
Deploying SEP 12.x into a DMZ

I need a solution

I have tried searching.  Anytime I mention Cisco, I get references to UCS or ACS.  If I mention firewall, I get Windows and SEP Firewall.

Here's what we're doing:  We are creating a new DMZ architecture, with Cisco ASAs in between the LAN and the DMZ.  The DMZ servers will be in their own AD domain.  Since the SEP services will vary greatly, I also created a new Domain in the SEPM.  I need to determine the best SEP and firewall configuration for this.  Primarily, I'm talking about being able to manage the SEP clients in the DMZ using SEPM inside the LAN.  So...

On the SEP side, we created the domain, and an install package for it, saved on a server designated a DMZ management server.  SEP has that management server designated as a GUP.

So on the firewall side, that GUP needs what rules on the ASA in order to communicate with the SEPM?  I think it needs TCP 8014, for SEP/SEPM communications.  TCP and UDP 2967 for SEPM/GUP communications.  TCP 443 to the SEPM.  LiveUpdate will not permit access to Symantec.  Only via the SEPM.

Is that right for the GUP?  What permissions do SEP clients in the DMZ domain need in order to have full functionality?  Do they need any permissions direct to the SEPM?  It seems to me that the SEP clients need 8014 to the SEPM so that they can register with the SEPM and download the policies, like the GUP setting.  Or have I misread, and that's included in the install package I created on the SEPM?

My fellows on the Security team who concentrate on the ASA firewalls complain that opening these ports for all DMZ servers to allow SEP communication is breaking the whole reason for having the servers in the DMZ.  Am I misunderstanding?  Is there a document that can give me better guidance on what I absolutely need, and what I can tighten down when it comes to the interaction between these DMZ servers and the SEPM?
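As an added example (not part of the original post, and not Symantec or Cisco code), the sketch below reviews proposed DMZ-to-LAN permit rules so that each one is pinned to the single SEPM host and to a port from the post's candidate list. The SEPM address, the ACL name and the sample lines are constructed assumptions, the parser covers only a small subset of ASA extended ACL syntax, and the port list is the poster's own unconfirmed list.

```python
import re

SEPM = "10.1.1.10"  # hypothetical SEPM address inside the LAN (assumption)
# Candidate ports as listed in the post; the post itself asks whether they are right.
CANDIDATE = {"tcp": {8014, 443, 2967}, "udp": {2967}}

ADDR = r"(?:any|host\s+\S+|\d+\.\d+\.\d+\.\d+\s+\d+\.\d+\.\d+\.\d+)"
ACL_RE = re.compile(
    r"^access-list\s+\S+\s+extended\s+permit\s+(?P<proto>tcp|udp|ip)\s+"
    rf"(?P<src>{ADDR})\s+(?P<dst>{ADDR})(?:\s+eq\s+(?P<port>\d+))?\s*$"
)

def review(line):
    """Return a list of findings for one permit line; an empty list means narrow enough."""
    m = ACL_RE.match(line.strip())
    if not m:
        return ["unparsed: review by hand"]
    findings = []
    proto, port = m["proto"], m["port"]
    dst = " ".join(m["dst"].split())  # normalise whitespace
    if dst != f"host {SEPM}":
        findings.append("destination is wider than the single SEPM host")
    if proto == "ip" or port is None:
        findings.append("no port restriction")
    elif int(port) not in CANDIDATE[proto]:
        findings.append(f"{proto}/{port} is not in the post's candidate list")
    return findings

# Constructed sample rules (not taken from any real firewall).
SAMPLE = [
    "access-list DMZ_IN extended permit tcp host 172.16.0.20 host 10.1.1.10 eq 8014",
    "access-list DMZ_IN extended permit tcp 172.16.0.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 8014",
    "access-list DMZ_IN extended permit ip host 172.16.0.20 host 10.1.1.10",
    "access-list DMZ_IN extended permit tcp host 172.16.0.20 host 10.1.1.10 eq 445",
]

if __name__ == "__main__":
    for rule in SAMPLE:
        print(rule)
        for finding in review(rule) or ["ok"]:
            print("   ", finding)
```
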

