Day1 02 E80 Architecture


E80 Architecture

Check Point Endpoint Security E80


Pre-sales Training
Endpoint SE Team – Europe – 2012
©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
©2012 Check Point Software Technologies Ltd. | [Confidential] For Check Point users and approved third parties
Objective

 To provide an overview of architectural components and technologies
 To provide an overview of client-server and management communications
 To provide guidance for Architecture definition and sizing

Agenda

1 E80 Architecture Overview

2 Communication Architecture

3 Sizing & Scalability

E80 Architecture Overview

Architecture Overview – E80.40

[Diagram: Endpoint Security Management, Directory server, Endpoint Clients]
Architecture Overview – E80.40

[Diagram: Endpoint Security Management, Directory server, Endpoint Clients]

Endpoint Security Management components:
– Endpoint Database: contains Endpoint policies, users/computers, licenses, and management data
– Apache: Endpoint Web service and content hosting environment
– Tomcat: application environment & Management Server logic
– AD Scanner: used to obtain AD structure for directory-based policy
Architecture Overview – E80.40

[Diagram: Endpoint Security Management, Directory server, Endpoint Clients, Endpoint Blades, Policies]

Endpoint Blades: Endpoint Security modules (FDE, ME, Firewall, etc.)
– Blades shown: Anti Malware, WebCheck, VPN Client, Compliance, Network Protection, FDE, ME, on top of the E80 Agent
– Each blade is independent, modular and centrally managed
– The blade configuration on the endpoint is dynamic – blades may be added or removed from central management by assigning a Software Deployment Rule
Architecture Overview – E80.40

[Diagram: Endpoint Security Management, Secondary Management (Sync over SIC), Directory server, Endpoint Clients, Endpoint Blades]
Architecture Overview – E80.40

[Diagram: Endpoint Security Management, Secondary Management (Sync over SIC), Directory server, Endpoint Clients, Endpoint Blades]

Secondary Management
– Provides management availability in case Primary Endpoint Management is unavailable
– Synchronizes with the Primary EP Management to maintain a replica of system configuration and database
Architecture Overview – E80.40

[Diagram: Endpoint Security Management, Secondary Management (Sync over SIC), Directory server, Endpoint Clients, Endpoint Blades, Endpoint Policy Servers]
Architecture Overview – E80.40

[Diagram: Endpoint Security Management, Secondary Management (Sync over SIC), Directory server, Endpoint Clients, Endpoint Blades, Endpoint Policy Servers]

Endpoint Policy Servers
– Provides connection scalability by accepting remote client connections and communications
Endpoint Management Components

R75.40 Management
– Runs on appliances, open servers, and virtual servers
– Secure, distributed architecture, allowing administration of multiple servers from a single management platform
– Modular security architecture, allowing addition of security, management, and logging features
– This version of management supports the add-on installation of E80.40 Endpoint Security Server and Management
Endpoint Management Components

Software Blades
– In R75.40, Software Blades provide protection and/or management capability. Examples include SmartEvent, SmartLog, etc.
– Not all blade combinations may be possible on a particular server, depending on management and hardware limitations.
Endpoint Management Components

E80.40
– Endpoint E80.40 is a Management add-on to R75.40. It provides configuration and administration of all Endpoint client features except VPN
– It is integrated into the Check Point management and logging architecture
Endpoint Management Components

R75.40 SmartConsole
– Windows-based GUI tools for administering Check Point servers
Endpoint Management Components

E80.40 SmartEndpoint
– A component of R75.40 SmartConsole, a Windows-based GUI tool to administer E80.40 Endpoint
Server System Requirements

 Supported Operating Systems:
– GAIA R75.40
– SecurePlatform (SPLAT) R75.40
– Windows: 2003/2008 (all editions); 2003 R2 / 2008 R2 (all editions)
– VMware: vSphere 4.0, 4.1, 5.0; ESXi 4.1.0, 5.0

 Minimum Hardware Requirements for installation:
– Intel 2GHz processor
– 2GB RAM
– 4GB disk
Important reminders

 E80.40 add-on can only be installed on top of R75.40 Management
– Installation on top of Management+GW or GW is not supported

 E80.40 add-on doesn't support R75.45
– If E80.40 is already installed on top of R75.40, you can't upgrade to R75.45
– R&D will release a specific E80.40 add-on to support R75.45 (no ETA yet)

 Upgrades to E80.40 are only supported from E80.30
– If you need to upgrade from R80, R80.10 or E80.20, upgrade first to E80.30
– Upgrade to E80.40 requires additional steps (Policy conversion export and import) – read the installation guide carefully
Communication Architecture

Server to Server Communication

[Diagram: Endpoint Policy Servers – SIC (TCP/18193) – Endpoint Security Management – SIC (TCP/18221) – Secondary Management]

 Note that installation packages must be manually replicated to Secondary servers
– Refer to Management Installation module
Management to Server Communication

[Diagram: SmartEndpoint – SIC (TCP/18190) – Endpoint Security Management]

 Endpoint Policy Servers: direct management access not possible
 Secondary Management: SIC (TCP/18190) for Read-Only access or Server promotion to Primary
Client to Server Communication

[Diagram: Endpoint Client – TCP/80 and TCP/443 – Endpoint Security Management; Endpoint Client – TCP/80 and TCP/443 – Endpoint Policy Servers; Secondary Management]

 Secondary Management: communication not accepted until Secondary Server is promoted to Primary
Client-Server Communication

 2 mechanisms are used for client-server communication
– Heartbeat
– Synchronization

 Heartbeat is periodic client connection to the server
– Establishes a keep alive session and detects updates to download
– By default, every 60 seconds

 Synchronization will update client policies and provide status, blades updates and logs to the server
Connected / Disconnected Policies

 When an endpoint establishes sync with a server, the client establishes itself in a Connected state as long as the heartbeats that follow are able to reach the server
– This will result in Connected Policies being applied

 If Disconnected Policies have been created for one or more blades, a Disconnected state will take effect after the client loses connection to the server
– Examples: no connection to server, change in network interface
– This will result in Disconnected Policies being applied if no other server can be reached

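The Connected/Disconnected behaviour above, as an added illustration that is not Check Point code: a small Python model of a client that heartbeats its known servers every 60 seconds, stays Connected while any server answers, and falls back to a blade's Disconnected Policy only when no server can be reached and that blade has one. Server names, reachability sets and policy names are constructed.

```python
from typing import Dict, List, Optional, Set, Tuple

HEARTBEAT_INTERVAL_S = 60  # default heartbeat period stated on the slides


class BladePolicy:
    """Connected Policy plus an optional Disconnected Policy for one blade."""
    def __init__(self, connected: str, disconnected: Optional[str] = None):
        self.connected = connected
        self.disconnected = disconnected   # None: no Disconnected Policy created


class EndpointClient:
    def __init__(self, servers: List[str], blades: Dict[str, BladePolicy]):
        self.servers = servers             # management + policy servers, preferred order
        self.blades = blades
        self.state = "Disconnected"        # no sync established yet
        self.active_server: Optional[str] = None

    def heartbeat(self, reachable: Set[str]) -> str:
        """One heartbeat: keep the current server if it answers, else try the others."""
        order = [s for s in [self.active_server] + self.servers if s]
        for server in order:
            if server in reachable:
                self.active_server, self.state = server, "Connected"
                return self.state
        self.active_server, self.state = None, "Disconnected"   # no other server reachable
        return self.state

    def effective_policies(self) -> Dict[str, str]:
        """Per blade: Disconnected Policy only if one exists and we are Disconnected."""
        chosen = {}
        for name, pol in self.blades.items():
            use_disconnected = self.state == "Disconnected" and pol.disconnected is not None
            chosen[name] = pol.disconnected if use_disconnected else pol.connected
        return chosen

    def simulate(self, reachability: List[Set[str]]) -> List[Tuple[int, str]]:
        """Run one heartbeat per interval; reachability[i] = servers answering at tick i."""
        return [(i * HEARTBEAT_INTERVAL_S, self.heartbeat(r)) for i, r in enumerate(reachability)]
```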
Scalability & Sizing

E80.40 Scalability and Sizing Guide

 Scalability and Sizing Guide is available from sk82100
 Make sure to download and read this document
 Information presented here is based on content of the guide
E80 Sizing

 Sizing of E80 Architecture is driven by 2 main factors
– Number of Endpoints and Blades to manage
– Number of AD objects scanned

 Number of Endpoints to manage will have an impact on:
– Management Servers Sizing
– Policy Servers Sizing

 Number of AD objects scanned will have an impact on:
– Management Servers Sizing
AD Size Considerations

 Warning: we do not import all objects from Active Directory
– "AD scanned objects" refers to successfully imported objects, not the actual size of the AD being scanned

 What gets scanned from AD:
– Organizational units (including “Users”, “Computers” and “Built-in” containers).
– Users that are not contacts.
– Computers.
– Groups that are security groups (not distribution groups).

 An external tool (ADFind) can be used to query the object count
– Scripts to use ADFind are available in the Scalability and Sizing guide
Hardware Server Sizing

 The table below lists the different configurations tested and validated with GAIA appliances

[Table: tested GAIA appliance configurations]
How to use the Hardware Table sizing

 Estimate the number of Endpoints and the AD "scanned objects" size
 Find the row with clients and AD values closest to your environment, but not less than your environment.
– This will give you the minimum requirements for the Management Server and Policy Servers

 Policy Servers
– Up to 25 Policy Servers are supported
– Smart-1 5 as a policy server can handle up to 5000 clients
– Smart-1 25 as a policy server can handle up to 27000 clients
High-Scale (20K+ seats) Configuration

 The Endpoint Security Management Server should not be configured as an Endpoint Policy Server.
– Additional External Policy Servers should be installed to handle Endpoint Security clients’ requests and distribute load

 Endpoint Security Management Server should be 64-bit.
– GAIA: follow procedure in SK83640 to convert system to 64-bit.

 For more than 80K Endpoint Security clients deployed, the Heartbeat Interval should be increased to 2 minutes.
 Log forwarding (transferring logs from one Log Server to another) should not be configured.
Sizing Example 1

 3000 Endpoint Total Security, 18000 AD scanned objects

[Diagram: Endpoint Security Management]
Sizing Example 2

 9000 Endpoint Total Security, 22000 AD scanned objects

[Diagram: Endpoint Security Management, Endpoint Policy Server]
Sizing Example 3

 17000 Endpoint Total Security, 150 000 AD scanned objects

[Diagram: Endpoint Security Management, Endpoint Policy Server]
Windows Server Sizing

 As guidance, Windows hardware of equivalent spec to the CP appliances will achieve similar scalability
 Maximum number of seats tested in a Windows configuration is 60K seats Total Security, with 300K scanned AD objects
Disk Space

 Disk space consumption:

 Calculation Assumptions:
– Calculations based on AD size of 5x the number of clients

 Calculation for other quantities:
– Scalability figures are approximately linear

 Client logging to server:
– 240KB per client per day, assuming:
– 50 logs / hour, 200 bytes per log entry
Deployments

 Server Supports up to:
– 300 concurrent package downloads
– 1000 simultaneous client deployments

 Bandwidth per deployment:
– Packaging: ~10 to 200 MB per client depending on blade
– Initial Anti-malware Updates: ~145MB / endpoint

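A planning helper built from the figures on the Hardware Table sizing, High-Scale, Disk Space and Deployments slides above; this is an added example, not a Check Point tool and not the sk82100 guide. It assumes only the two policy-server appliances the slides quote (Smart-1 5, Smart-1 25) and does not model the appliance table itself, which is an image in the deck.

```python
import math
from typing import Dict, Tuple

# Figures from the slides; the model list is an assumption limited to the two quoted appliances
POLICY_SERVER_CAPACITY = {"Smart-1 5": 5000, "Smart-1 25": 27000}
MAX_POLICY_SERVERS = 25
HIGH_SCALE_SEATS = 20_000        # 20K+ seats: dedicated policy servers, 64-bit management
LONG_HEARTBEAT_SEATS = 80_000    # above this, heartbeat interval goes to 2 minutes
LOGS_PER_HOUR, BYTES_PER_LOG = 50, 200
PKG_MB_MIN, PKG_MB_MAX, AM_UPDATE_MB = 10, 200, 145
MAX_SIMULTANEOUS_DEPLOYMENTS = 1000


def policy_servers_needed(endpoints: int, model: str) -> int:
    """Policy servers of one model needed to carry every client, within the 25-server limit."""
    count = math.ceil(endpoints / POLICY_SERVER_CAPACITY[model])
    if count > MAX_POLICY_SERVERS:
        raise ValueError(f"{count} x {model} exceeds the {MAX_POLICY_SERVERS} policy server limit")
    return count

def log_bytes_per_day(endpoints: int) -> int:
    """Client logging to server: 50 logs/hour x 200 bytes, i.e. 240 KB per client per day."""
    return endpoints * LOGS_PER_HOUR * 24 * BYTES_PER_LOG

def deployment_waves(endpoints: int) -> int:
    """Rollout waves if no more than 1000 clients are deployed simultaneously."""
    return math.ceil(endpoints / MAX_SIMULTANEOUS_DEPLOYMENTS)

def rollout_traffic_mb(endpoints: int) -> Tuple[int, int]:
    """(low, high) MB to push: package (10-200 MB by blade set) + initial Anti-malware update."""
    return (endpoints * (PKG_MB_MIN + AM_UPDATE_MB), endpoints * (PKG_MB_MAX + AM_UPDATE_MB))

def plan(endpoints: int, ad_objects: int, model: str = "Smart-1 25") -> Dict[str, object]:
    """Apply the slides' rules to one environment; the appliance table itself is not modelled."""
    high_scale = endpoints >= HIGH_SCALE_SEATS
    return {
        "policy_servers": policy_servers_needed(endpoints, model),
        "dedicated_policy_servers": high_scale,      # management must not also be a policy server
        "management_64bit": high_scale,
        "log_forwarding_allowed": not high_scale,
        "heartbeat_seconds": 120 if endpoints > LONG_HEARTBEAT_SEATS else 60,
        "log_mb_per_day": log_bytes_per_day(endpoints) / 1_000_000,
        "deployment_waves": deployment_waves(endpoints),
        # the disk-space slide assumes AD is 5x the client count; flag anything beyond that
        "ad_exceeds_5x_assumption": ad_objects > 5 * endpoints,
    }
```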
Q&A ?
