How to deploy a Check Point Endpoint Security Management Server in AWS

Endpoint Security Management Server is supported on the Amazon Web Services cloud platform (AWS).


Follow these steps to deploy this server in AWS:

  1. Deploy a new machine in AWS using the Check Point Security Management template from sk111013.

    1. Launch the stack:

    2. Specify the details:

    3. Select the desired Check Point Security Management Version (R80.X - BYOL) *:

    4. For Instance Type, we recommend using m5.large and above.
    5. Configure the template:

  2. Install the required SmartConsole for Endpoint Security Server from sk117536.

  3. Activate the Endpoint Policy Management blade in SmartConsole.

  4. Configure a NAT rule

    Configure a NAT rule in SmartConsole to add the public IP address of the deployed machine (End-user) to the supported server list (Endpoint Server(s)). Proceed as follows:

      1. In SmartConsole, double-click the Management Object (which has the EP software blade enabled on it).
      2. The Check Point Host General Properties window will open. There we can see its IP address and SIC status. Confirm that SIC is initialized and trust is established, and that our IP address is what it originally was.
      3. Navigate to the NAT section on the left side of the window.
      4. Select the check box that says "Add Automatic Address Translation rules".
      5. Select 'Hide' Translation Method.
      6. Under 'Hide behind IP Address', set 'IPv4 Address' to the valid public IP address that should be translated to the internal IP address (anyone who tries to access the public IP address is then directed to the EP Server's IP address).
      7. Select the Gateways this rule should be installed on.
      8. Leave the last check box ("Apply for Security Gateway control connections") unchecked.
      9. Click "OK".

      10. Save and install database in SmartConsole.
        Once the above has been performed correctly and the object has a public IP address that will be translated, proceed with installing this on the Endpoint Server(s), exactly as described above.

      11. Log in to the SmartEndpoint Console.
      12. Click the menu on the top left of the window, and select 'File > Manage > Endpoint Servers'.

      13. Highlight the NATed object and select "Edit".
      14. Click "Next" and "Next" again (in the second window, verify that SIC is present and that communication works ['Trust Established']).

      15. At this point (in the third window), make sure the "Install Database Checkmarks" are all selected, and click "Finish".

      16. After the Install Database completes, install policy (still in SmartEndpoint).

    1. Download the initial client again. Recreate the exported packages, if you have any (remember to install policy afterwards), and use them for deployment.
  5. Edit the existing inbound AWS management Security Group. Add port 80/443.


  • * For Check Point Security Management R80.30 BYOL a hotfix is required; contact Check Point Support.

  • When connecting with SmartEndpoint GUI to the Endpoint Security Server, the public IP address of the deployed Endpoint Security Server machine should be used.

  • Before uploading the Endpoint Security Client, verify that there is sufficient disk space on lv_current partition.

    If the partition needs to be resized, then refer to sk111089 or sk106242 to increase the disk size of a Check Point instance in AWS.

  • To deploy a Policy Server, use the Security Management Server (BYOL) template from the AWS marketplace; in the First Time Wizard, select Log Server.

  • In order to connect to an Active Directory Server, the domain controller and Endpoint Security Management Server should be on the same network (for example, use Site-to-Site VPN or DirectConnect service).

  • When connecting a Policy Server to an Endpoint Security Management Server in an AWS environment, the internal IP address of the Policy Server should be used.

  • Security Groups should allow traffic through ports that are used by Endpoint Security Management Server (refer to sk52421).
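
The following Python sketch is an added example, not part of the Check Point article: it audits the inbound rules of the management Security Group (JSON in the shape returned by `aws ec2 describe-security-groups`) for the ports 80/443 required in step 5, and lists rules on other ports that are open to any source so they can be reviewed. The sample group, its ID and its rules are constructed; the function names are hypothetical.

```python
import json

REQUIRED_TCP_PORTS = (80, 443)  # ports named in step 5 of the article

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = json.loads("""
{"SecurityGroups": [{"GroupId": "sg-EXAMPLE", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
  {"IpProtocol": "tcp", "FromPort": 9000, "ToPort": 9010,
   "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}
]}]}
""")

def covers(perm, port):
    """True if an inbound rule admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols and all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def sources(perm):
    """IPv4 and IPv6 CIDR sources of a rule (group-to-group rules have none)."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])

def audit(group):
    """Return (required ports with no CIDR rule, world-open rules to review)."""
    perms = group.get("IpPermissions", [])
    missing = [p for p in REQUIRED_TCP_PORTS
               if not any(covers(r, p) and sources(r) for r in perms)]
    review = []
    for r in perms:
        world = [s for s in sources(r) if s in ("0.0.0.0/0", "::/0")]
        # A rule for exactly port 80 or 443 is the one step 5 asks for.
        expected = (r.get("IpProtocol") in ("tcp", "6")
                    and r.get("FromPort") == r.get("ToPort")
                    and r.get("FromPort") in REQUIRED_TCP_PORTS)
        if world and not expected:
            review.append((r.get("IpProtocol"), r.get("FromPort"), r.get("ToPort")))
    return missing, review

if __name__ == "__main__":
    for g in SAMPLE["SecurityGroups"]:
        print(g["GroupId"], audit(g))
```

To run it against a real group, replace `SAMPLE` with the parsed output of `aws ec2 describe-security-groups --group-ids <your-group-id>`.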
