There are various Data Flow Considerations; below, you will find the ones most commonly discussed in the past.
NOTE: Not all Data Flow Considerations are located here, and more are being added often.
Two Way Communication
Since all components communicate with each other, there needs to be two-way communication between each component, especially between the Agent and the Beacon and between the Beacon and the Inventory/Batch server.
Assuming that HTTP/Port 80 is configured, the agent will initiate an HTTP PUT to upload inventory files TO the beacon. This uploads inventory files from the endpoint to the beacon.
To download policies FROM the beacon, the agent will initiate an HTTP GET. This downloads policy files from the beacon to the endpoint.
Therefore, data flows in both directions, even though the Agent initiates all communication.
When secure communication is configured, the agent will initiate HTTPS PUT and HTTPS GET instead.
When configuring the firewall, as long as the firewall is stateful, it is intelligent enough to return the data to the IP that made the original request. So you would only need to submit a firewall request one way.
If you had a stateless firewall, then because communications are technically bi-directional, that type of firewall would refuse the connection back to the source or to the destination, so you would have to open the firewall both ways for agent connectivity to work correctly.
It is a consideration you will have to undertake; whether you use the regular ports of 80 and 443 or non-common ports is up to you. As stated above, you will need to make sure that whatever port you choose is opened in both directions.
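The stateful and stateless cases described above, modelled as a small default-deny packet filter. This is an added example, not Flexera code; the host addresses, the ephemeral ports and all class and function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self) -> "Packet":
        # The packet the other end sends back on the same TCP connection.
        return Packet(self.dst, self.dport, self.src, self.sport)

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    sport: Optional[int] = None   # None matches any port
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.src == p.src and self.dst == p.dst
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))

class Firewall:
    def __init__(self, rules, stateful: bool):
        self.rules, self.stateful = rules, stateful
        self.flows = set()        # connections admitted (consulted only when stateful)

    def allow(self, p: Packet) -> bool:
        if self.stateful and p.reply() in self.flows:
            return True           # return traffic of a tracked connection
        if any(r.matches(p) for r in self.rules):
            self.flows.add(p)
            return True
        return False              # default deny

# Constructed sample hosts; port 80 is the HTTP case from the text.
AGENT, BEACON = "10.0.1.25", "10.0.9.10"
TO_BEACON = Rule(AGENT, BEACON, dport=80)     # the single "one way" request
FROM_BEACON = Rule(BEACON, AGENT, sport=80)   # extra return rule, stateless only

def round_trip(fw: Firewall, sport: int = 50123) -> bool:
    # The agent opens the connection for both the PUT (upload) and the GET (download).
    request = Packet(AGENT, sport, BEACON, 80)
    return fw.allow(request) and fw.allow(request.reply())

def unsolicited(fw: Firewall) -> bool:
    # A packet from the beacon's port 80 that answers no agent request.
    return fw.allow(Packet(BEACON, 80, AGENT, 50999))
```

`round_trip()` succeeds with one rule on the stateful firewall and needs both rules on the stateless one. `unsolicited()` shows the trade-off: the stateless return rule passes any packet sourced from the beacon's port 80, while the stateful firewall passes only replies to connections the agent opened.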
There are various layouts when configuring an FNMS environment:
Multiple Level Beacon
Below is a deep dive into all the Setup Types listed above.
NOTE: All setups listed below cover having Application, Batch, Inventory, and Database Servers.
Single Server Setup
It is the most common setup, requires fewer servers to be configured, and is the easiest to configure. However, since all the components are installed on a single server, this setup requires the most processing power and resources on a single machine. You could change this setup to have the database on a separate server from the FNMS components, which would be more optimal and not that hard to configure.
Two Server Setup
In the Two Server Setup, the batch and inventory components sit on the same server, and the application is on its own. This configuration is the second-easiest way to set up FNMS and probably the most optimal. It requires fewer servers than the three-server setup and is less complicated to set up.
Three Server Setup
As you can see from the image below, each component sits on its own individual server. This setup carries the best performance but can be slightly more complex to set up if not configured correctly during installation.
Multi-level beacon setup
This is where you have multiple beacons in a parent-child setup. This setup is for customers with complex environments that need different beacons in different regions around the world. It can also be used as a sort of load balancing or, in some instances, a DMZ setup.
Setting up a Child Beacon
Setting up a Child Beacon is similar to setting up a Parent Beacon; however, when configuring the beacon from within the FNMS UI, you would select the beacon that it would report to as the Parent Beacon.
Although we cannot tell you what you need to secure your DMZ, we can advise on setting up FNMS. You can take a few approaches; two of them are similar in the steps to configure the beacon. However, what you have set up within your estate will determine which approach to take.
This approach would be to set up a proxy that your users' laptops would access and that would forward to your beacon.