
Server and Client Communication

In This Section:

Overview of Server and Client Communication

SHA-256 Certificate Support

TLSv1.2 Support

Overview of Server and Client Communication

Endpoint Security functionality is based on secure communication between all Endpoint Security servers and clients.

For example, the Endpoint Security Management Server enforces and updates policies on the Endpoint Security clients. Endpoint Security client computers send "heartbeat" messages to the Endpoint Security Management Server to make sure that all connections are active and that all policies are up to date.

Endpoint Security Management Servers can communicate with Endpoint Policy Servers to distribute the load of client-server communication between multiple servers.

All Endpoint Security and other Check Point servers communicate with each other through internal SIC secure communication that uses certificate authentication. By default the certificates are signed with SHA-1, but you can also configure SHA-256.

Endpoint Security Servers and clients communicate through TLSv1 and TLSv1.2 encryption.

SHA-256 Certificate Support

For R80 and higher clean installations, the management certificate is signed with SHA-256 by default. In existing R77.x and lower environments, or upgrades from those versions, SHA-256 is not supported for the Root CA. You can use SHA-256 for renewed certificates after the previous certificate expires. See sk103840 for more information.

To configure a renewed certificate to use SHA-256:

On the Endpoint Security Management Server, run: cpca_client set_sign_hash sha256

After the management certificate expires, the renewed certificate is signed with SHA-256.

TLSv1.2 Support

By default, the Endpoint Security servers in this release support TLSv1.2 and TLSv1 for communication between clients and servers.

To configure servers to support TLSv1.2 only:

  1. On each Endpoint Security server, open $UEPMDIR/apache22/conf/ssl.conf.
  2. Run: cpstop
  3. Change the attribute SSLProtocol +TLSv1 +TLSv1.2 to: SSLProtocol TLSv1.2
  4. Save changes.
  5. Run: cpstart
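The edit in step 3, done as a scripted and verified change. This is an added example, not Check Point's own tooling: it assumes the directive reads exactly SSLProtocol +TLSv1 +TLSv1.2 as shown above, takes the path to ssl.conf as an argument (on a server that is $UEPMDIR/apache22/conf/ssl.conf), and leaves cpstop and cpstart to the operator.

```shell
#!/bin/sh
# Added example (not Check Point tooling): restrict an Apache ssl.conf to
# TLSv1.2 by rewriting the SSLProtocol directive, keeping a backup and
# checking the result. Assumes the directive reads "SSLProtocol +TLSv1 +TLSv1.2"
# as shown on the page; cpstop/cpstart are left to the operator.

# Print the effective SSLProtocol value: Apache takes the last uncommented
# directive in the file, so the last match wins.
current_ssl_protocol() {
    grep -E '^[[:space:]]*SSLProtocol[[:space:]]' "$1" | tail -n 1 \
        | sed -E 's/^[[:space:]]*SSLProtocol[[:space:]]+//; s/[[:space:]]+$//'
}

# Return 0 if the directive still permits TLSv1 (simplified reading of
# Apache's token syntax: "all"/"+TLSv1" enable it, a later "-TLSv1" removes it).
permits_tls1() {
    enabled=0
    for tok in $(current_ssl_protocol "$1"); do
        case "$tok" in
            all|+all|TLSv1|+TLSv1) enabled=1 ;;
            -TLSv1)                enabled=0 ;;
        esac
    done
    [ "$enabled" -eq 1 ]
}

# Back up the file, rewrite the default line to "SSLProtocol TLSv1.2", and
# return 0 only if the effective value is now exactly TLSv1.2.
restrict_to_tls12() {
    conf="$1"
    cp -p "$conf" "$conf.bak" || return 1
    tmp="$conf.tmp.$$"
    sed -E 's/^([[:space:]]*)SSLProtocol[[:space:]]+[+]TLSv1[[:space:]]+[+]TLSv1\.2[[:space:]]*$/\1SSLProtocol TLSv1.2/' \
        "$conf" > "$tmp" && mv "$tmp" "$conf" || return 1
    [ "$(current_ssl_protocol "$conf")" = "TLSv1.2" ]
}

# Write a constructed sample ssl.conf (not a real Check Point file) to $1.
write_sample_conf() {
    printf '# constructed sample\nSSLEngine on\n  SSLProtocol +TLSv1 +TLSv1.2\n' > "$1"
}

# Stand-alone run on a temporary copy; on a server pass the real path instead.
sample="$(mktemp)"
write_sample_conf "$sample"
permits_tls1 "$sample" && echo "before: $(current_ssl_protocol "$sample") (TLSv1 allowed)"
restrict_to_tls12 "$sample" && echo "after:  $(current_ssl_protocol "$sample")"
rm -f "$sample" "$sample.bak"
```

Run restrict_to_tls12 against the real file between cpstop and cpstart; the .bak copy lets you roll back if clients that only speak TLSv1 stop connecting.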