When endpoints are connected to the UGMC, the administrator can centrally manage a large number of endpoints, flexibly configure security policies using firewall rules, and perform endpoint compliance checks.
Port 4045 is used to register an endpoint device on the UGMC; devices are registered using a pin code. After registration, the endpoint device is assigned a unique ID to communicate with the server in the future.
Once registered, the endpoint requests configuration from the UGMC every 10 seconds. UGMC sends to the endpoint the firewall and VPN settings, general template settings, element libraries, HIP objects, and profiles if they are used in firewall rules. The configuration is sent to the endpoint device if it is changed on the UGMC.
The endpoint sends telemetry (CPU load, disk information, system uptime, etc.) to UGMC, as well as configuration that is used for HIP validation: the information about the system security level (status of antivirus, firewall, automatic system update, BitLocker), the list of running processes and services, list of installed updates, and the information about installed software. We'll discuss compliance checking in more detail later. The configuration will only be sent in case of changes.
An additional block of information is transmitted to UGMC when the window with information about the endpoint is opened (Realm management desktop, Endpoints ➜ Devices section). This block contains information about the current time and boot time of the endpoint device (including time zone), USB devices connected to the device, startup items, restore points, processes, services, performance (CPU utilization, memory, disk size and type, UserGate Client status), installed system updates and registry keys (if search was used in the respective tab).
If UserGate Log Analyzer is used: for each active LogAn server, a port in the range of 22000--22711 is opened. This port receives telemetry, Windows logs and other endpoint security data sent to LogAn in transit through UGMC. The received data can be used to analyze and automatically respond to security threats.
HIP Checking in UGMC
UserGate allows checking whether an endpoint device complies with the security requirements. Compliance checking is based on HIP profiles (see the respective section of the Administrator's Guide for details) and follows this procedure:
The endpoint sends the following data to UGMC:
- the user information;
- the system data (version, edition, NetBIOS name);
- the list of running processes;
- the list of running services;
- the list of installed software (name, vendor, version);
- the registry keys;
- the list of system updates;
- the startup items;
- the information about system security (antimalware, firewall, BitLocker, etc.);
- the information about system restore points.
Only HIP profiles specified in the firewall rules as one of the filtering conditions are used to check compliance. The check result is displayed in the UGMC console in Realm Management under Endpoints ➜ Devices. If the check succeeds, the rule is sent to the endpoint device.
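The procedure above as an added Python model, not UserGate's own code: the endpoint report, the HipProfile fields, the FirewallRule structure, and the assumption that a rule with no HIP condition is always sent are constructed for illustration only.

```python
"""Simplified model of the HIP compliance check: only HIP profiles that a
firewall rule references are evaluated, and a rule is delivered to the
endpoint only when every profile it references passes."""
from dataclasses import dataclass, field

# Constructed sample of the data an endpoint reports to UGMC (not real telemetry).
ENDPOINT_REPORT = {
    "security": {"antimalware": True, "firewall": True, "auto_update": False, "bitlocker": True},
    "processes": {"explorer.exe", "svchost.exe", "edr_agent.exe"},
    "services": {"WinDefend", "MpsSvc"},
    "software": {("Acme EDR", "Acme", "4.2.1")},
    "updates": {"KB5000001", "KB5000002"},
}

@dataclass
class HipProfile:
    """Hypothetical HIP profile: each field is a requirement the endpoint must meet."""
    name: str
    require_security: dict = field(default_factory=dict)   # e.g. {"antimalware": True}
    require_processes: set = field(default_factory=set)    # process names that must be running
    require_updates: set = field(default_factory=set)      # KB ids that must be installed

    def check(self, report):
        """Return the list of unmet requirements (empty list means compliant)."""
        failures = [f"security:{k}" for k, want in self.require_security.items()
                    if report["security"].get(k) != want]
        failures += [f"process:{p}" for p in sorted(self.require_processes - report["processes"])]
        failures += [f"update:{kb}" for kb in sorted(self.require_updates - report["updates"])]
        return failures

@dataclass
class FirewallRule:
    name: str
    hip_profiles: list  # names of HIP profiles used as a filtering condition (may be empty)

def evaluate(report, profiles, rules):
    """Return (names of rules to send, per-profile failures for referenced profiles)."""
    referenced = {p for r in rules for p in r.hip_profiles}        # unreferenced profiles are skipped
    results = {name: profiles[name].check(report) for name in referenced}
    to_send = [r.name for r in rules if all(not results[p] for p in r.hip_profiles)]
    return to_send, results

# Constructed profiles and rules; "unused" is referenced by no rule and must not be checked.
PROFILES = {
    "av-and-fw": HipProfile("av-and-fw", require_security={"antimalware": True, "firewall": True}),
    "patched": HipProfile("patched", require_security={"auto_update": True}, require_updates={"KB5000003"}),
    "unused": HipProfile("unused", require_processes={"never.exe"}),
}
RULES = [FirewallRule("allow-intranet", ["av-and-fw"]),
         FirewallRule("allow-finance", ["av-and-fw", "patched"]),
         FirewallRule("allow-dns", [])]  # no HIP condition: assumed to be sent unconditionally

if __name__ == "__main__":
    print(evaluate(ENDPOINT_REPORT, PROFILES, RULES))
```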