Beacon servers on the internet
Our business will be implementing an FNMS solution shortly. One question that came up though was having the beacon server publicly accessible - that way even devices not on our network/VPN would be able to report back.
It was asked what security there was to ensure that nobody could upload random data to our beacon. The consultant said it would only accept information from computers that were already in our Active Directory. Is this accurate?
We are planning on integrating it with our Active Directory, but it was difficult for me to find information regarding security measures for publicly accessible beacon servers. There were a few forum posts, but it seemed like there was nothing specific.
If it does only accept computers from our Active Directory how can it tell? By the name or some other property? Thanks.
Using a certificate-based authentication (mTLS) between FlexNet inventory agents and beacons like @adrian_ritz1 suggested is a good option.
Another option is to have the FlexNet inventory agent authenticate to Internet-accessible beacons using a username & password. However, managing the credentials involved in this sort of configuration can be operationally difficult, particularly if/when you want to update a password.
I took the liberty of checking in with the consultant you have been working with, and I think there may have been a little misunderstanding around the idea that "[FNMS] would only accept information from computers that were already in our Active Directory". FNMS won't restrict information it accepts in this way. However, if an inventory device record created in FNMS based on data gathered by the FlexNet agent is associated with an Active Directory computer record, then the inventory device record will be deleted when the Active Directory computer record is deleted or disabled.
Assuming FNMS on-prem, one might change the ManageSoft inventory adapter to join the inventory to AD data and avoid importing inventory without an AD counterpart. While this would not prevent anyone from uploading stuff to the beacon, it would prevent this data from being imported into FNMSCompliance.
Or, perhaps, disabling direct import at the inventory server and using a PowerShell script to filter stuff. Then import.
If the Beacon is located within the network, then you have the option to map the Beacon FQDN to an alias name in DNS.
The SSL certificate should be created for this FQDN and alias name and then bound in IIS.
This Beacon IP should be NATed to the public IP with port 443 open. Through this port the agent will upload the data to the Beacon.
I already did this scenario for salespersons' devices; these people work out of the office over the internet. It's working fine for me.
While installing the agent, the Upload URL needs to be given as the alias name.
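The certificate/IIS binding step described above, as an added PowerShell example that is not from the original post or from Flexera: it binds a certificate issued for the DNS alias to the beacon's IIS site on 443 and then checks, from the agent's side, that the alias resolves, the port is reachable and the expected certificate is the one presented. The site name "Default Web Site" and the alias beacon.example.com are assumptions/placeholders.

```powershell
# Added example (not part of the original post). Assumes the beacon is hosted on
# "Default Web Site" and that a certificate covering the alias is already in LocalMachine\My.
Import-Module WebAdministration

$SiteName  = 'Default Web Site'      # assumed IIS site hosting the beacon
$AliasFqdn = 'beacon.example.com'    # placeholder: the alias agents get as their Upload URL

# Select the certificate issued for the alias; fail rather than bind the wrong one.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { ($_.DnsNameList.Unicode -contains $AliasFqdn -or $_.Subject -like "CN=$AliasFqdn*") -and
                   $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate for $AliasFqdn found in LocalMachine\My" }

# Create the 443 binding with the alias as host header and SNI enabled (SslFlags 1), then attach the cert.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -HostHeader $AliasFqdn)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*' -HostHeader $AliasFqdn -SslFlags 1
}
$binding = Get-WebBinding -Name $SiteName -Protocol https -HostHeader $AliasFqdn
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Verify what an agent on the internet would see: DNS alias resolves, TCP 443 reachable,
# and the presented certificate is the one selected above (catches NAT/cert mismatches early).
Resolve-DnsName $AliasFqdn -ErrorAction Stop | Out-Null
if (-not (Test-NetConnection $AliasFqdn -Port 443 -InformationLevel Quiet)) {
    throw "TCP 443 to $AliasFqdn is not reachable (check NAT/firewall rule)"
}
$tcp = New-Object System.Net.Sockets.TcpClient($AliasFqdn, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($AliasFqdn)   # also validates the chain and host name like the agent would
    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    if ($remote.Thumbprint -ne $cert.Thumbprint) {
        throw "Presented certificate $($remote.Thumbprint) does not match expected $($cert.Thumbprint)"
    }
    "HTTPS binding for $AliasFqdn verified (thumbprint $($cert.Thumbprint))"
}
finally {
    $ssl.Dispose(); $tcp.Dispose()
}
```

Run it on the beacon after the DNS alias and NAT rule are in place; run the verification part again from an external host to confirm the public path end to end.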