Endpoint Protection


Firewall ports for push deployment

  • 1.  Firewall ports for push deployment

    Broadcom Employee
    Posted 06-07-2013 05:32 AM

    Hello,

    I am currently deploying SEP client to DMZ from another network. There is a hardware firewall between DMZ and network of SEPM.

    I read in Symantec articles about the required ports 8014 and 445 in the firewall. However, it does not work because the search client fails to find any computer.

    Is it required to allow icmp in hardware firewall?

     

    Thank you very much



  • 2.  RE: Firewall ports for push deployment

    Posted 06-07-2013 05:40 AM

    Check this:

    About firewalls and communication ports

     
    Only these are enough for push install:

    Function: Push deployment
    Component: Management server and client
    Protocol and port:
      TCP 139 and 445 on management servers and clients
      UDP 137 and 138 on management servers and clients
      TCP ephemeral ports on management servers and clients

     



  • 3.  RE: Firewall ports for push deployment

    Broadcom Employee
    Posted 06-07-2013 05:48 AM

    Yes I have checked this.

    In fact I have allowed ports 445, 137, 138 and 139 in the hardware firewall, but the search client will fail to find any computer in remote push.

    The SEPM cannot ping the clients so do I need to allow SEPM to ping clients in order to deploy?



  • 4.  RE: Firewall ports for push deployment
    Best Answer

    Posted 06-07-2013 05:57 AM

    Oh yes, the wizard uses the ping response to determine if the client is alive.

    Enable ICMP during the push deployment.
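
A pre-flight check for the conditions discussed in this thread, as an added example that is not part of the original posts or of Symantec's tooling: run from the machine that will launch the push wizard, it tests ICMP echo and TCP 139/445 for each target and reports what the firewall is blocking. The host names are placeholders and the function name is hypothetical; UDP 137/138 are not tested because a connect test cannot confirm connectionless ports.

```powershell
# Added example. Targets are constructed placeholders; replace with the DMZ hosts.
param(
    [string[]]$Targets  = @('dmz-host-01.example.internal', 'dmz-host-02.example.internal'),
    [int[]]   $TcpPorts = @(139, 445)   # TCP ports listed in the thread for push deployment
)

function Test-PushPrereq {
    # Hypothetical helper: returns one result object per target.
    param([string]$Target, [int[]]$Ports)

    $blocked = @()

    # ICMP echo: per the accepted answer, the wizard pings a host to decide it is alive.
    $icmp = Test-Connection -ComputerName $Target -Count 2 -Quiet -ErrorAction SilentlyContinue
    if (-not $icmp) { $blocked += 'ICMP echo' }

    # TCP 139/445: a completed handshake shows the firewall passes the port
    # and something on the target is listening on it.
    foreach ($port in $Ports) {
        $open = Test-NetConnection -ComputerName $Target -Port $port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        if (-not $open) { $blocked += "TCP $port" }
    }

    [pscustomobject]@{
        Target  = $Target
        Ready   = ($blocked.Count -eq 0)
        Blocked = ($blocked -join ', ')
    }
}

# UDP 137/138 must be confirmed in the firewall rule set itself.
$Targets |
    ForEach-Object { Test-PushPrereq -Target $_ -Ports $TcpPorts } |
    Format-Table -AutoSize
```

A target that shows only "ICMP echo" under Blocked matches the symptom in this thread: the SMB ports are open but the search still finds no computers.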

     



  • 5.  RE: Firewall ports for push deployment

    Posted 06-07-2013 06:01 AM

    Alternatively, you can copy the package and the client deployment wizard to any one server in the DMZ.

    Run the push deployment wizard from the DMZ. Since you have already opened the port for communication, once the installation is complete it will talk to SEPM.

    https://www-secure.symantec.com/connect/articles/overview-push-deployment-wizard-symantec-endpoint-protection-121



  • 6.  RE: Firewall ports for push deployment

    Posted 06-07-2013 06:58 AM

    See here:

    Preparing Windows operating systems for remote deployment

    Article:HOWTO80805  |  Created: 2012-10-24  |  Updated: 2013-06-06  |  Article URL http://www.symantec.com/docs/HOWTO80805

     



  • 7.  RE: Firewall ports for push deployment

    Posted 06-07-2013 07:08 AM

    Hi,

    Role: Client Deployment Wizard
    Server Port: TCP/139, UDP/137, TCP 138, TCP 445
    Client Port: TCP/139, UDP/137, TCP 138, TCP 445

    Regards

    Ajin



  • 8.  RE: Firewall ports for push deployment

    Broadcom Employee
    Posted 06-07-2013 07:49 AM

    Hi,

    Thank you for posting in Symantec Connect.
     
    I would be glad to answer your question.
     
    You need to open a few more ports.

    Best Practices: Configuring a Symantec Endpoint Protection environment in a DMZ

    http://www.symantec.com/docs/TECH178325

    How to allow Symantec Endpoint Protection clients in a remote location to be managed by a Symantec Endpoint Protection Manager that's behind a NAT device

    http://www.symantec.com/docs/TECH93033 

    Communication issues with SEP client installed in DMZ while the SEP Manager is outside DMZ

    http://www.symantec.com/docs/TECH146736



  • 9.  RE: Firewall ports for push deployment

    Broadcom Employee
    Posted 06-09-2013 09:43 PM

    Hi

    I have disabled Windows Firewall on both SEPM and clients in DMZ. So the problem is likely on the hardware firewall.

    Chetan, I have allowed port 8014, 80, 7070, 445 and the communication is ok but the problem I had is in remote push, new deployment of SEP client. The search client will fail to find any computer in remote push.

    SEP articles do not state icmp, is it compulsory to allow icmp in firewall for remote push?

     

    Thank you all for your help



  • 10.  RE: Firewall ports for push deployment

    Posted 06-10-2013 01:32 AM

    You should be able to ping them.

    Allow ping for a few machines; if the scan finds them, you can then enable it on the rest.

    If allowing ping requires approval, then you can consider placing the deployment wizard in the DMZ and starting a push from the DMZ, as I explained earlier.



  • 11.  RE: Firewall ports for push deployment

    Broadcom Employee
    Posted 06-10-2013 04:27 AM

    Hi

    Please refer to the link below

    http://www.symantec.com/business/support/index?page=content&id=HOWTO81103&actp=search&viewlocale=en_US&searchid=1370852804788

    Regards