The Community is now in read-only mode to prepare for the launch of the new Flexera Community. During this time, you will be unable to register, log in, or access customer resources. Click here for more information.
Do customers ever deploy App Broker within their DMZ's? Would that be recommended or even possible certain scenarios? Is there any documentation around how to do so?
Sep 09, 2020 11:53 AM
Unfortunately, there must be at least a one-way trust in place between the domain where App Broker resides and the domain where SCCM resides. The App Broker service account must be trusted by the SCCM environment for the integration to work. I just hit this not long ago with another customer, and they ended up rebuilding their App Broker server in the same domain as SCCM.
Oct 26, 2020 11:35 AM
There is no specific documentation on how to do so, but it's certainly possible. For what it's worth, I believe we do have some customers that are hosting App Broker in AWS/Azure, which would present similar challenges/concerns. Some things you would want to take into account are:
Depending on your situation, a potentially better approach may be to have an edge device in the DMZ that can reverse proxy requests into your App Broker server that resides on the intranet.
Sep 21, 2020 01:00 PM
Thank you Jim this is helpful. The specific situation I was asking about is no longer a concern as they decided not to deploy in a DMZ, but I have another situation that came up that is similar that I wanted to run by you as well - a different customer has AB deployed and wants to connect the dev AB instance to their dev SCCM which resides in a DMZ. We tried just installing the web service and setting up the connection like we normally would just to see what would happen and it doesn't connect because there isn't any trust built between the two. I'm wondering what the best way to deal with this would be - we could perhaps set up an edge/proxy device like you mentioned in your previous response that could facilitate the communication between the two systems? Or maybe just setting up a local account in the DMZ with the same permissions as the domain, AB service account would do it? Any advice here would be appreciated!
Oct 22, 2020 09:19 AM
Unfortunately, there must be at least a one-way trust in place between the domain where App Broker resides and the domain where SCCM resides. The App Broker service account must be trusted by the SCCM environment for the integration to work. I just hit this not long ago with another customer, and they ended up rebuilding their App Broker server in the same domain as SCCM.
Oct 26, 2020 11:35 AM