Endpoint Security Server and Client Communication
Endpoint Security functionality is based on secure communication between all Endpoint Security servers and clients.
Endpoint Security operations are implemented by different services on the Endpoint Security Management Server, Endpoint Policy Servers, SmartEndpoint console, and Endpoint Security clients.
Important - Make sure that
SmartEndpoint Console and Server to Server Communication
Communication between these elements uses the Check Point Secure Internal Communication (SIC) service. The elements authenticate each other using certificates. HTTPS (TCP/443) is used for sending events, for SmartEvent Views and Reports, from the Endpoint Policy Server to Primary Management.
| Service (Protocol/Port) | Communication | Notes |
|---|---|---|
| SIC (TCP/18190 - 18193) | SmartEndpoint console to Endpoint Security Management Servers | |
| | Endpoint Policy Server to Endpoint Security Management Servers | Endpoint Policy Servers distribute and reduce the load of client-server communication between the clients and the Endpoint Security Management Server. |
| SIC (TCP/18221) | Endpoint Secondary to Primary Management | |
| HTTPS (TCP/443) | Endpoint Policy Server to Primary Management | Used for sending monitoring events. |
Client to Server Communication
These services are used by the client to communicate with the Endpoint Policy Server or the Endpoint Security Management Server.
The client is always the initiator of the connections.
| Service (Protocol/Port) | Communication | Notes |
|---|---|---|
| HTTPS (TCP/443) | Most communication is over HTTPS with TLSv1.2 encryption. These are two examples: | |
| | Policy downloads | The policy files themselves are encrypted with AES. |
| | Heartbeat | A periodic client connection to the server. The client uses this connection to inform the server about changes in the policy status and compliance. You can configure the Heartbeat interval. See The Heartbeat Interval. |
| | Application Control queries | These are queries for the reputation of unknown applications. |
| | Log uploads | These connections send logs to the server. |
| | For more sensitive services, the payload is encrypted using a proprietary Check Point protocol. These are the encrypted sensitive services: | |
| HTTPS (TCP/ | Anti-Malware signature updates | Verification is done by the engine before loading the signatures, and during the update process. |
| HTTPS (TCP/443) | Client package downloads | The packages are signed and verified on the client before being installed. |
The Heartbeat Interval
Endpoint clients send "heartbeat" messages to the Endpoint Security Management Server to check the connectivity status and report updates. The time between heartbeat messages is known as the heartbeat interval.
Note - The default heartbeat interval is 60 seconds.
The endpoint computer Compliance state is updated at each heartbeat. The heartbeat interval also controls the time that an endpoint client is in the About to be restricted state before it is restricted.
It is possible to create restricted policies that are automatically enforced once the endpoint client enters a restricted state.
To configure the heartbeat interval and out-of-compliance settings:
- Click Manage > Endpoint Connection Settings. The Connection Settings Properties window opens.
- In the Connection Settings section, set the Interval between client heartbeats.
- In the Out-Of-Compliance section, configure when a client is restricted. Configure the number of heartbeats in Client will restrict non compliant endpoint after. The default is 5 heartbeats.
- Click OK.
SHA-256 Certificate Support
For R80 and higher clean installations, the management certificate is signed with SHA-256 by default. In R77.X and lower environments, or upgrades from those versions, SHA-256 is not supported for the Root CA. You can use SHA-256 for renewed certificates after the previous certificate expires. See sk103840 for more information.
To configure a renewed certificate to use SHA-256:
On the Endpoint Security Management Server, run:
cpca_client set_sign_hash sha256
After the management certificate expires, the renewed certificate will be signed with SHA-256.
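To confirm which hash a certificate was actually signed with after the renewal, the signatureAlgorithm field of the certificate can be read directly. The following is an added example (not Check Point tooling and not from sk103840): it decodes the outer DER structure of an X.509 certificate, Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }, and maps the signatureAlgorithm OID to a hash name, with no third-party library. The two sample certificates are constructed skeletons with an empty tbsCertificate and signature, built only so the parser can be run offline; the OID table and the helper names are the example's own.

```python
"""Report the signature hash of an X.509 certificate from its DER encoding.

Added example, not part of the Check Point documentation. The sample
certificates built at the bottom are constructed skeletons, not real
certificates, and serve only to exercise the parser offline.
"""
import base64

# DER content bytes of the OID arcs for common signature algorithms
SIG_ALG_OIDS = {
    bytes.fromhex("2a864886f70d010105"): ("sha1WithRSAEncryption", "SHA-1"),
    bytes.fromhex("2a864886f70d01010b"): ("sha256WithRSAEncryption", "SHA-256"),
    bytes.fromhex("2a864886f70d01010c"): ("sha384WithRSAEncryption", "SHA-384"),
    bytes.fromhex("2a8648ce3d040301"): ("ecdsa-with-SHA1", "SHA-1"),
    bytes.fromhex("2a8648ce3d040302"): ("ecdsa-with-SHA256", "SHA-256"),
}


def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def signature_hash(cert_der: bytes) -> tuple:
    """Return (algorithm name, hash name) taken from the certificate's signatureAlgorithm."""
    tag, cert_body, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, pos = read_tlv(cert_body, 0)          # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert_body, pos)   # signatureAlgorithm (AlgorithmIdentifier)
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return SIG_ALG_OIDS.get(oid, ("unknown OID " + oid.hex(), "unknown"))


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


# --- constructed sample certificates (structurally valid, cryptographically empty) ---
def _tlv(tag: int, value: bytes) -> bytes:
    """DER-encode a TLV, using the long-form length where needed."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def _skeleton_cert(sig_oid: bytes) -> bytes:
    # tbsCertificate padded past 127 bytes so both length forms are exercised
    tbs = _tlv(0x30, b"\x02\x01\x01" + b"\x00" * 200)
    alg = _tlv(0x30, _tlv(0x06, sig_oid) + b"\x05\x00")   # OID + NULL parameters
    sig = _tlv(0x03, b"\x00" + b"\x00" * 32)               # BIT STRING, no unused bits
    return _tlv(0x30, tbs + alg + sig)


SHA1_CERT = _skeleton_cert(bytes.fromhex("2a864886f70d010105"))     # the pre-renewal case
SHA256_CERT = _skeleton_cert(bytes.fromhex("2a864886f70d01010b"))   # the renewed certificate
SHA256_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(SHA256_CERT).decode()
                   + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for label, der in (("old", SHA1_CERT), ("renewed", SHA256_CERT)):
        print(label, signature_hash(der))
```

On a real server the certificate would be exported in PEM or DER form and passed to signature_hash (via pem_to_der for PEM); the expected result for a certificate renewed after the cpca_client command is a SHA-256 algorithm.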
TLSv1.2 Support
By default, the Endpoint Security servers in this release support TLSv1.2 and TLSv1 for communication between clients and servers.
To configure servers to support TLSv1.2 only:
On each Endpoint Security server:
- Run:
cpstop
- Edit:
$UEPMDIR/apache/conf/ssl.conf
- Change the value of the SSLProtocol attribute from:
SSLProtocol +TLSv1 +TLSv1.2
to:
SSLProtocol TLSv1.2
- Save the changes.
- Run:
cpstart
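After editing ssl.conf it is worth checking that no SSLProtocol directive in the file still enables TLSv1 (or anything older) before restarting. The following is an added example, not a Check Point tool: it evaluates each uncommented SSLProtocol line the way Apache mod_ssl does (a bare token resets the set, a + or - prefix adds or removes, and all expands to every protocol except SSLv2, which is an assumption based on Apache 2.4 behaviour) and reports the weak protocols per line. The two configuration fragments are constructed for the example and show the setting from the procedure before and after the change.

```python
"""Audit Apache SSLProtocol directives for protocols older than TLSv1.2.

Added example, not Check Point tooling. The sample ssl.conf fragments are
constructed and are not copied from a real server.
"""
import re

# Protocol tokens mod_ssl accepts; 'all' expands to everything except SSLv2
# (assumption: Apache 2.4 semantics).
KNOWN = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
ALL = frozenset(KNOWN) - {"SSLv2"}
ACCEPTABLE = frozenset({"TLSv1.2", "TLSv1.3"})
_CANON = {name.lower(): name for name in KNOWN}   # mod_ssl matches tokens case-insensitively


def parse_ssl_protocol(value: str) -> frozenset:
    """Evaluate the argument list of one SSLProtocol directive into the enabled set."""
    enabled = set()
    for token in value.split():
        action, name = "=", token
        if token[0] in "+-":
            action, name = token[0], token[1:]
        key = name.lower()
        if key == "all":
            proto = set(ALL)
        elif key in _CANON:
            proto = {_CANON[key]}
        else:
            raise ValueError(f"unknown protocol token {token!r}")
        if action == "+":
            enabled |= proto
        elif action == "-":
            enabled -= proto
        else:
            enabled = proto          # a bare token overrides anything set so far
    return frozenset(enabled)


_DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)


def find_ssl_protocol_directives(conf_text: str):
    """Yield (line_number, enabled_set) for every uncommented SSLProtocol line."""
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        code = line.split("#", 1)[0]          # drop trailing and full-line comments
        match = _DIRECTIVE.match(code)
        if match:
            yield lineno, parse_ssl_protocol(match.group(1))


def weak_protocol_findings(conf_text: str):
    """Return [(line_number, sorted weak protocols)] for directives enabling anything below TLSv1.2."""
    findings = []
    for lineno, enabled in find_ssl_protocol_directives(conf_text):
        weak = enabled - ACCEPTABLE
        if weak:
            findings.append((lineno, sorted(weak)))
    return findings


# Constructed ssl.conf fragments: the setting before and after the procedure above
BEFORE = """\
# SSLProtocol all -SSLv2   <- commented out, must be ignored
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol +TLSv1 +TLSv1.2
</VirtualHost>
"""
AFTER = BEFORE.replace("SSLProtocol +TLSv1 +TLSv1.2", "SSLProtocol TLSv1.2")

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, weak_protocol_findings(conf) or "OK: only TLSv1.2 or newer is enabled")
```

Run against the real file with weak_protocol_findings(open("/path/to/ssl.conf").read()); an empty list means every SSLProtocol line in the file is restricted to TLSv1.2 or newer, and a non-empty list names the line and the protocols that still need removing.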