
Securing Port 2222 on Sonicwall Firewall to allow remote connections to ESMC Server On Premise


I am looking to see if anyone has any details on the best approach to secure Port 2222 on a Sonicwall Firewall to allow remote connections to an ESMC Server that is located on premise.  I am assisting with a Company that has many remote users that do not connect to work via VPN as they can do their jobs without VPN, but this presents an issue because I cannot push out policy changes nor can I get back agent information as to the state of these computers.  KB6870 (https://support.eset.com/en/kb6870) addresses how to open Port 2222 on your Firewall to allow for Agent check-in remotely, but it does not address any security concerns about doing so.  I spoke to ESET looking for further information and none was available.  I know I can list IPs that are allowed to connect via that port, but the list is too large and that is a burden on the networking staff.  I am curious if there is a way to limit communications on that port to only agent exe communications, but not sure how to do that.  Any ideas are appreciated.  Thanks


  • ESET Staff

Not sure how deep into inspection of traffic you would like to go, but it will be necessary in case filtering based on IP address is not enough.
As AGENT->ESMC communication uses the standard TLS protocol, where both endpoints are authenticated using a certificate (i.e. it is a mutually authenticated TLS connection), the first filtering layer might just check this and prevent TLS connections (or even non-TLS connections) that are not using a trusted certificate.
A more advanced way would be to use some kind of proxy that would do TLS introspection and also analyze the content of the traffic, which is actually the HTTP2 protocol.  This would enable you to filter on this layer, but configuration would be much more complicated, as it requires an understanding of TLS/PKI certificates.

In case you would like to just limit connections to ESMC directly, a commonly used solution is to use an HTTP proxy in the DMZ part of the network, which will be forwarding communication from outside networks. This won't prevent possible attackers from opening connections to ESMC, but there will be at least one more layer to detect or prevent possible DoS attacks.


This topic is now closed to further replies.
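
The reply above mentions a first filtering layer that drops non-TLS connections before they reach ESMC. As an added example (not part of the original posts, and not ESET or SonicWall code), the sketch below shows that one check for a DMZ forwarder: classify the first bytes a client sends as a TLS ClientHello or not. The function names and sample bytes are constructed for illustration; whether the client certificate is trusted still has to be verified by whatever endpoint terminates the TLS handshake.

```python
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type "handshake"
CLIENT_HELLO = 0x01    # handshake message type "ClientHello"
MAX_RECORD = 16384     # largest plaintext fragment a TLS record may carry


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls-client-hello', 'not-tls' or 'incomplete' (read more bytes)."""
    if len(data) < 5:
        # A wrong first byte already rules out a TLS handshake record.
        if data and data[0] != TLS_HANDSHAKE:
            return "not-tls"
        return "incomplete"
    ctype, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if ctype != TLS_HANDSHAKE or major != 3 or minor > 4:
        return "not-tls"
    if not 4 <= rec_len <= MAX_RECORD:
        return "not-tls"
    if len(data) < 9:
        return "incomplete"
    hs_len = int.from_bytes(data[6:9], "big")
    # Smallest ClientHello body: version (2) + random (32) + session id length (1).
    if data[5] != CLIENT_HELLO or hs_len < 35:
        return "not-tls"
    return "tls-client-hello"


def build_sample_client_hello() -> bytes:
    """Constructed minimal ClientHello (not captured from a real agent)."""
    body = (b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session id
            + b"\x00\x02\x13\x01"                  # one cipher suite
            + b"\x01\x00" + b"\x00\x00")           # null compression, no extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed first packets a listener on the exposed port might receive.
SAMPLES = {
    "tls": build_sample_client_hello(),
    "http": b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "ssh": b"SSH-2.0-scanner\r\n",
    "partial": b"\x16\x03",
}

if __name__ == "__main__":
    for name, first in SAMPLES.items():
        print(f"{name:8s} -> {classify_first_bytes(first)}")
```

A forwarder would close the socket on `not-tls`, keep reading on `incomplete` (with a short timeout), and only relay to ESMC on `tls-client-hello`.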