I have a few branch offices that do not have a site-to-site VPN back to HQ. I have a VPN client installed on the machines at these locations to allow them to connect when needed, which allows SEP clients to update as well.
I would like to allow the client machines at the remote locations to connect to my Endpoint Protection Manager over the internet. By this, I mean connect over the public internet to my specific domain server, not connect and download updates from LiveUpdate. I want the clients to connect directly to my company server.
From what I understand, I would simply need to create a firewall rule to route to my server, then point the remote offices to that address. For example, create a firewall entry to point traffic from symantec.mycompany.com to the private IP address of my management server. I would then need to point the clients to symantec.mycompany.com instead of the FQDN of the local server.
My question is, are there some sort of security pieces in place to prevent non-SEP traffic from using port 8014? I know that I can just open the port on the internet firewall, but if someone sniffs or injects on that port, is there a way that non-Symantec traffic will be rejected...
I know that when we deploy a new install, the management server builds an install package. I am wondering if there is a security control within the package creation where it inserts a certificate or alphanumeric string that is passed from client to server while the TCP connection is negotiated. Even if it's using an HTTPS connection from client to server over the public internet, what safeguards are available to verify that only valid traffic between a SEP client and manager is allowed through?
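As an added example (not part of the original post, and not Symantec's own tooling): whatever application-layer authentication the product provides, a defender can also limit who reaches the exposed port at all and watch for anything that slips past. The script below parses a few constructed firewall log lines and flags connections to port 8014 that did not come from the branch offices' public egress addresses. The log format, the IP addresses and the allow list are all assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample firewall log lines (assumed "src= dst= proto= dport=" format).
# 192.0.2.5 stands in for the public address that NATs to the management server.
SAMPLE_LOG = """\
2024-05-01T10:00:01 ACCEPT src=203.0.113.10 dst=192.0.2.5 proto=TCP dport=8014
2024-05-01T10:00:05 ACCEPT src=198.51.100.77 dst=192.0.2.5 proto=TCP dport=8014
2024-05-01T10:00:09 ACCEPT src=203.0.113.11 dst=192.0.2.5 proto=TCP dport=443
2024-05-01T10:00:12 ACCEPT src=198.51.100.200 dst=192.0.2.5 proto=TCP dport=8014
2024-05-01T10:00:15 ACCEPT src=203.0.113.12 dst=192.0.2.5 proto=TCP dport=8014
"""

# Hypothetical allow list: the public egress ranges of the branch offices.
BRANCH_OFFICE_NETS = [
    ipaddress.ip_network("203.0.113.0/28"),
    ipaddress.ip_network("198.51.100.77/32"),
]

# The management port the question is about.
SEPM_PORT = 8014

LINE_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=(?P<proto>\S+)\s+dport=(?P<dport>\d+)"
)


def is_allowed_source(src, allowed_nets=BRANCH_OFFICE_NETS):
    """True if the source address falls inside one of the allowed branch ranges."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed_nets)


def parse_log(log_text):
    """Yield (src, dst, dport) tuples for every line that matches the assumed format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dport"))


def find_unexpected_connections(log_text, port=SEPM_PORT, allowed_nets=BRANCH_OFFICE_NETS):
    """Return the source addresses that reached the management port from outside the allow list."""
    flagged = []
    for src, _dst, dport in parse_log(log_text):
        if dport == port and not is_allowed_source(src, allowed_nets):
            flagged.append(src)
    return flagged


def count_management_connections(log_text, port=SEPM_PORT):
    """Total number of logged connections to the management port (allowed or not)."""
    return sum(1 for _src, _dst, dport in parse_log(log_text) if dport == port)


if __name__ == "__main__":
    for src in find_unexpected_connections(SAMPLE_LOG):
        print(f"unexpected source {src} reached port {SEPM_PORT}")
    print(f"{count_management_connections(SAMPLE_LOG)} connections to port {SEPM_PORT} in sample")
```

Restricting the forwarded port to the branch offices' known source addresses is a network-layer control that works regardless of what the client and manager negotiate between themselves; running a check like this over the real firewall logs shows whether that restriction is actually holding and whether anything else is probing the port.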