I am currently deploying SEP client to DMZ from another network. There is a hardware firewall between DMZ and network of SEPM.
I read in Symantec articles about the required ports 8014 and 445 in the firewall. However, it does not work because the search client fails to find any computer.
Is it required to allow ICMP in the hardware firewall?
Thank you very much
Protocol and port
Management server and client
TCP 139 and 445 on management servers and clients
UDP 137 and 138 on management servers and clients
TCP ephemeral ports on management servers and clients
Yes I have checked this.
In fact, I have allowed ports 445, 137, 138 and 139 in the hardware firewall, but the search client will fail to find any computer in remote push.
The SEPM cannot ping the clients so do I need to allow SEPM to ping clients in order to deploy?
Oh yes, the wizard uses the ping response to determine if the client is alive.
Enable ICMP during the push deployment.
Alternatively, you can copy the package and the client deployment wizard to any one server in the DMZ and run the push deployment wizard from the DMZ. Since you have already opened the port for communication, once the installation is complete it will talk to the SEPM.
Preparing Windows operating systems for remote deployment
Best Practices: Configuring a Symantec Endpoint Protection environment in a DMZ
How to allow Symantec Endpoint Protection clients in a remote location to be managed by a Symantec Endpoint Protection Manager that's behind a NAT device
Communication issues with SEP client installed in DMZ while the SEP Manager is outside DMZ
I have disabled Windows Firewall on both the SEPM and the clients in the DMZ. So the problem is likely on the hardware firewall.
Chetan, I have allowed ports 8014, 80, 7070 and 445 and the communication is OK, but the problem I had is in remote push, new deployment of the SEP client. The search client will fail to find any computer in remote push.
SEP articles do not state ICMP; is it compulsory to allow ICMP in the firewall for remote push?
Thank you all for your help
You should be able to ping them.
Allow ping for a few machines; if the scan finds them, you can then enable it on the rest.
If allowing ping requires approval, then you can consider placing the deployment wizard in the DMZ and starting a push from the DMZ as I explained earlier.
Please refer to the link below
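
A pre-check for the conditions discussed in this thread, as an added example that is not part of the original posts or of Symantec's tooling: it tests ICMP echo and the TCP ports named above (139, 445) from the host that runs the push wizard to each DMZ client, and reports which one the hardware firewall is dropping. The host names and the function name `Test-PushPrerequisite` are assumptions made for illustration.

```powershell
# Run on the SEPM (or whichever host runs the push deployment wizard).
# Constructed placeholder host names; replace with the DMZ clients to deploy to.
$Clients  = @('dmz-client-01.example.test', 'dmz-client-02.example.test')
$TcpPorts = @(139, 445)   # TCP ports listed in the thread for remote push
# UDP 137/138 are not covered here: a connectionless probe cannot confirm them.

function Test-PushPrerequisite {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][int[]]$Port
    )
    foreach ($client in $ComputerName) {
        # One ICMP echo; per the thread, the wizard's search depends on a ping reply.
        $icmp = Test-Connection -ComputerName $client -Count 1 -Quiet

        $row     = [ordered]@{ Client = $client; ICMP = $icmp }
        $blocked = @()
        foreach ($p in $Port) {
            $r = Test-NetConnection -ComputerName $client -Port $p `
                     -WarningAction SilentlyContinue
            $row["TCP$p"] = $r.TcpTestSucceeded
            if (-not $r.TcpTestSucceeded) { $blocked += $p }
        }

        # Separate "host not discoverable" from "host discoverable but push will fail".
        $row['Finding'] =
            if (-not $icmp -and $blocked.Count -eq 0) {
                'TCP open, ICMP blocked: allow echo or push from inside the DMZ'
            } elseif (-not $icmp) {
                "ICMP and TCP $($blocked -join ',') blocked"
            } elseif ($blocked.Count -gt 0) {
                "Ping OK, TCP $($blocked -join ',') blocked"
            } else {
                'Ping and TCP reachable'
            }
        [pscustomobject]$row
    }
}

Test-PushPrerequisite -ComputerName $Clients -Port $TcpPorts |
    Format-Table -AutoSize
```

If ICMP is opened only for the deployment window, scope the rule to echo request and reply between the SEPM address and the DMZ client range.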