Endpoint Security functionality is based on secure communication between all Endpoint Security servers and clients.
For example, the Endpoint Security Management Server enforces and updates policies on the Endpoint Security clients. Endpoint Security client computers send "heartbeat" messages to the Endpoint Security Management Server to confirm that the connection is active and that their policies are up to date.
Endpoint Security Management Servers can communicate with Endpoint Policy Servers to distribute the load of client-server communication between multiple servers.
All Endpoint Security servers and other Check Point servers communicate with each other through SIC (Secure Internal Communication), which authenticates each side with certificates. Endpoint Security servers and clients communicate over TLS, using TLSv1 or TLSv1.2.
For R80 and higher clean installations, the management certificate is signed with SHA-256 by default. In R77.x and lower environments, and in upgrades from those versions, the Root CA does not support SHA-256. You can use SHA-256 for renewed certificates after the previous certificate expires. See sk103840 for more information.
To configure a renewed certificate to use SHA-256:
1. On the Endpoint Security Management Server, run: cpca_client set_sign_hash sha256
After the current management certificate expires, the renewed certificate is signed using SHA-256. The certificate currently in use is unchanged until then.
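The page states that the renewed certificate will be SHA-256 signed but gives no way to confirm it. The script below is an added example, not Check Point code: it reads the signature algorithm out of a PEM certificate and flags anything that is not a SHA-2 hash. It assumes the certificate has already been exported to a PEM file (fetch_server_cert shows one way to capture it from a TLS port; the host name and port there are placeholders), and the self-signed certificate generated in the demo is a constructed stand-in, not a real management certificate.

```shell
#!/bin/sh
# Added example, not Check Point code: report the signature hash of a PEM certificate
# so a renewed management certificate can be confirmed as SHA-256 signed.
# Assumes the certificate is available as a PEM file (see fetch_server_cert);
# host and port values used with that function are placeholders.
set -eu

# Print the signature algorithm of the PEM certificate in $1,
# e.g. "sha256WithRSAEncryption" or, for an old certificate, "sha1WithRSAEncryption".
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^[[:space:]]*Signature Algorithm: //p' \
        | head -n 1
}

# Return 0 when the certificate in $1 is signed with a SHA-2 family hash, 1 otherwise.
# A SHA-1 signature here means the old certificate has not been renewed yet.
cert_uses_sha2() {
    case "$(cert_sig_alg "$1")" in
        sha256*|sha384*|sha512*) return 0 ;;
        *)                       return 1 ;;
    esac
}

# Capture the leaf certificate presented on a TLS port and write it as PEM to $3.
# Not executed in the demo below (needs a reachable server).
fetch_server_cert() {   # $1 = host, $2 = port, $3 = output PEM file
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Generate a self-signed certificate in $1 using hash $2 (e.g. sha256). This is a
# constructed stand-in for an exported CA certificate, not a real Check Point one.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes "-$2" -days 1 -subj "/CN=demo-ca" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Demo: generate a SHA-256 signed certificate and check it (skipped if openssl is absent).
if command -v openssl >/dev/null 2>&1; then
    demo_dir=$(mktemp -d)
    make_self_signed "$demo_dir/ca.pem" sha256
    printf 'signature algorithm: %s\n' "$(cert_sig_alg "$demo_dir/ca.pem")"
    if cert_uses_sha2 "$demo_dir/ca.pem"; then
        echo "OK: certificate is SHA-2 signed"
    else
        echo "WARNING: certificate still uses a pre-SHA-2 signature hash"
    fi
    rm -rf "$demo_dir"
fi
```

Run cert_uses_sha2 against the certificate captured after the renewal date; if it still reports sha1WithRSAEncryption, the previous certificate has not expired yet or the set_sign_hash setting was not applied on the server that issued it.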
By default, the Endpoint Security servers in this release support TLSv1.2 and TLSv1 for communication between clients and servers.
Before restricting the servers to TLSv1.2, make sure all deployed clients support TLSv1.2: a client that can only negotiate TLSv1 can no longer connect after the change.
To configure servers to support TLSv1.2 only:
1. On the Endpoint Security Management Server, open $UEPMDIR/apache/conf/ssl.conf.
2. Run: cpstop
3. Change the line SSLProtocol +TLSv1 +TLSv1.2 to: SSLProtocol TLSv1.2
4. Run: cpstart
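The procedure above is a one-line manual edit. The script below is an added example, not Check Point code, that makes the same SSLProtocol change repeatably and verifies it: it expands an Apache SSLProtocol directive into the protocol versions it actually enables (so "all -SSLv3" and "+TLSv1 +TLSv1.2" are both handled), rewrites the directive to TLSv1.2 only with a backup, and includes a live handshake check to run after cpstart. The file path is an argument so the functions can be exercised on a constructed ssl.conf fragment; on the server the argument would be $UEPMDIR/apache/conf/ssl.conf, and the host and port passed to check_live_tls are placeholders.

```shell
#!/bin/sh
# Added example, not Check Point code: apply and verify "SSLProtocol TLSv1.2" in an
# Apache ssl.conf. The file path is an argument; on the server it would be
# $UEPMDIR/apache/conf/ssl.conf, edited between cpstop and cpstart.
set -eu

# Expand the last SSLProtocol directive in file $1 into the protocol versions it enables,
# following Apache's syntax: "all", bare names, "+name" to add, "-name" to remove.
# Prints them space-separated and sorted, or nothing if no directive is present.
enabled_protocols() {
    line=$(grep -E '^[[:space:]]*SSLProtocol[[:space:]]' "$1" | tail -n 1 || true)
    enabled=""
    set -- $line                     # $1 becomes the directive name, the rest its tokens
    if [ $# -gt 0 ]; then shift; fi
    for tok in "$@"; do
        case "$tok" in
            [aA][lL][lL]) enabled="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3" ;;
            -*) enabled=$(printf '%s\n' $enabled | grep -vx -- "${tok#-}" | tr '\n' ' ' || true) ;;
            +*) enabled="$enabled ${tok#+}" ;;
            *)  enabled="$enabled $tok" ;;
        esac
    done
    printf '%s\n' $enabled | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Return 0 only if file $1 enables TLSv1.2 and nothing else.
tls12_only() {
    [ "$(enabled_protocols "$1")" = "TLSv1.2" ]
}

# Rewrite every SSLProtocol directive in file $1 to "SSLProtocol TLSv1.2", keeping the
# original indentation and a backup copy in $1.bak. Safe to run more than once.
restrict_to_tls12() {
    conf="$1"
    cp "$conf" "$conf.bak"
    tmp="$conf.tmp.$$"
    sed -E 's/^([[:space:]]*)SSLProtocol[[:space:]].*$/\1SSLProtocol TLSv1.2/' "$conf" > "$tmp"
    mv "$tmp" "$conf"
}

# After cpstart, confirm from another host that a TLSv1 handshake is refused while a
# TLSv1.2 handshake succeeds. Returns 0 when the server behaves as configured.
# Note: an openssl build without TLSv1 support also fails the first call, so read the
# error text if in doubt. Not run in the demo below (needs a reachable server).
check_live_tls() {   # $1 = host, $2 = port (placeholders; supply your server's values)
    if openssl s_client -connect "$1:$2" -tls1 </dev/null >/dev/null 2>&1; then
        echo "FAIL: TLSv1 handshake still accepted"
        return 1
    fi
    openssl s_client -connect "$1:$2" -tls1_2 </dev/null >/dev/null 2>&1 \
        && echo "OK: only TLSv1.2 accepted"
}

# Demo on a constructed ssl.conf fragment (not the real file from a server).
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/ssl.conf"
cat > "$demo_conf" <<'EOF'
Listen 443
SSLEngine on
SSLProtocol +TLSv1 +TLSv1.2
SSLCipherSuite HIGH:!aNULL
EOF
echo "before: $(enabled_protocols "$demo_conf")"    # before: TLSv1 TLSv1.2
restrict_to_tls12 "$demo_conf"
echo "after:  $(enabled_protocols "$demo_conf")"    # after:  TLSv1.2
grep SSLProtocol "$demo_conf"                        # SSLProtocol TLSv1.2
rm -rf "$demo_dir"
```

On the server, call restrict_to_tls12 on the real ssl.conf between cpstop and cpstart, then run check_live_tls from a client-side host against the management server's TLS port; the .bak copy makes it simple to revert if a client population turns out to need TLSv1.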