To keep visibility of Endpoint Encryption agents while they connect from the Internet, the solution provided by Trend Micro is to deploy the Endpoint Encryption proxy in the DMZ. However, some users have security concerns about placing a Windows server in the DMZ.
This article provides the steps to harden that Windows system to improve its security without impairing the Endpoint Encryption proxy functionality.
This guide is based on the following assumptions:
- Only Endpoint Encryption 5.0 / 6.0 agents connect to the PolicyServer; legacy agents (3.1.3 or earlier) are not supported.
- Only the Endpoint Encryption proxy is installed on the Windows system. If other software is installed, some Windows components cannot be removed without affecting those other services.
- Windows Server 2016 Standard edition is suggested.
Hardening the Windows system
- Ensure the Windows Firewall is turned on and allow TMEEForward to communicate through it.
- Reject connections from PolicyServer MMC or TMCM to the PolicyServer via the Endpoint Encryption proxy by adding the following registry value:
  - In the "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Trend Micro\TMEEForward" key, create a string value named "filter" and set its data to "admin".
  - Restart the TMEEForward service.
  - Use PolicyServer MMC to connect to the PolicyServer via the Endpoint Encryption proxy; the result should be "Unable to connect to PolicyServer".
  - An error event is generated on the Endpoint Encryption proxy whenever PolicyServer MMC or TMCM attempts to connect to the PolicyServer via the proxy.
- Configure the firewall between the DMZ and the Intranet to allow only traffic from the Endpoint Encryption proxy to the PolicyServer (port 8080) in the Intranet. Block all other traffic.
  - Use a network discovery and security auditing tool (such as nmap) to confirm that only port 8080 and port 5985 (the default port for WS-Management and PowerShell remoting) are open on the proxy.
- Confirm that FDE can now connect to the PolicyServer via the Endpoint Encryption proxy.
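The steps above, applied and verified from an elevated PowerShell session on the proxy host, as an added example (not Trend Micro's own script). It assumes the service is registered under the name "TMEEForward", that the registry key path is the one given above, and that the PolicyServer host name is a placeholder you replace with your own.

```powershell
# Added example: apply and verify the Endpoint Encryption proxy hardening steps.
# Assumptions: service name "TMEEForward", registry key as in the article,
# placeholder PolicyServer host name. Run as Administrator.
$ServiceName   = 'TMEEForward'
$RegKey        = 'HKLM:\SOFTWARE\WOW6432Node\Trend Micro\TMEEForward'
$PolicyServer  = 'policyserver.example.internal'   # placeholder, replace
$PolicyPort    = 8080
$ExpectedPorts = @(8080, 5985)   # proxy listener + WS-Management, per the article

# 1. Firewall on for every profile; allow only the TMEEForward binary inbound.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service $ServiceName not found; is the proxy installed?" }
# PathName may be quoted and carry arguments; keep only the executable path.
$exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
       else { ($svc.PathName -split ' ')[0] }
if (-not (Get-NetFirewallRule -DisplayName 'Allow TMEEForward' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'Allow TMEEForward' -Direction Inbound `
        -Program $exe -Action Allow -Profile Any | Out-Null
}

# 2. Reject PolicyServer MMC / TMCM through the proxy: string value filter=admin.
New-ItemProperty -Path $RegKey -Name 'filter' -Value 'admin' `
    -PropertyType String -Force | Out-Null

# 3. Restart the service so the filter takes effect, then verify the value.
Restart-Service -Name $ServiceName
$filter = (Get-ItemProperty -Path $RegKey -Name 'filter').filter
if ($filter -ne 'admin') { throw "Registry filter value is '$filter', expected 'admin'" }

# 4. DMZ-to-Intranet path: the PolicyServer on port 8080 should be reachable.
$tnc = Test-NetConnection -ComputerName $PolicyServer -Port $PolicyPort
"PolicyServer {0}:{1} reachable: {2}" -f $PolicyServer, $PolicyPort, $tnc.TcpTestSucceeded

# 5. Local view of what the nmap scan should show: warn on listeners other
#    than 8080 and 5985 (loopback-only listeners are ignored).
$listening = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -ne '127.0.0.1' -and $_.LocalAddress -ne '::1' } |
    Select-Object -ExpandProperty LocalPort -Unique | Sort-Object
$unexpected = $listening | Where-Object { $ExpectedPorts -notcontains $_ }
"Listening ports: $($listening -join ', ')"
if ($unexpected) { Write-Warning "Unexpected listeners: $($unexpected -join ', ')" }
```

The listener check is a local complement to the external nmap scan, not a replacement for it, since the DMZ firewall rules are only visible from outside the host.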