Can we Inventory/Patch machines outside of our Firewall, without opening the user/admin web UIs?
Similar to the question at https://www.itninja.com/question/k1000-inventorying-remote-machines, which leads me to believe the answer to my question is "No", but I'd like that to be confirmed if possible.
Can we do inventories and patches to remote machines that are outside of our network, without opening up the user and admin web UIs to the world?
We've found the ACL option to restrict access per IP, but we're not confident that will stand up to IP-spoofing.
The article linked above indicates that we'd need to open ports 443 and 52230, but it's also a 7-year-old article, and when I look at https://support.quest.com/kb/111775/which-network-ports-and-urls-are-required-for-the-kace-sma-appliance-to-function-, I see no indication of needing port 52230 opened. That document makes me suspect that the AMP agent, when it changed a few versions back, stopped using 52230 and started using 443, sharing the same access as the web UIs. I think what I'm asking is to have the old functionality, where I could open 52230 for AMP, and leave 443 closed for the web UIs.
Any enlightenment would be appreciated. Thanks!
--
Kent
-
I heard from support that this dual port functionality is coming back in the next release. For me, I'd want to open up the agent and user portal to the outside but not the admin area. Not sure if that's possible. - glong 4 years ago
Answers (1)
Top Answer
Short answer: no.
Long answer: yes, but you need to modify your firewall, or you use the appliance unencrypted (not suggested!).
Agent communication runs over port 443 (SSL), so access to this port needs to be granted. See here: https://support.quest.com/kb/111775
If you allow access to this port, the web interfaces, which also run over port 80 (the default without SSL) or 443, are open to the internet as well. To secure that access you can use two-factor authentication (2FA) inside the appliance.
Comments:
-
Once port 443 is opened, will the K1 be able to get inventory, install software (from both internal and external Samba shares), modify system settings via scripts, install patches, etc? Thanks! - kentwest 4 years ago
-
KACE's tech support (Max Wong) wrote to me:
For the SMA publicly facing you will need ports 80 and 443 as minimal requirements; please also review the following KB.
I asked for clarification:
I need to know what "minimal" means;
does that mean *only* web access and *only* a "heartbeat" signal? Does it mean inventorying capability? Does it mean pushing a Managed Install? Does it mean running a script to tweak a registry entry? Or do these things require other ports to be opened at the firewall?
He responded back:
Yes, it means that the agent will be able to fully communicate, send and receive all data, run scripting, managed installs, patching, alerts. In summary, anything the appliance and the agent needs. ... port 443 is going to be the main in which agents will be communicating with the SMA. - kentwest 4 years ago