Symantec Enthusiast
    ------------------------------



  • 3.  RE: Offline Control Center

    Posted Jan 27, 2021 04:38 PM
    The control center doesn’t really need internet. The license is verified only once after registering the CC.




  • 4.  RE: Offline Control Center

    Broadcom Employee
    Posted Jan 27, 2021 05:21 PM
    If you register a CC and then remove its ability to communicate with the SYMC/BRCM back end servers, you will, at a minimum, be plagued with a plethora of error messages in the log. Probably more impactful will be the loss of the ability to automatically receive notifications of software updates and your ability to use the CC to kick off software updates on the attached scanners, etc.

    Think carefully about the administrative burden you are taking on here: Without the BCC in contact with the back-end software repositories, it will fall to "you" to regularly log in to each scanner, check for updates/patches, and use the CLI to install them. We provide you the tools to do these things (ssh keys, etc, so you can leverage your own scripts), but is the tradeoff worth YOUR time and effort?

    There are specific interfaces provided for customers who intend to run the product on a network that has no access to "the internet" (e.g. SIPRNET).  Depending on your needs/reasons for taking the CC offline, you may want to investigate things like "localinstall", and "offline registration".   (Strong warning about off-line registration:  it's a one-way trip, so if you do it and don't like it, you will have to re-install).

    One more warning: in earlier releases, the collection of telemetry data (no PII, just configuration elements, etc.) was optional. In later releases (10.7.4 for certain), this was changed from optional to mandatory, so there is a possibility of violating the (I assume) updated EULA and/or your support contract.
    (Someone else may be able to verify this, to paraphrase Dr. McCoy in the old Star Trek series "I'm just a bit-pounder,  Jim, NOT a lawyer")

    You didn't ask about off-line scanners, so I'll assume you are already aware of THOSE consequences.

    Final note:  could you post more details on your use case?  The more we know about how customers are using the product the better the chances that we can continue to evolve the product in a way that is most useful/relevant to YOUR needs.


  • 5.  RE: Offline Control Center

    Posted Jan 27, 2021 05:32 PM
    @tpa thanks for the reply. I appreciate that.

    Actually the customer wants to move CC in a segment which doesn't have internet access at all because of some internal requirements. Scanners already have internet access which is managed by CC.

    CC license is already. They just want to know if CC is not connected to internet apart from Software and patches download and install which they can do via local-install and except the errors in the logs about connectivity, what other main features of CC they will miss which requires internet access?

    Thanks

    ------------------------------
    Symantec Enthusiast
    ------------------------------



  • 6.  RE: Offline Control Center

    Broadcom Employee
    Posted Jan 27, 2021 06:01 PM
    Understood and thanks for the clarification.
    Forgot to mention potential disruption in access to the spam quarantine:  IF they are using message digests and the end-user wants to take action on the quarantined message from "the outside", isolating the CC will disrupt that feature.

    Anyway, barring the above exception, I should think they should be fairly safe, but I believe the more traditional approach to this is to ensure that the BCC has an outbound "path" to the internet (i.e. it CAN open connections to swupdate.brightmail.com), but no "inbound" path (i.e. incoming connection requests are blocked/filtered), thereby providing the customer with the security they are looking for without limiting product features.


  • 7.  RE: Offline Control Center

    Posted Jan 28, 2021 12:49 PM
    @tpa thanks for the reply, I really appreciate it.

    My customer is completely aware of all the things which will not be available if the CC doesn't have internet access.

    Now the challenge is they want to place CC in a segment which doesn't have internet access at all and license registration is not done.

    Is there any offline license which I can use on the CC for registration as it doesn't have internet access to validate it?

    Customer insists on the CC not to have internet access at all.

    ------------------------------
    Symantec Enthusiast
    ------------------------------



  • 8.  RE: Offline Control Center

    Posted Jan 28, 2021 03:36 PM
    Anyone?

    ------------------------------
    Symantec Enthusiast
    ------------------------------



  • 9.  RE: Offline Control Center

    Posted Jan 28, 2021 03:40 PM

    Don't do that.  Put the CC with proxy access to the internet.






  • 10.  RE: Offline Control Center

    Posted Jan 28, 2021 03:45 PM
    Not an option.

    How to do offline license registration for CC?

    ------------------------------
    Symantec Enthusiast
    ------------------------------



  • 11.  RE: Offline Control Center

    Posted Jan 28, 2021 03:48 PM
    U don’t




  • 12.  RE: Offline Control Center

    Broadcom Employee
    Posted Jan 28, 2021 04:20 PM


    I absolutely agree with Alex: you don't really want to dig yourself (or your customer) into this administrative nightmare of a hole.
    Using proxies is fully supported by the product and is the best practice for achieving the kind of isolation they are trying to achieve.


  • 13.  RE: Offline Control Center

    Posted Jan 28, 2021 04:27 PM
    Thanks TPA for the explanation. I have already explained everything to them, they don't want anything in their internal segment access to the internet, even through the proxy. CC is one of them. This is a policy decision which they have.

    Scanners are in the DMZ so they will keep on downloading the SPAM and AV signatures.

    Is there a way we can do the offline license registration on the CC?

    ------------------------------
    Symantec Enthusiast
    ------------------------------



  • 14.  RE: Offline Control Center

    Broadcom Employee
    Posted Jan 28, 2021 06:48 PM
    OK, but one last consideration:  IF you ever intend to use the customer specific rules feature, you will be SOL:  it will be broken.
    Check out the "license-control" CLI command.

    usage: license-control --license <url>

    url:
    An scp, ftp, or http url with the following syntax:
    scp://'user'@host[:port]/path/file (prompt for password)
    scprsa://'user'@host/path/file
    ftp://'user':'password'@host[:port]/path/file
    ftp://'user'@host[:port]/path/file (prompt for password)
    http://host[:port]/path/file

    When the user name or password are part of the URL, write them in
    quotes if they have any special shell characters in them.

    This works for a brand new instance, that has never been licensed before.
    I strongly suggest you create a VM with the 10.7.4 ISO image, to your required specs and then clone it before you go through bootstrap and all that. This will give you the opportunity to walk through the process until you are comfortable with it before trying this on a production instance. At the very least you will have a much better idea of what can happen without burning a maintenance window.

    Let the customer know they are pushing you over the side of the boat, while in un-charted waters!!

    Good Luck!!  