R77.30.02 and R77.30.03 are supported on the Azure cloud platform.
In order to deploy these server versions on Azure, proceed as follows:
- Deploy a new machine in Azure with the 'Check Point vSEC Security Management' package from the Azure marketplace.
- Reset the admin password for SmartDashboard after deployment via cpconfig.
- Download R77.30 Jumbo Hotfix.
- Important - Install R77_30_JHF_T143_ERB, which you downloaded in step 3, with the -NOCRS flag: ./UnixInstallScript -NOCRS
- Install the R77.30.02 / R77.30.03 Hotfix.
- Configure a Network Address Translation (NAT) rule in SmartDashboard in order to add the public IP address of the deployed machine to the supported servers list. This step is needed in order to make the Endpoint Security Server available outside the Azure network environment.
- Continue with the Client deployment according to the relevant Admin Guide.
- When connecting with SmartConsole to the server, the public IP address of the deployed machine should be used.
- Before uploading the Endpoint Security Client, verify that there is sufficient disk space on the lv_current partition. If the partition needs resizing, follow sk111089.
- In order to connect to an Active Directory Server, the domain controller and Endpoint Management Server should be on the same network (for example, use a site-to-site VPN or the ExpressRoute service).
- When connecting a Policy Server to a Management Server in an Azure environment, the internal IP address of the Policy Server should be used.
Additional guidelines to take into consideration in case of a customer's requirement:
We should start with a Management object that will use one internal IP (DO NOT change the object's IP address).
This object should represent an R77.30.03 Server.
Configure a NAT rule
To configure a NAT rule in SmartDashboard that adds the public IP address of the deployed machine (End-user) to the supported Server list (Endpoint Server(s)), proceed as follows:
- In SmartDashboard, double-click the Management Object (which has the EP software blade enabled on it).
- The Check Point Host General Properties window will open. There we can see its IP address and SIC status. Confirm that SIC is initialized and trust is established, and that the IP address is unchanged from its original value.
- Navigate to the NAT section on the left side of the window.
- Select the checkbox that says "Add Automatic Address Translation rules".
- Select the 'Hide' Translation Method.
- Under 'Hide behind IP Address', set 'IPv4 Address' to the valid Public IP address that you want to be translated to our internal IP address (this means that whoever tries to access the Public IP address will be directed to our EP Server's IP address).
- Select the Gateways this rule should be installed on.
- Leave the last checkbox ("Apply for Security Gateway control connections") unchecked.
- Click "OK".
- Save and install database in SmartDashboard.
Once the above has been performed correctly and we have successfully configured our object to have a Public IP address that will be translated, we should proceed with installing this on the Endpoint Server(s), exactly as it is described above.
Step 6 states we should deploy Clients and verify everything works (see R77.30.03 Admin Guide).
- Log in to the SmartEndpoint Console.
- Click the menu on the top left of the window, and select 'File > Manage > Endpoint Servers'.
- Highlight the NATed object and select "Edit".
- Click "Next" and "Next" again (In the second window, verify we have SIC, and we're communicating ['Trust Established']).
- At this point (in the third window), make sure the "Install Database Checkmarks" are all selected, and click "Finish".
- After the Install Database completes, you should install policy (still in SmartEndpoint).
- Download the initial client again. Recreate exported packages, if you have any (remember to install policy afterwards), and use them for deployment.
- Already deployed, running clients will receive the new server IP address if they have a connection to the EP server.
You should see that your 'General Properties' has updated and that the Server list is updated in the install policy window.
The above should be treated as a clarification in case of need.