You need to know the best practices for exposing a Symantec Endpoint Protection Manager (SEPM) to the Internet in a Demilitarized Zone (DMZ) or as a Bastion host.
To prevent possible exploitation of the SEPM, Symantec does not recommend directly connecting a SEPM to the Internet without first taking the appropriate measures to secure and/or harden the SEPM and its underlying operating system.
If you require an Internet-accessible SEPM, you can minimize your exposure to attack by taking the following actions:
Configure Firewall Rules
To minimize exposure to exploitation attempts, only allow incoming connections over the ports you absolutely need. For example:
SEPM replication takes place over the SEPM communications port (default: TCP 8443). To limit exposure to attacks, do not directly connect your replication partner SEPM to the Internet. If you must replicate with a SEPM in the DMZ, you must allow communications between the replication partner SEPM servers over the SEPM communications port.
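The rule set described above, as an added example that is not part of the Symantec article: a Windows Firewall configuration for the DMZ SEPM host that blocks unsolicited inbound traffic by default, permits the SEPM communications port (default TCP 8443) only from the replication partner, and then lists every rule that exposes that port so an over-broad scope is visible. It assumes the built-in NetSecurity cmdlets and uses a placeholder partner address; management access (e.g. RDP) must already be allowed by a separate rule before the default is tightened.

```powershell
# Added example (not from the Symantec article). Assumes Windows Firewall via the
# NetSecurity module; the partner address is a placeholder from the RFC 5737 range.
$SepmPort  = 8443                # SEPM communications port (default named in the article)
$PartnerIP = '203.0.113.10'      # PLACEHOLDER: replication partner SEPM in the internal network
$RuleName  = 'SEPM replication - partner only'

# 1. Deny every inbound connection that is not explicitly allowed, on all profiles.
#    Make sure your management rule (RDP, jump host) exists before running this.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Allow the SEPM communications port, but only from the replication partner.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort $SepmPort `
        -RemoteAddress $PartnerIP -Action Allow -Profile Any | Out-Null
}

# 3. Verify: show each enabled inbound Allow rule that opens the SEPM port together
#    with its remote-address scope. Any rule whose scope is "Any" exposes the port
#    to the whole Internet and should be removed or narrowed.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$SepmPort" } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress) -join ','
        }
    } | Format-Table -AutoSize
```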