
Establishing a site-to-site VPN tunnel is the best option: it lets the SEP clients be managed like any other clients on the internal network. However, a site-to-site VPN tunnel is not always possible, and sometimes the risk of passing SEP management traffic over the external network is acceptable.
This document explains how to achieve this without a site-to-site VPN tunnel.
- Add a client group for the clients in the remote location.
- Add a management server list that contains the external IP address of the NAT device and the port SEPM uses for client communication.
- Assign the management server list to the client group. Change the communication mode to pull mode and set the heartbeat interval appropriately (push mode keeps a connection open to SEPM, which a NAT device may drop; in pull mode the client reconnects at each heartbeat).
- Configure the NAT device to redirect traffic arriving on its external IP address and the port specified in task 2 to SEPM's internal IP address and the same port.
- Copy the sylink.xml of the client group to existing clients, or export a client install package for the group and deploy it to the computers.
- We recommend that you switch communication between SEPM and clients to HTTPS, because the traffic now crosses the external network.
Task 1: Add a client group for the clients in the remote location
- In the SEPM console, click Clients.
- Under View Clients, select the group to which you want to add a new subgroup.
- On the Clients tab, under Tasks, click Add Group.
- In the Add Group for group name dialog box, type the group name and a description.
- Click OK.
Task 2: Add a management server list
- In the console, click Policies.
- In the Policies page, under View Policies, click Policy Components > Management Server Lists.
- Under Tasks, click Add a Management Server List.
- In the Management Server Lists dialog box, in the Name text field, type a name for the management server list and an optional description.
- To specify which communication protocol to use between the management servers and the clients, select one of the following options:
- Use HTTP protocol. Client traffic to SEPM is sent in clear text.
- Use HTTPS protocol. Use this option if you want management servers to communicate by using HTTPS; the server must have Secure Sockets Layer (SSL) enabled (see task 6).
- If you require the client to verify the server certificate against a trusted third-party certificate authority, check Verify certificate when using HTTPS protocol. Enable this only if SEPM's HTTPS certificate is issued by a CA the clients trust; otherwise the clients cannot connect.
- To add a server, click Add > New Server.
- In the Add Management Server dialog box, in the Server address text field, type the external IP address of the NAT device. This is the address the remote clients connect to, so if it changes later you must update this list and redeploy the communication settings.
- If you are using a non-default port number for either the HTTP or HTTPS protocol for this server, do one of the following tasks:
- Check Customize HTTP port number and enter a new port number. The default port number for the HTTP protocol is 8014 for MR3 and later.
- Check Customize HTTPS port number and enter a new port number. The default port number for the HTTPS protocol is 443.
- Click OK.
Task 3: Assign the management server list to the group
- In the console, click Policies.
- In the Policies page, under View Policies, click Policy Components > Management Server Lists.
- In the Management Server Lists pane, select the management server list you created in task 2.
- Under Tasks, click Assign the List.
- In the Apply Management Server List dialog box, check the group you created in task 1.
- Click Assign.
- When you are prompted, click Yes.
Task 4: Configure the NAT device to redirect traffic
Please consult your NAT device manual on how to perform this task. The forward must send TCP traffic that arrives on the device's external IP address and the port from task 2 to SEPM's internal IP address on the same port. Forward that port only, and make sure the device's firewall allows the forwarded traffic.
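As an added example that is not part of this article or of Symantec's documentation, the following script shows what task 4 looks like on a Linux NAT device that uses iptables, together with the standard SEPM reachability check (the secars "hello" request) run from a machine on the remote side. The WAN interface name, the addresses and the port are assumed placeholders; substitute your own.

```shell
#!/bin/sh
# Added example for this article (not Symantec's code): port-forward SEPM client
# traffic through a Linux NAT device with iptables, then check reachability from
# the remote side. Assumes a Linux router with iptables and conntrack, a WAN
# interface named eth0, and a FORWARD chain that drops by default. All addresses
# below are constructed placeholders; substitute your own.

EXT_IP="${EXT_IP:-203.0.113.10}"     # external IP of the NAT device (placeholder)
SEPM_IP="${SEPM_IP:-192.168.10.20}"  # SEPM's internal IP (placeholder)
SEPM_PORT="${SEPM_PORT:-443}"        # port entered in the management server list (HTTPS here)
WAN_IF="${WAN_IF:-eth0}"             # interface that carries the external IP

# Print the iptables rules that redirect TCP traffic arriving on EXT:PORT to
# SEPM:PORT. Only that one port is forwarded; nothing else on SEPM is exposed.
sepm_nat_rules() {
  ext="$1"; sepm="$2"; port="$3"; wan="$4"
  cat <<EOF
iptables -t nat -A PREROUTING -i $wan -d $ext -p tcp --dport $port -j DNAT --to-destination $sepm:$port
iptables -A FORWARD -i $wan -d $sepm -p tcp --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o $wan -s $sepm -p tcp --sport $port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Build the URL of SEPM's secars "hello" test for the address the remote
# clients use (proto is http or https).
sepm_hello_url() {
  proto="$1"; host="$2"; port="$3"
  echo "$proto://$host:$port/secars/secars.dll?hello,secars"
}

# Run the hello test from a machine on the remote side. SEPM answers "OK" when
# the request reaches it. -k skips certificate verification: this checks the
# port forward, not the certificate.
sepm_check() {
  url=$(sepm_hello_url "$@")
  body=$(curl -sk --max-time 10 "$url") || return 1
  [ "$body" = "OK" ]
}

# Dry run: show the rules. Apply them on the NAT device with:
#   sepm_nat_rules "$EXT_IP" "$SEPM_IP" "$SEPM_PORT" "$WAN_IF" | sh
sepm_nat_rules "$EXT_IP" "$SEPM_IP" "$SEPM_PORT" "$WAN_IF"
```

After the rules are in place, run `sepm_check https 203.0.113.10 443` from the remote site (with your own external address); a non-zero exit means the request never reached SEPM and the forward or the firewall rule needs fixing. Run the same check against SEPM's internal address from inside the LAN first, so that a failure is known to be the NAT path and not SEPM itself.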
Task 5: Copy sylink.xml
- In the Console, click Clients.
- In the View Clients column, select the group you created in task 1.
- Right-click the selected group, then click Export Communication Settings at the bottom of the drop-down menu.
- In the Export Communication Settings for group name dialog box, click Browse. The default location is My Documents.
- In the Select Export File dialog, locate the folder to which you want to export the sylink.xml file, and click OK.
- In the Export Group Registration Setting for group name dialog box, select one of the following options:
- To apply the policies of the group of which the computer is a member, click Computer Mode.
- To apply the policies of the group of which the user is a member, click User Mode.
- Click Export.
If the file name already exists, click OK to overwrite it, or Cancel to save the file with a new file name.
- Copy the file to the desktop of the computers in the remote location.
- Open the client interface on the computers in remote location.
- Click on Help and Support and select Troubleshooting.
- Click Import, browse to the .xml file exported from the Manager, and click OK.
Task 6: Enabling SSL communications between a Symantec Endpoint Protection Manager and its clients
Read and follow the steps in Enable SSL communications between Endpoint Protection Manager and clients