/build/static/layout/Breadcrumb_cap_w.png

KACE SMA in DMZ

Is anyone running their appliance in a DMZ? It makes me paranoid, but I find it tedious to log in to the VPN from my phone, to access the mobile app to check on tickets, etc. 

Asked 5 years ago 935 views
1 Comment   [ + ] Show comment
  • If you're going to do this (I wouldn't), please enable 2FA on all administrator accounts. Attackers are increasingly targeting organizations using RMM tools like KACE to spread ransomware. By simply putting your box on the outside, all it takes is one weak/compromised password to give away the keys to your whole infrastructure. - knickelbineb 5 years ago

Answers (2)

Posted by: Nico_K 5 years ago
Red Belt
1

Endorsed by Nick The Ninja

this is an usual setup. Just make sure the right ports are open or forwarded (for check in and using the webui port 80 and 443 are needed, if you put the SMA outside of your intranet you should invest into a SSL certificate and use 443 only)

Comments:
  • Does this not make you nervous in any way? Seeing as to how the appliance can communicate with every device on the network. - rruhl 5 years ago
  • no, I have this setup since 2013 like that (just the domain has been changed due to a move and a different contract, and yes, it is not really a DMZ setup just a port forwarding to a host)
    I forward only port 443 and 80 to the machine and all others are closed.
    The users on the device have 2FA. I see in the firewall logs that some nice people try to access but they are "IP blocked" for 90min if they try from outside.
    Had an issue once with 5.5 where a security flaw was found and not reported to the vendor which simply let me check when it happened, closed the firewall, setup and restore (does not need long) and wait for a fix from KACE and then was all good. - Nico_K 5 years ago
Posted by: ondrar 5 years ago
Black Belt
1

I had used Quest's KACE as a Service, where they host it for you, for 5 years.  While not in the DMZ exactly, it's completely outside of the network, and you have to have a VPN tunnel to connect internally to do things like LDAP authentication.  We did not had any problems with it, but we also have almost all the security options checked.  2FA was not one of them, but only one person had admin rights, and they were good about their password.  That was me.

 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ