Configuring Policy Server Settings

The primary aspects of working with Endpoint Policy Servers that you can configure are:

Endpoint Policy Server Proximity Analysis

In a large network, multiple Endpoint Policy Servers can be available to an endpoint client. In such an environment, the client analyzes a list of Endpoint Policy Servers to find the server closest to it: it sends a specified HTTP request to every Endpoint Policy Server on the list, and the server that replies fastest is considered the closest.

The server list is an XML file named epsNetwork.xml. It is located at $UEPMDIR/engine/conf/ on the Endpoint Security Management Server. It contains:

  • The topology of Endpoint Policy Servers on the network that Endpoint Security clients can connect to.

  • Protocols, authentication schemes, and ports for each message passed between client and server.

How the proximity analysis works:

  1. The Endpoint Security Management Server creates a list of Endpoint Policy Servers based on the servers configured in SmartEndpoint.

  2. The Endpoint Security Management Server pushes the list to the clients.

  3. The Device Agent on the client does a proximity analysis after a specified interval to find the Endpoint Policy Server 'closest' to it. Some events in the system can also cause a new proximity analysis. Proximity is based on the response time of a specified HTTP request sent to all servers on the list.

    Note - Proximity is not based on the physical location of the server. A client in New York will connect to the California Endpoint Policy Server if the California Endpoint Policy Server replies before the New York Endpoint Policy Server.

  4. The client tries to connect to the closest Endpoint Policy Server.

  5. If a server is unavailable, the Device Agent tries the next closest server on the list until it makes a connection.

  6. Based on data contained in the shared list, the client and Endpoint Policy Server create connection URLs.

Clients continue to connect to the closest Endpoint Policy Server until the next proximity analysis.

Note - You cannot configure which particular Endpoint Policy Server a client uses. You can only configure the list of servers from which the client chooses.

Configuring Endpoint Policy Server Connections

To configure Endpoint Policy Server connections:

  1. From SmartEndpoint menu, select Manage > Endpoint Connection Settings.

  2. Enter or select the Interval between client heartbeats value (Default = 60 seconds). See The Heartbeat Interval.

  3. Enter or select the Client will re-evaluate the nearest Policy Server after value (default = 120 minutes).

    This value is the interval, in minutes, after which endpoint clients search for the closest available Endpoint Policy Server.

  4. Optional: Select Enable Endpoint Security Management Server to be the Endpoint Policy Server.

    This option includes Endpoint Security Management Servers in the search for the closest Endpoint Policy Server.

  5. Enter or select the Client will restrict non-compliant endpoint after value (default = 5 heartbeats). See The Heartbeat Interval.

  6. Click OK.

  7. Install policies to endpoint computers.

Enabling the Management Server to be an Endpoint Policy Server

Configure whether the Endpoint Security Management Server behaves as an Endpoint Policy Server alongside the other Endpoint Policy Servers.

The default is that the Endpoint Security Management Server does behave as an Endpoint Policy Server.

Note - If you do not explicitly enable the Endpoint Security Management Server to behave as an Endpoint Policy Server, it is still in the proximity analysis list. If no other Endpoint Policy Servers can reply to a client, the Endpoint Security Management Server replies.

To configure the Endpoint Security Management Server to behave as an Endpoint Policy Server only when no other Endpoint Policy Server responds:

  1. In SmartEndpoint, select Manage > Endpoint Connection Settings.

  2. Clear Enable Endpoint Security Management Server to be the Endpoint Policy Server.

  3. Click OK.

  4. Select File > Install Policies or click the Install Policies icon.
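The following added example, which is not Check Point code, models the client-side behavior described under Endpoint Policy Server Proximity Analysis together with the management-server fallback described in this section: rank servers by measured response time, connect to the fastest responder, step down the ranking on failure, keep the choice until the re-evaluation interval elapses, and use the Endpoint Security Management Server as a last resort only when it is not enabled as an Endpoint Policy Server. The server names, response times and the probe, connect and clock callables are constructed stand-ins for the HTTP request, connection attempt and timer of the real Device Agent.

```python
"""Added example, not Check Point code: a model of the Endpoint Policy Server
proximity analysis, the periodic re-evaluation and the management-server
fallback described on this page. All names, response times and callables
below are constructed so the example runs offline."""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for the list the management server pushes to clients
# (in the real deployment this is the content of epsNetwork.xml).
POLICY_SERVERS = [
    "eps-newyork.example.com",
    "eps-california.example.com",
    "eps-london.example.com",
]
MGMT_SERVER = "epsmgmt.example.com"  # constructed name for the management server

# Constructed round-trip times (seconds) for the fixed HTTP probe; None means no
# reply. California is deliberately faster than New York to mirror the note
# above: "closest" means fastest to answer, not geographically nearest.
SIMULATED_RTT: Dict[str, Optional[float]] = {
    "eps-newyork.example.com": 0.120,
    "eps-california.example.com": 0.045,
    "eps-london.example.com": None,
    "epsmgmt.example.com": 0.300,
}


def simulated_probe(server: str) -> Optional[float]:
    """Stand-in for timing the specified HTTP request against one server."""
    return SIMULATED_RTT.get(server)


def rank_by_proximity(servers: List[str],
                      probe: Callable[[str], Optional[float]]) -> List[Tuple[str, float]]:
    """Probe every server on the list and order the responders fastest-first.
    A server that does not reply is left out of the ranking entirely."""
    timed: List[Tuple[str, float]] = []
    for server in servers:
        rtt = probe(server)
        if rtt is not None:
            timed.append((server, rtt))
    return sorted(timed, key=lambda item: item[1])


class PolicyServerClient:
    """Device Agent-side selection: connect to the closest responder, step down
    the ranking on connection failure, and keep the result until the re-evaluation
    interval elapses (120 minutes by default) or an event forces a new analysis."""

    def __init__(self, servers: List[str], mgmt_server: str, mgmt_is_policy_server: bool,
                 reevaluate_after_s: float, probe: Callable[[str], Optional[float]],
                 connect: Callable[[str], bool], clock: Callable[[], float]) -> None:
        self.servers = list(servers)
        self.mgmt_server = mgmt_server
        self.mgmt_is_policy_server = mgmt_is_policy_server
        self.reevaluate_after_s = reevaluate_after_s
        self.probe, self.connect, self.clock = probe, connect, clock
        self._chosen: Optional[str] = None
        self._chosen_at: Optional[float] = None

    def _candidates(self) -> List[str]:
        # With the option enabled, the management server competes in the ranking
        # like any other Endpoint Policy Server; otherwise it is held back as a
        # last resort (see the Note in this section).
        if self.mgmt_is_policy_server:
            return self.servers + [self.mgmt_server]
        return self.servers

    def run_proximity_analysis(self) -> Optional[str]:
        """Try servers closest-first; fall back to the management server only
        when no Endpoint Policy Server accepted the connection."""
        for server, _rtt in rank_by_proximity(self._candidates(), self.probe):
            if self.connect(server):
                return server
        if not self.mgmt_is_policy_server and self.connect(self.mgmt_server):
            return self.mgmt_server
        return None

    def current_server(self, force: bool = False) -> Optional[str]:
        """Return the server to use now, re-running the analysis only when due."""
        now = self.clock()
        due = (self._chosen is None or self._chosen_at is None
               or now - self._chosen_at >= self.reevaluate_after_s)
        if force or due:
            self._chosen = self.run_proximity_analysis()
            self._chosen_at = now
        return self._chosen
```

Because only the fastest responder wins, a Policy Server that is geographically nearest but slow to answer is never preferred; the model also shows why a client keeps talking to a server that has since become unreachable until the re-evaluation interval elapses or an event forces a new analysis.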

Policy Server and Management Server Communication

The communication between the Endpoint Security Management Server and the Endpoint Policy Servers includes:

  • Endpoint Policy Servers get from the Endpoint Security Management Server:

    • Policies and installation packages.

    • All files they need for synchronization.

  • Endpoint Policy Servers send a heartbeat message to the Endpoint Security Management Server at 60 second intervals.

    You can change this in the $UEPMDIR/engine/conf/global.properties file on the Endpoint Security Management Server. The property name is connectionpoint.hb.interval.secs.

  • Endpoint Policy Servers send sync messages to the Endpoint Security Management Server when synchronization is necessary.

  • Endpoint Policy Servers send Reporting events to the Endpoint Security Management Server at 60 second intervals or when there are more than 1000 events in the queue.

    You can change this in the $UEPMDIR/engine/conf/global.properties file on the Endpoint Security Management Server. The property names are:

    • connectionpoint.emon.events.until.flush=1000

    • connectionpoint.emon.seconds.until.flush=60

  • Endpoint Policy Servers send all database related messages directly to the Endpoint Security Management Server.
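The following added example, which is not Check Point code, shows the reporting-event flush rule described above as working code: a queue that flushes to the management server when more than connectionpoint.emon.events.until.flush events are buffered or when connectionpoint.emon.seconds.until.flush seconds have passed since the oldest buffered event, with both thresholds read from a global.properties-style file. The properties excerpt is constructed and contains only the three keys this page names; the real $UEPMDIR/engine/conf/global.properties holds many more. The clock and the send callable are simulated so the example runs offline.

```python
"""Added example, not Check Point code: the reporting-event flush rule described
above, driven by the two global.properties keys named on this page, plus a
minimal reader for the Java .properties format the file uses. The properties
excerpt, queue and clock are constructed so the example runs offline."""
from typing import Any, Callable, Dict, List, Optional

# Constructed excerpt. A real $UEPMDIR/engine/conf/global.properties holds many
# more keys; only the three documented on this page appear here.
GLOBAL_PROPERTIES = """
# Endpoint Policy Server -> Management Server communication
connectionpoint.hb.interval.secs=60
connectionpoint.emon.events.until.flush=1000
connectionpoint.emon.seconds.until.flush=60
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Read key=value (or key:value) pairs, skipping blank lines and '#'/'!'
    comments. Line continuations and unicode escapes are not handled."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        separators = [i for i in (line.find("="), line.find(":")) if i != -1]
        if not separators:
            props[line] = ""
            continue
        idx = min(separators)
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


class ReportingEventQueue:
    """Buffers reporting events on a Policy Server and flushes the batch to the
    management server when more than `events.until.flush` events are queued or
    the oldest queued event is `seconds.until.flush` seconds old."""

    def __init__(self, props: Dict[str, str], clock: Callable[[], float],
                 send: Callable[[List[Any]], None]) -> None:
        self.max_events = int(props["connectionpoint.emon.events.until.flush"])
        self.max_seconds = float(props["connectionpoint.emon.seconds.until.flush"])
        self.clock, self.send = clock, send
        self._queue: List[Any] = []
        self._oldest_at: Optional[float] = None
        self.flushes = 0

    def pending(self) -> int:
        return len(self._queue)

    def add(self, event: Any) -> None:
        if not self._queue:
            self._oldest_at = self.clock()
        self._queue.append(event)
        self._maybe_flush()

    def tick(self) -> None:
        """Call from a periodic timer so the time threshold fires even when no
        new events arrive."""
        self._maybe_flush()

    def _maybe_flush(self) -> None:
        if not self._queue or self._oldest_at is None:
            return
        over_count = len(self._queue) > self.max_events
        over_time = self.clock() - self._oldest_at >= self.max_seconds
        if over_count or over_time:
            self.flush()

    def flush(self) -> None:
        if not self._queue:
            return
        self.send(list(self._queue))
        self._queue.clear()
        self._oldest_at = None
        self.flushes += 1
```

The time threshold needs a periodic tick independent of event arrival; without it, a Policy Server that receives a few events and then goes quiet would hold them until the next event arrives rather than reporting them after 60 seconds.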

Notes on the First Synchronization

After you create the Endpoint Policy Server and install the policy in SmartEndpoint, the first synchronization between the Endpoint Policy Server and Endpoint Security Management Server occurs. During the first synchronization, the Endpoint Policy Server does not handle endpoint requests and shows as Not Active in the Reporting tab.

The first synchronization can take a long time, depending on the number of policies and installation packages that the Endpoint Policy Server must download from the Endpoint Security Management Server.

When the first synchronization is complete, the Endpoint Policy Server will show as Active in the Reporting tab.