search cancel

Symantec Endpoint Protection Manager , clients and NAT (Network Address Translations) Frequently Asked Questions.


Article ID: 243491


Updated On:


Endpoint Protection


You have questions with SEP deployments in a NATed environment.


1/ My SEP clients are behind a NAT router, is there any impact to communication with the SEPM

   No, the clients will connect correctly to the SEPM and will download policies and content as normal. The SEPM will see the clients connecting from the NAT router IP but this is normal and has no functional impact, it is similar to clients connecting through a web proxy.
The clients will still forward their network status, including local IP addresses and other network configuration to the SEPM when sending their opstate.


2/ My SEP Manager is behind a NAT router,  what is the impact to client communication?

   In case your SEP Manager is behind a NAT router, it is necessary to understand and address a few things:

- First, it is necessary to create a new Management Server List (MSL) containing the NAT router address and the port assigned to the SEPM client port. This MSL will need to be assigned to the client groups or locations that need to go through the NAT router to connect to the SEPM.

- When using HTTPS for client communication, there may be a connection problem due to the fact the SEPM certificate subject names do no match the NAT router DNS Name or IP.
In this case, you will need to either switch to HTTP communication or generate a new certificate with the NAT router DNS Name or IP address in the Subject Alternative Names property of the certificate and install it on your SEPM server.
See: Update the server certificate on the management server without breaking communications with the client

3/ My SEP Manager is behind a NAT router, can we use the NAT IP and port to manage the SEPM through the Web or remote java console.

  Yes, it is possible to connect to the web console when the SEPM is behind a NAT router, with one caveat however, some of the reporting pages use redirect to the local SEPM hostname / addresses, these page will not load if connecting through NAT.
This will mostly impact the monitors and reports page, all other functionality should work as expected.
It is important to note that the SEPM console uses a different port (default 8443) than the client communication ports, so both ports should be translated separately for both to work.