/build/static/layout/Breadcrumb_cap_w.png

KBOX in the DMZ: Best Practices

I know from conversations at the Konference that a lot of admins have experience placing their KBOX in the DMZ to help support remote users. The business I work for is 85% remote users and I am not getting the persistent AMP connections I need, nor for the length of time I need them, to properly manage our computers. I am thinking the best way for us to get the persistent connections we need is to point to our KBOX from a public IP address so that the machines will hit the kbox whether they are on our NW (VPN) or not.


I'd love some feedback regarding y'alls opinion on Best Practices, any real world experience stories, etc. as I evaluate the best way to make this transition.

We are a 99% Microsoft shop if that plays into anyone's thoughts on the subject.

0 Comments   [ + ] Show comments

Answers (5)

Posted by: KRN 12 years ago
Senior Yellow Belt
1

Will Dell Updates and security patches also go via the AMP port? Or would I need to enable SMB traffic to and from the box as well?

 


Comments:
  • I'm also wondering this. It does seem like SMB would have to be available to pick up files, but I'd much rather see them go through an encrypted connection. - flickerfly 12 years ago
Posted by: airwolf 14 years ago
Red Belt
1
If you want to allow connections whether they are connected out in the wild, you'll have to either port forward 52230 (AMP) to the KBOX (and point clients to the public IP where the KBOX is hosted) or put the KBOX in the DMZ. If you do decide on the DMZ solution, I don't think there are any special precautions you need to take. It is a supported practice. However, I would suggest using SSL. I'd block all ports on the firewall to the KBOX except 443 and 52230. If you use LDAP authentication, then you'll have to allow the KBOX back in to your domain controllers on port 389.

Also, AMP is just the status protocol... you won't get inventory data unless you forward 80/443 traffic to the KBOX as well - if you go with port forwarding. Obviously this doesn't matter if you go with the DMZ solution.
Posted by: dchristian 14 years ago
Red Belt
1
dyehardfan,

I think this article will help.

[link]http://www.kace.com/support/kb/index.php?action=artikel&cat=1&id=589&artlang=en[/link]

Make sure you apply ssl.

These 3 ports are gonna be your big ones.

443 - admin port, and client check in
52230 - client heartbeat
636 - LDAPS

Comments:
  • Since the link format added some extra, here's a quick cut & paste version that'll work. http://www.kace.com/support/kb/index.php?action=artikel&cat=1&id=589&artlang=en - flickerfly 12 years ago
Posted by: cblake 14 years ago
Red Belt
0
Note that AMP is also required for other tools like Online Scripts, Patching, and items like force check-in and run-now scripts. If those are important to you (I know they are for dyehardfan) you'll want to allow AMP traffic also. There's an option in the AMP settings to enable SSL for AMP also. Enable this only if your KBOX is already in SSL mode.
Posted by: dyehardfan 14 years ago
Second Degree Blue Belt
0
Thanks guys, this gives me some stuff to chew on. We're trying to decide between going this route or having all users automatically connect to the VPN whenever they hit the internet.
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login

Share

 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ