Endpoint Security Server and Client Communication

Endpoint Security functionality is based on secure communication between all Endpoint Security servers and clients.

Endpoint Security operations are implemented by different services on the Endpoint Security Management Server, Endpoint Policy Servers, SmartEndpoint console, and Endpoint Security clients.

Important - Make sure that

  • HTTP (TCP/80) and HTTPS (TCP/443) services and ports are allowed by Firewall or Application Control rules.

  • There is routing between the Endpoint Security elements.

SmartEndpoint Console and Server to Server Communication

Communication between these elements uses the Check Point Secure Internal Communication (SIC) service. The elements authenticate each other using certificates. HTTPS (TCP/443) is used for sending events, for SmartEvent Views and Reports, from the Endpoint Policy Server to Primary Management.

| Service (Protocol/Port) | Communication | Notes |
|---|---|---|
| SIC (TCP/18190-18193) | SmartEndpoint console to Endpoint Security Management Servers | |
| SIC (TCP/18190-18193) | Endpoint Policy Server to Endpoint Security Management Servers | Endpoint Policy Servers distribute and reduce the load of client-server communication between the clients and the Endpoint Security Management Server. |
| SIC (TCP/18221) | Endpoint Secondary to Primary Management | |
| HTTPS (TCP/443) | Endpoint Policy Server to Primary Management | Used for sending monitoring events. |

Client to Server Communication

These services are used by the client to communicate with the Endpoint Policy Server or the Endpoint Security Management Server.

The client is always the initiator of the connections.

| Service (Protocol/Port) | Communication | Notes |
|---|---|---|
| HTTPS (TCP/443) | Most communication is over HTTPS with TLSv1.2 encryption. Two examples: endpoint registration; new file encryption key retrieval. | |
| HTTPS (TCP/443) | Policy downloads | The policy files themselves are encrypted with AES. |
| HTTPS (TCP/443) | Heartbeat | A periodic client connection to the server. The client uses this connection to inform the server about changes in the policy status and compliance. You can configure the heartbeat interval; see The Heartbeat Interval. |
| HTTPS (TCP/443) | Application Control queries | Queries for the reputation of unknown applications. |
| HTTPS (TCP/443) | Log uploads | These connections send logs to the server. |
| HTTPS (TCP/443) | Sensitive services: Full Disk Encryption Recovery Data Upload; Media Encryption & Port Protection Key Exchange; Full Disk Encryption User Acquisition and user credentials | For these more sensitive services, the payload is encrypted using a proprietary Check Point protocol. |
| HTTPS (TCP/80) | Anti-Malware signature updates | Verification is done by the engine before loading the signatures, and during the update process. |
| HTTPS (TCP/443) | Client package downloads | The packages are signed and verified on the client before they are installed. |
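A quick way to verify the two prerequisites stated at the top of this page (ports allowed by Firewall or Application Control rules, and routing between the elements) is to attempt a TCP connection to every port listed in the two tables from the element that initiates the connection. The script below is an added example and not Check Point code; the host name is a placeholder, and the port lists are taken from the tables above. Run it on a client against the Endpoint Policy Server or Endpoint Security Management Server for the client table, and between servers for the server table.

```python
"""Reachability check for the Endpoint Security service ports listed on this page.

Added example, not Check Point code. The target host is a placeholder; run it
from the element that initiates the connection (the client, for the client table).
"""
import socket
from typing import Callable, Dict, List

# Ports as listed in the two tables above.
SERVER_TO_SERVER_PORTS: Dict[str, List[int]] = {
    "SIC (console / Policy Server to Management)": [18190, 18191, 18192, 18193],
    "SIC (Secondary to Primary Management)": [18221],
    "HTTPS (monitoring events to Primary Management)": [443],
}
CLIENT_TO_SERVER_PORTS: Dict[str, List[int]] = {
    "HTTPS (registration, policy, heartbeat, logs, packages)": [443],
    "Anti-Malware signature updates (TCP/80)": [80],
}

# A connector takes (host, port) and a timeout and returns an object with close().
# Defaults to socket.create_connection; a fake can be injected for offline testing.
Connector = Callable[[tuple, float], object]


def check_ports(host: str, services: Dict[str, List[int]],
                connect: Connector = socket.create_connection,
                timeout: float = 3.0) -> Dict[int, bool]:
    """Attempt a TCP connection to every listed port on `host`.

    Returns {port: reachable}. A refused, filtered or unroutable port shows up
    as False, which covers both a missing Firewall/Application Control rule and
    a missing route between the Endpoint Security elements.
    """
    results: Dict[int, bool] = {}
    for _label, ports in services.items():
        for port in ports:
            try:
                conn = connect((host, port), timeout)
                conn.close()
                results[port] = True
            except OSError:  # refused, timed out, no route, or name resolution failed
                results[port] = False
    return results


def unreachable_ports(results: Dict[int, bool]) -> List[int]:
    """Sorted list of ports that did not accept a connection."""
    return sorted(p for p, ok in results.items() if not ok)


def report(host: str, services: Dict[str, List[int]], results: Dict[int, bool]) -> str:
    """Human-readable summary, one line per (port, purpose) pair."""
    lines = [f"Connectivity to {host}:"]
    for label, ports in services.items():
        for port in ports:
            status = "OK" if results.get(port) else "BLOCKED"
            lines.append(f"  TCP/{port:<6} {label}: {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Placeholder target; replace with your Endpoint Policy Server or Management Server.
    target = "epm.example.invalid"
    res = check_ports(target, CLIENT_TO_SERVER_PORTS)
    print(report(target, CLIENT_TO_SERVER_PORTS, res))
```

A port reported as BLOCKED from the client side but listening on the server points at the rule base or routing rather than at the Endpoint Security service itself.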

The Heartbeat Interval

Endpoint clients send "heartbeat" messages to the Endpoint Security Management Server to check the connectivity status and report updates. The time between heartbeat messages is known as the heartbeat interval.

Note - The default heartbeat interval is 60 seconds.
A shorter heartbeat interval can cause additional load on the management. A longer heartbeat interval may lead to less up-to-date logs and reports.

The endpoint computer Compliance state is updated at each heartbeat. The heartbeat interval also controls the time that an endpoint client is in the About to be restricted state before it is restricted.

It is possible to create restricted policies that are automatically enforced once the endpoint client enters a restricted state.

To configure the heartbeat interval and out-of-compliance settings:

  1. Click Manage > Endpoint Connection Settings.

    The Connection Settings Properties window opens.

  2. In the Connection Settings section, set the Interval between client heartbeats.

  3. In the Out-Of-Compliance section, configure when a client is restricted. Configure the number of heartbeats in Client will restrict non compliant endpoint after. The default is 5 heartbeats.

  4. Click OK.
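To see how the two settings above interact (the heartbeat interval and the number of heartbeats before restriction), the added example below models the timing. It is not Check Point code; the defaults (60 seconds, 5 heartbeats) come from this page, while the assumption that a compliant heartbeat clears the non-compliant count is the author's model and not something the page states.

```python
"""Heartbeat and out-of-compliance timing, as set in Endpoint Connection Settings.

Added example, not Check Point code. The counter model (a compliant heartbeat
resets the count) is an assumption; the page only states that a client is
restricted after N non-compliant heartbeats.
"""
from dataclasses import dataclass
from typing import List, Tuple

DEFAULT_HEARTBEAT_INTERVAL_S = 60      # page: default heartbeat interval
DEFAULT_RESTRICT_AFTER_HEARTBEATS = 5  # page: "Client will restrict non compliant endpoint after"


def seconds_until_restriction(interval_s: int = DEFAULT_HEARTBEAT_INTERVAL_S,
                              heartbeats: int = DEFAULT_RESTRICT_AFTER_HEARTBEATS) -> int:
    """Delay from the first non-compliant heartbeat to the client being restricted."""
    return interval_s * heartbeats


@dataclass
class ComplianceTracker:
    """Tracks one client's compliance state across heartbeats (assumed model)."""
    restrict_after: int = DEFAULT_RESTRICT_AFTER_HEARTBEATS
    state: str = "compliant"
    non_compliant_heartbeats: int = 0

    def heartbeat(self, compliant: bool) -> str:
        """Process one heartbeat report and return the resulting state."""
        if compliant:
            self.non_compliant_heartbeats = 0  # assumption: recovery clears the count
            self.state = "compliant"
        else:
            self.non_compliant_heartbeats += 1
            if self.non_compliant_heartbeats >= self.restrict_after:
                self.state = "restricted"
            else:
                self.state = "about to be restricted"
        return self.state


def timeline(reports: List[bool],
             interval_s: int = DEFAULT_HEARTBEAT_INTERVAL_S,
             restrict_after: int = DEFAULT_RESTRICT_AFTER_HEARTBEATS) -> List[Tuple[int, str]]:
    """(elapsed seconds, state) after each heartbeat, given per-heartbeat compliance."""
    tracker = ComplianceTracker(restrict_after=restrict_after)
    return [((i + 1) * interval_s, tracker.heartbeat(c)) for i, c in enumerate(reports)]


if __name__ == "__main__":
    print("Default worst-case delay to restriction:", seconds_until_restriction(), "s")
    for t, state in timeline([False] * 5):
        print(f"t={t:4d}s  {state}")
```

Lowering the interval shortens the window in which a non-compliant client stays in the "about to be restricted" state, at the cost of more frequent connections to the management.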

SHA-256 Certificate Support

For R80 and higher clean installations, the management certificate is signed with SHA-256 by default. In R77.X and lower environments, or in upgrades from those versions, SHA-256 is not supported for the Root CA. You can use SHA-256 for renewed certificates after the previous certificate expires. See sk103840 for more information.

To configure a renewed certificate to use SHA-256:

On the Endpoint Security Management Server, run:

    cpca_client set_sign_hash sha256

After the management certificate expires, the renewed certificate is signed with SHA-256.

TLSv1.2 Support

By default, the Endpoint Security servers in this release support TLSv1.2 and TLSv1 for communication between clients and servers.

To configure servers to support TLSv1.2 only:

On each Endpoint Security server:

  1. Run:

    cpstop

  2. Edit:

    $UEPMDIR/apache/conf/ssl.conf

  3. Change the value of the SSLProtocol directive

    from:

    SSLProtocol +TLSv1 +TLSv1.2

    to:

    SSLProtocol TLSv1.2

  4. Save the changes.

  5. Run:

    cpstart
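The edit in step 3 is easy to get subtly wrong, because Apache's SSLProtocol directive accepts both an explicit list (`+TLSv1 +TLSv1.2`) and `all` with `-` exclusions, and a later directive in the same file overrides an earlier one. The added example below, which is not Check Point code, parses the directive the way Apache interprets it, reports which protocol versions a configuration enables, and rewrites the directive to the value this page recommends. The sample configuration excerpt is constructed for the example and is not the real `$UEPMDIR/apache/conf/ssl.conf`.

```python
"""Check and harden the SSLProtocol directive in an Apache ssl.conf.

Added example, not Check Point code. SAMPLE_SSL_CONF is a constructed excerpt
in the style of the file edited in step 2 above, not the real file.
"""
import re
from typing import Optional, Set

# Constructed sample: the "before" value from step 3 of this page.
SAMPLE_SSL_CONF = """\
Listen 443
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol +TLSv1 +TLSv1.2
    SSLCertificateFile /path/to/server.crt
</VirtualHost>
"""

# Protocol names mod_ssl understands; "all" expands to this set.
SUPPORTED_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

# One SSLProtocol directive per line; group 1 keeps the indentation, group 2 the value.
SSLPROTO_RE = re.compile(r"^([ \t]*)SSLProtocol[ \t]+(.*?)[ \t]*$", re.MULTILINE)


def _expand(name: str) -> Set[str]:
    return set(SUPPORTED_PROTOCOLS) if name.lower() == "all" else {name}


def enabled_protocols(conf_text: str) -> Optional[Set[str]]:
    """Protocol versions enabled by the last SSLProtocol directive in the text.

    Tokens are processed left to right: "+X" adds, "-X" removes, a bare token
    (or "all") adds without a prefix. Returns None when no directive is present,
    meaning Apache's built-in default applies.
    """
    enabled: Optional[Set[str]] = None
    for match in SSLPROTO_RE.finditer(conf_text):
        current: Set[str] = set()
        for token in match.group(2).split():
            if token.startswith("+"):
                current |= _expand(token[1:])
            elif token.startswith("-"):
                current -= _expand(token[1:])
            else:
                current |= _expand(token)
        enabled = current  # a later directive overrides an earlier one
    return enabled


def allows_only_tls12(conf_text: str) -> bool:
    """True when exactly TLSv1.2 is enabled, the target state of the procedure above."""
    return enabled_protocols(conf_text) == {"TLSv1.2"}


def harden_ssl_protocol(conf_text: str) -> str:
    """Rewrite every SSLProtocol directive to 'SSLProtocol TLSv1.2', keeping indentation."""
    return SSLPROTO_RE.sub(lambda m: f"{m.group(1)}SSLProtocol TLSv1.2", conf_text)


if __name__ == "__main__":
    print("before:", sorted(enabled_protocols(SAMPLE_SSL_CONF)))
    hardened = harden_ssl_protocol(SAMPLE_SSL_CONF)
    print("after: ", sorted(enabled_protocols(hardened)))
    print("TLSv1.2 only:", allows_only_tls12(hardened))
```

Run the check against the real file after step 4 and before `cpstart`; a result other than TLSv1.2 alone means the directive was not changed, or a second SSLProtocol line elsewhere in the file still enables TLSv1.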