How to deploy a Check Point Endpoint Security Management Server in AWS
Solution

Endpoint Security Management Server R77.30.03 is supported on the Amazon Web Services cloud platform (AWS).


Follow these steps to deploy this server in AWS:

  1. Deploy a new machine in AWS using the Check Point R77.30 Security Management template from sk111013.

    1. Launch the stack.
    2. Specify the details.
    3. Select the template.
    4. Configure the template.

  2. Install the SmartConsole required for Endpoint Security Server R77.30.03 from sk115512.

  3. Download the R77.30 Jumbo Hotfix for Endpoint Security Management Server and transfer it to the deployed R77.30 Security Management machine.

  4. Install the R77.30 Jumbo Hotfix for Endpoint Security Management Server on the deployed R77.30 Security Management.

    1. Go to the directory to which you transferred the Jumbo Hotfix package:

      [Expert@HostName:0]# cd /<path_to_jumbo>/

    2. Unpack the Jumbo Hotfix:

      [Expert@HostName:0]# tar -zxvf R77.30_jhf_T143_EP.tgz

    3. Install the Jumbo Hotfix using this exact syntax:

      [Expert@HostName:0]# ./UnixInstallScript -NOCRS

    4. Reboot the machine (a reboot is required).

  5. Download the R77.30.03 Endpoint Security Server Package for Gaia OS and transfer it to the deployed R77.30 Security Management machine.

    Install the R77.30.03 Endpoint Security Server Package for Gaia OS on the deployed R77.30 Security Management machine.

    1. Go to the directory to which you transferred the R77.30.03 package:

      [Expert@HostName:0]# cd /<path_to_package>/

    2. Unpack the R77.30.03 package:

      [Expert@HostName:0]# tar -zxvf R77.30.03_Gaia.tgz

    3. Install the R77.30.03 package using this exact syntax:

      [Expert@HostName:0]# ./UnixInstallScript -NOCRS

    4. Reboot the machine (a reboot is required).
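    The following script is an added example (not code from the SK article or from Check Point) that wraps steps 4 and 5 above: it checks the package name and location, confirms free space on the filesystem that holds the package (the lv_current note below is why), unpacks the archive and runs its UnixInstallScript -NOCRS. MIN_FREE_MB is an assumed threshold, and SAMPLE_DF is constructed df output used only to exercise the parser offline.

```shell
#!/bin/bash
# Added example, not from the SK article: preflight checks plus the
# unpack-and-install sequence for a Check Point package on Gaia.
# Assumption: MIN_FREE_MB is a chosen threshold, not a value from the article.
set -u

MIN_FREE_MB=${MIN_FREE_MB:-2048}

# Parse the "Available" column (MB) from `df -Pm <path>` output.
avail_mb_from_df() {
  printf '%s\n' "$1" | awk 'NR == 2 { print $4 }'
}

# Free MB on the filesystem that holds $1 (lv_current is the root volume on Gaia).
avail_mb() {
  avail_mb_from_df "$(df -Pm "$1")"
}

# Accept only the two package names used in the procedure above.
package_name_ok() {
  case "$1" in
    R77.30_jhf_T*_EP.tgz | R77.30.03_Gaia.tgz) return 0 ;;
    *) return 1 ;;
  esac
}

# Unpack $2 inside $1 and run the installer; returns non-zero on any failure.
install_package() {
  local pkg_dir=$1 pkg=$2 avail
  package_name_ok "$pkg" || { echo "unexpected package name: $pkg" >&2; return 2; }
  [ -f "$pkg_dir/$pkg" ] || { echo "missing: $pkg_dir/$pkg" >&2; return 2; }
  avail=$(avail_mb "$pkg_dir")
  [ "$avail" -ge "$MIN_FREE_MB" ] || { echo "only ${avail} MB free" >&2; return 3; }
  cd "$pkg_dir" || return 2
  tar -zxvf "$pkg" || return 4
  [ -x ./UnixInstallScript ] || { echo "no UnixInstallScript in $pkg" >&2; return 4; }
  ./UnixInstallScript -NOCRS || return 5
  echo "install finished; reboot is required"
}

# Constructed sample df output (not captured from a real system) for checking
# the parser without touching the machine.
SAMPLE_DF='Filesystem 1048576-blocks Used Available Capacity Mounted on
/dev/mapper/vg_splat-lv_current 20000 8000 12000 40% /'
```

    Run it from Expert mode as, for example, `install_package /home/admin R77.30_jhf_T143_EP.tgz`, and reboot when it reports that the install finished.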

  6. Configure a NAT rule

    Configure a NAT rule in SmartDashboard so that the public IP address of the deployed machine (the address end users connect to) is added to the list of supported Endpoint Servers. Proceed as follows:

    1. In SmartDashboard, double-click the Management Object (the one with the Endpoint Policy Management software blade enabled).
    2. The Check Point Host General Properties window opens and shows the object's IP address and SIC status. Confirm that SIC is initialized and trust is established, and that the IP address is still the original (internal) address.

    3. Navigate to the NAT section on the left side of the window.
    4. Select the checkbox that says "Add Automatic Address Translation rules".
    5. Select 'Hide' Translation Method.
    6. Under 'Hide behind IP Address', set 'IPv4 Address' to the valid public IP address that should be translated to the internal IP address (anyone connecting to the public IP address is then directed to the Endpoint Server's internal IP address).
    7. Select the Gateways this rule should be installed on.
    8. Leave the last checkbox ("Apply for Security Gateway control connections") unchecked.
    9. Click "OK".

    10. Save and install database in SmartDashboard.
      Once the object is correctly configured with a public IP address that is translated to its internal address, install the database on the Endpoint Servers exactly as described above.

    11. Log in to the SmartEndpoint console.
    12. Click the menu at the top left of the window and select 'File > Manage > Endpoint Servers'.
    13. Highlight the NATed object and select "Edit".
    14. Click "Next" and "Next" again (in the second window, verify that SIC is established and the status shows 'Trust Established').
    15. In the third window, make sure that all the "Install Database" checkboxes are selected, and click "Finish".
    16. After the Install Database completes, install policy (still in SmartEndpoint).
    17. Download the initial client again. If you have exported packages, recreate them (remember to install policy afterwards) and use them for deployment.
  7. Edit the existing inbound AWS management Security Group and add port 80.

Notes:

  • When connecting with SmartEndpoint GUI to the Endpoint Security Server, the public IP address of the deployed Endpoint Security Server machine should be used.

  • Before uploading the Endpoint Security Client, verify that there is sufficient disk space on lv_current partition.

    If the partition needs to be resized, then refer to sk111089 or sk106242 to increase the disk size of a Check Point instance in AWS.

  • To deploy a Policy Server, use the Check Point vSEC (R77.30) Next Gen Firewall & Threat Prevention (BYOL) template from the AWS marketplace.

  • In order to connect to an Active Directory Server, the domain controller and Endpoint Security Management Server should be on the same network (for example, use Site-to-Site VPN or DirectConnect service).

  • When connecting a Policy Server to an Endpoint Security Management Server in an AWS environment, the internal IP address of the Policy Server should be used.

  • Security Groups should allow traffic through ports that are used by Endpoint Security Management Server (refer to sk52421).
