
KBOX in the DMZ: Best Practices

I know from conversations at the Konference that a lot of admins have experience placing their KBOX in the DMZ to help support remote users. The business I work for is 85% remote users and I am not getting the persistent AMP connections I need, nor for the length of time I need them, to properly manage our computers. I am thinking the best way for us to get the persistent connections we need is to point to our KBOX from a public IP address so that the machines will hit the KBOX whether they are on our NW (VPN) or not.


I'd love some feedback regarding y'alls opinion on Best Practices, any real world experience stories, etc. as I evaluate the best way to make this transition.

We are a 99% Microsoft shop if that plays into anyone's thoughts on the subject.


Answers (5)

Posted by: KRN 12 years ago
Senior Yellow Belt
1

Will Dell Updates and security patches also go via the AMP port? Or would I need to enable SMB traffic to and from the box as well?

Comments:
  • I'm also wondering this. It does seem like SMB would have to be available to pick up files, but I'd much rather see them go through an encrypted connection. - flickerfly 12 years ago
Posted by: airwolf 13 years ago
Red Belt
1
If you want to allow connections whether they are connected out in the wild, you'll have to either port forward 52230 (AMP) to the KBOX (and point clients to the public IP where the KBOX is hosted) or put the KBOX in the DMZ. If you do decide on the DMZ solution, I don't think there are any special precautions you need to take. It is a supported practice. However, I would suggest using SSL. I'd block all ports on the firewall to the KBOX except 443 and 52230. If you use LDAP authentication, then you'll have to allow the KBOX back in to your domain controllers on port 389.

Also, AMP is just the status protocol... you won't get inventory data unless you forward 80/443 traffic to the KBOX as well - if you go with port forwarding. Obviously this doesn't matter if you go with the DMZ solution.
Posted by: dchristian 13 years ago
Red Belt
1
dyehardfan,

I think this article will help.

http://www.kace.com/support/kb/index.php?action=artikel&cat=1&id=589&artlang=en

Make sure you apply SSL.

These 3 ports are gonna be your big ones.

443 - admin port, and client check in
52230 - client heartbeat
636 - LDAPS

Comments:
  • Since the link format added some extra, here's a quick cut & paste version that'll work. http://www.kace.com/support/kb/index.php?action=artikel&cat=1&id=589&artlang=en - flickerfly 12 years ago
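The firewall policy that airwolf's and dchristian's answers describe (only 443 and 52230 exposed to clients, SSL mode on, LDAP from the KBOX back to the domain controllers only), written out as an nftables ruleset. This is an added example, not from the thread or from Quest/KACE; interface names and addresses are placeholders, and the NAT that maps the public IP to the KBOX is not shown.

```nftables
#!/usr/sbin/nft -f
# Added example: DMZ firewall ruleset for a KBOX. Interface names and
# addresses are placeholders (RFC 5737 ranges), not values from the thread.
define wan_if = "eth0"          # Internet-facing interface
define dmz_if = "eth1"          # DMZ segment holding the KBOX
define lan_if = "eth2"          # internal network with the domain controllers
define kbox   = 192.0.2.10      # KBOX address in the DMZ (placeholder)
define dcs    = { 198.51.100.11, 198.51.100.12 }  # domain controllers (placeholder)
define kbox_client_ports = { 443, 52230 }         # HTTPS check-in/admin, AMP heartbeat

table inet kbox_dmz {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Agents on the Internet: only HTTPS and AMP reach the KBOX.
        # Port 80 is deliberately absent because the KBOX runs in SSL mode,
        # and SMB (445) is never opened toward the DMZ from the Internet.
        iifname $wan_if oifname $dmz_if ip daddr $kbox tcp dport $kbox_client_ports accept

        # Internal (VPN/LAN) clients use the same two ports.
        iifname $lan_if oifname $dmz_if ip daddr $kbox tcp dport $kbox_client_ports accept

        # KBOX back into the LAN: LDAPS to the domain controllers only.
        # Use 389 here instead of 636 only if LDAPS is not available.
        iifname $dmz_if oifname $lan_if ip saddr $kbox ip daddr $dcs tcp dport 636 accept

        # Everything else, including any other traffic from the DMZ toward
        # the LAN, falls through to the drop policy and is logged.
        counter log prefix "kbox-dmz-drop " drop
    }
}
```

Load it with `nft -f <file>` on the firewall host; the KBOX's own outbound access for updates is not covered by this fragment.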
Posted by: cblake 13 years ago
Red Belt
0
Note that AMP is also required for other tools like Online Scripts, Patching, and items like force check-in and run-now scripts. If those are important to you (I know they are for dyehardfan) you'll want to allow AMP traffic also. There's an option in the AMP settings to enable SSL for AMP also. Enable this only if your KBOX is already in SSL mode.
Posted by: dyehardfan 13 years ago
Second Degree Blue Belt
0
Thanks guys, this gives me some stuff to chew on. We're trying to decide between going this route or having all users automatically connect to the VPN whenever they hit the internet.