Endpoint Encryption Management Server In DMZ Guidelines


Article ID: 151058

Products

Endpoint Encryption

Issue/Introduction


Resolution

Some situations may require external users to check in to a Symantec Endpoint Encryption Management Server (SEEMS). An example of this situation would be remote users who do not have VPN access. In this and similar instances, a user may want to have a SEEMS in a DMZ or in an environment that accepts external connections with minimal filtering. Having a SEEMS in either of these environments is strongly discouraged and is not supported by Symantec.

These servers are designed to be placed inside a highly secure environment, behind firewalls and other security measures. Placing a SEEMS in an external-facing environment introduces a major security risk, as the server has not been hardened against malicious attacks. An attacker could gain access to the SEEMS and from there gain unauthorized access to the internal server, read or modify confidential information on the external server or the SQL database it is connected to, and cause harm in a multitude of other ways.

Alternatives to having a SEEMS in a DMZ are to use either a proxy or a load balancer. Both of these methods remove the need to have a SEEMS in an external-facing environment and forward only the necessary traffic to an internal SEEMS in a safe and secure way.
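The following is an added illustration of the reverse-proxy alternative described above; it is not Symantec's configuration and is not taken from this article. It shows an nginx reverse proxy sitting in the DMZ that terminates client TLS and forwards only the client check-in path to the internal SEEMS, while refusing everything else so the management console is never reachable from outside. The hostnames, certificate paths, the internal port (assumed 443) and the check-in URL path are placeholders; the port and path that Endpoint Encryption clients actually use must be taken from the product documentation.

```nginx
# Added example (not from the article): DMZ reverse proxy that forwards
# endpoint client check-ins to an internal SEEMS. All names, ports and
# paths below are placeholders or assumptions.

# The internal management server. The DMZ firewall should allow only this
# proxy host to reach this one internal host and port (port assumed 443).
upstream seems_internal {
    server seems-internal.example.internal:443;
}

server {
    listen 443 ssl;
    server_name seems-external.example.com;   # name the remote clients connect to

    # Certificate presented to external clients (placeholder paths).
    ssl_certificate     /etc/nginx/certs/seems-external.crt;
    ssl_certificate_key /etc/nginx/certs/seems-external.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Forward only the path the endpoint clients need. The path itself is a
    # placeholder; use the one documented for the SEEMS client check-in.
    location /CLIENT-CHECKIN-PATH/ {
        proxy_pass https://seems_internal;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Verify the internal server's certificate so the proxy cannot be
        # pointed at an impostor on the internal network.
        proxy_ssl_server_name         on;
        proxy_ssl_name                seems-internal.example.internal;
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/certs/internal-ca.crt;  # placeholder
    }

    # Every other URL (including the administration console) is refused,
    # so the proxy exposes nothing beyond client check-in.
    location / {
        return 403;
    }
}

# Redirect plain HTTP to HTTPS so check-ins are never sent in the clear.
server {
    listen 80;
    server_name seems-external.example.com;
    return 301 https://$host$request_uri;
}
```

With this layout the SEEMS and its SQL database stay behind the internal firewall; the only externally reachable component is the proxy, which holds no Endpoint Encryption data and can be rebuilt independently if it is compromised. A load balancer with an equivalent single-backend, single-path forwarding rule achieves the same separation.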