Do customers ever deploy App Broker within their DMZs? Would that be recommended or even possible in certain scenarios? Is there any documentation around how to do so?
‎Sep 09, 2020 11:53 AM
There is no specific documentation on how to do so, but it's certainly possible. For what it's worth, I believe we do have some customers that are hosting App Broker in AWS/Azure, which would present similar challenges/concerns. Some things you would want to take into account are:
Depending on your situation, a potentially better approach may be to have an edge device in the DMZ that can reverse proxy requests into your App Broker server that resides on the intranet.
‎Sep 21, 2020 01:00 PM
Thank you, Jim, this is helpful. The specific situation I was asking about is no longer a concern as they decided not to deploy in a DMZ, but I have another, similar situation that came up that I wanted to run by you as well: a different customer has AB deployed and wants to connect the dev AB instance to their dev SCCM, which resides in a DMZ. We tried just installing the web service and setting up the connection like we normally would, just to see what would happen, and it doesn't connect because there isn't any trust built between the two. I'm wondering what the best way to deal with this would be. Could we perhaps set up an edge/proxy device like you mentioned in your previous response that could facilitate the communication between the two systems? Or maybe just setting up a local account in the DMZ with the same permissions as the domain AB service account would do it? Any advice here would be appreciated!
‎Oct 22, 2020 09:19 AM
Unfortunately, there must be at least a one-way trust in place between the domain where App Broker resides and the domain where SCCM resides. The App Broker service account must be trusted by the SCCM environment for the integration to work. I just hit this not long ago with another customer, and they ended up rebuilding their App Broker server in the same domain as SCCM.
‎Oct 26, 2020 11:35 AM