Obtain AntiVirus Updates for Disconnected Endpoints

Endpoints obtain AntiVirus definition and engine updates from the Endpoint Security Server. As this server is not accessible from outside the corporate network, endpoints generally only receive updates when they are connected to that network, either in a corporate office or over a VPN.

However, the HTTPS and HTTP protocols can be leveraged so that IT Administrators can easily manage endpoints over both the intranet and the internet (no VPN tunnel required).

This section will guide IT Administrators on how to distribute AntiVirus Definitions to endpoints over the internet without publishing or exposing the Endpoint Security Server to the internet.

Network Diagram

The diagram below provides a high-level overview of how the solution works. In this example there are two static IP addresses:

  • 10.10.10.10 – IP Address for Ivanti Caching Proxy.
  • 10.10.10.11 – IP Address for the Endpoint Security Server.

Steps

  1. Install an Ivanti Caching Proxy inside your demilitarized zone (DMZ)
    The goal is to designate a caching server that acts as a “middle-man” between the Endpoint Security Server and the managed endpoints. Ivanti recommends leveraging your existing internet-facing caching solution or installing the Ivanti Caching Proxy.

    Installing a caching proxy will also reduce the workload on the Endpoint Security Server during large deployments or security update rollouts.
  2. Create Firewall Rule
    Create a firewall rule that allows the static IP address of the Caching Proxy inbound access to the Endpoint Security Server. These rules are explicit: they allow TCP traffic from the Caching Proxy inside your DMZ to the Endpoint Security Server inside your enterprise network. See the table below for the recommended rules.

    Direction   TCP Port Number   Description
    Inbound     25253             This is the default port number for the Ivanti Caching Proxy.
    Inbound     443               This is the default port number for the Endpoint Security Agent and is used for basic communication.
    Inbound     80                This is the default port number for the Endpoint Security Agent and is used for HTTP downloads.
  3. Test Firewall Rules
    Test these firewall rules from outside the enterprise network to make sure proper connectivity is allowed to the Endpoint Security Server address.
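The following script, added here as an example and not part of the Ivanti article, checks each recommended rule with a plain TCP connect and reports the result per rule. It assumes the addresses from the network diagram (10.10.10.10 for the Caching Proxy, 10.10.10.11 for the Endpoint Security Server); replace them with your own. Because the rules admit the Caching Proxy's static IP, the 443 and 80 checks are meaningful when run from the Caching Proxy host in the DMZ, while the 25253 check is run from outside the enterprise network; the `run_from` field (an assumed name) records which vantage point each result belongs to.

```python
import socket
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Rule:
    host: str         # address the rule admits traffic to (assumed from the diagram)
    port: int         # TCP port from the table
    description: str
    run_from: str     # vantage point from which this check is meaningful


# Recommended rules from the table; the addresses are assumed from the diagram.
RULES = (
    Rule("10.10.10.10", 25253, "Ivanti Caching Proxy", "outside the enterprise network"),
    Rule("10.10.10.11", 443, "Endpoint Security Agent, basic communication", "the Caching Proxy host (DMZ)"),
    Rule("10.10.10.11", 80, "Endpoint Security Agent, HTTP downloads", "the Caching Proxy host (DMZ)"),
)


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout.

    Only the handshake is exercised; no application data is sent, so this
    tests the firewall rule rather than the service behind it.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable or name resolution failure
        return False


def check_rules(rules: Iterable[Rule] = RULES, timeout: float = 3.0) -> Dict[Tuple[str, int], bool]:
    """Probe every rule and return {(host, port): reachable}."""
    return {(r.host, r.port): tcp_open(r.host, r.port, timeout) for r in rules}


def report(rules: Iterable[Rule], results: Dict[Tuple[str, int], bool]) -> List[str]:
    """Render one line per rule, naming the vantage point the result applies to."""
    lines = []
    for r in rules:
        state = "OPEN" if results.get((r.host, r.port)) else "BLOCKED/UNREACHABLE"
        lines.append(f"{r.host}:{r.port} ({r.description}) from {r.run_from}: {state}")
    return lines


if __name__ == "__main__":
    for line in report(RULES, check_rules(RULES)):
        print(line)
```

A BLOCKED result for 25253 from outside means mobile endpoints will not reach the Caching Proxy; a BLOCKED result for 443 or 80 from the proxy host means the proxy cannot fetch from the Endpoint Security Server, so check the rule's source address as well as the port.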

  4. Create Agent Policy for Mobile Computers
    In this task, we create a dedicated policy for your mobile computers so we can activate the FastPath Servers feature. This feature configures the Agent to communicate with the Caching Proxy when the computer is not connected to the enterprise network.
    1. Log on to the Endpoint Security Console. Select Manage > Agent Policy Sets. Click the Create button to create a new agent policy.
    2. Name the policy Mobile Computer Policy.
    3. Under the FastPath Servers section, click the Modify button to define the values.
    4. Add the following URLs to this page:

      Address             Port    Description
      http://10.10.10.10  25253   This setting will auto-configure the Endpoint Security Agent to communicate with a Caching Server located inside the DMZ. Ivanti recommends using a DNS record for the 10.10.10.10 IP address.
      http://10.10.10.11  80      This setting will auto-configure the Endpoint Security Agent to communicate with the Endpoint Security Server when the laptop is connected to the enterprise network.

    5. Configure the Interval to 60 minutes and click Save.
  5. Create a new Custom Group for Mobile Computers.
    We need to create a new group for your Mobile Computers so we can assign the Mobile Computer Policy with the FastPath Server settings.
    1. Select Manage > Groups. Right-click Custom Group and select Create Group.
    2. For the Group Name, type Mobile Computers Group and click Save.
    3. Change the view setting to Endpoint Membership and add at least one endpoint to the group so we can test the settings.
    4. Change the view setting to Agent Policy Sets and assign the Mobile Computer Policy to the Mobile Computers Group. This assigns the FastPath settings to all members of the Mobile Computers Group.
  6. Test the settings
    If you have a guest Wi-Fi network that does not have access to the enterprise network, connect the computer to it. Make sure this is the same computer you added as a member of the Mobile Computers Group.

    If you use Squid Proxy Server or our Ivanti Caching Proxy as your caching appliance, you can monitor the traffic by reviewing the access.log located in <installpath>\CachingProxy\var\logs.
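As an added example (not Ivanti's code), the script below summarises what that access.log shows for one endpoint. It assumes the Squid native log format (timestamp, elapsed ms, client, result/status, bytes, method, URL, ident, hierarchy/peer, content type); confirm the field positions against a real line from your Caching Proxy before relying on it. The sample lines, the /updates/... paths and the client addresses are constructed, and SERVER_HOST is the Endpoint Security Server address assumed from the diagram. Besides hit/miss counts it lists any request whose destination is not the Endpoint Security Server, since a proxy placed in the DMZ for this purpose should only be relaying to that one address.

```python
from collections import Counter
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit

# Endpoint Security Server address from the diagram (assumed).
SERVER_HOST = "10.10.10.11"

# Constructed sample lines in Squid native format; paths, clients and peers are made up.
SAMPLE_LOG = """\
1697030400.512    118 203.0.113.25 TCP_MISS/200 8423 GET http://10.10.10.11/updates/example-definition.bin - HIER_DIRECT/10.10.10.11 application/octet-stream
1697030415.044      3 203.0.113.26 TCP_HIT/200 8423 GET http://10.10.10.11/updates/example-definition.bin - HIER_NONE/- application/octet-stream
1697030420.901     95 203.0.113.25 TCP_MISS/200 1200 GET http://10.10.10.11/updates/example-engine.bin - HIER_DIRECT/10.10.10.11 application/octet-stream
1697030433.207     60 198.51.100.7 TCP_MISS/200 512 GET http://example.com/ - HIER_DIRECT/203.0.113.99 text/html
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one Squid-native access.log line; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 9:
        return None
    try:
        timestamp = float(parts[0])
        elapsed_ms = int(parts[1])
        size = int(parts[4])
    except ValueError:
        return None
    result, _, status = parts[3].partition("/")   # e.g. TCP_MISS/200
    return {
        "time": timestamp,
        "elapsed_ms": elapsed_ms,
        "client": parts[2],
        "result": result,
        "status": status,
        "bytes": size,
        "method": parts[5],
        "url": parts[6],
        "dest_host": urlsplit(parts[6]).hostname or "",
    }


def summarize(lines: Iterable[str], client: Optional[str] = None,
              server_host: str = SERVER_HOST) -> Dict[str, object]:
    """Count requests, bytes and cache results, optionally for one client only.

    Any request whose destination is not server_host is recorded under
    "unexpected" so a proxy that is relaying elsewhere stands out.
    """
    summary: Dict[str, object] = {"requests": 0, "bytes": 0, "results": Counter(), "unexpected": []}
    for raw in lines:
        entry = parse_line(raw)
        if entry is None or (client and entry["client"] != client):
            continue
        summary["requests"] += 1
        summary["bytes"] += entry["bytes"]
        summary["results"][entry["result"]] += 1
        if entry["dest_host"] != server_host:
            summary["unexpected"].append((entry["client"], entry["dest_host"]))
    return summary


if __name__ == "__main__":
    # Use the constructed sample; on the proxy host pass the lines of access.log instead.
    overall = summarize(SAMPLE_LOG.splitlines())
    print("all clients:", overall)
    print("one endpoint:", summarize(SAMPLE_LOG.splitlines(), client="203.0.113.25"))
```

When the test endpoint from step 6 fetches through the proxy, its requests appear as TCP_MISS on the first download and TCP_HIT for later endpoints requesting the same file, which is the caching benefit step 1 describes; an empty "unexpected" list confirms the proxy only forwarded to the Endpoint Security Server.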
  7. Add all mobile computers to the Mobile Computers Group.
    Once you are satisfied with the test results, add all of the mobile computers managed by the Endpoint Security Server to the Mobile Computers Group. This activates the FastPath settings, and you can then manage endpoints over the Internet while the Endpoint Security Server remains inside the enterprise network.