junaid_vengadan
Intrepid explorer

Deploying Beacon

Hi All,

We are working on a project where we need to make use of a single DMZ beacon to connect to agents within the DMZ machines as well as publish the DMZ beacon to the internet to gather inventory from roaming systems.

Below are a few challenges we have in this setup:

  • The DMZ beacon server and the servers in DMZ are part of a workgroup.
  • There will be a Web Application Firewall (WAF) in between the inventory systems at the internet and the DMZ beacon itself.
  • Customer has a preference to have two URLs for the same beacon, one for internal access and one for external access.
    For example: an internal DMZ system will connect to the beacon via internalbeacon.mydomain.com,
    whereas the external systems will connect to the DMZ beacon via externalbeacon.mydomain.com

We have the following concerns:

  1. Can we use two DNS names for the same beacon?
  2. Can we bind two URLs to a single beacon?
  3. Is there any better way to achieve this?

Regards,

Junaid Vengadan

10 Replies
erwinlindemann
Consultant

Re: Deploying Beacon

Hi Junaid,

Quick feedback:

  • The DMZ beacon server and the servers in DMZ are part of a workgroup.

This will not matter as long as the FNMS Inventory server and the SQL Server used for FNMS are on the same Windows domain. There is no need for a Beacon to be on any Windows Domain. Beacons authenticate to their parent Beacon or to the FNMS Inventory server by configuring a valid FNMS user account for the 'parent connection' on the Beacon.

  • There will be a Web Application Firewall (WAF) in between the inventory systems at the internet and the DMZ beacon itself.

A firewall between a Beacon and the FNMS Inventory server will not be a problem as long as the firewall allows HTTP or HTTPS requests triggered by the Beacon to the Inventory server. For using a proxy server, configuration settings can be configured in the Windows registry on a Beacon.

  • Customer has a preference to have two URLs for the same beacon, one for internal access and one for external access.

You can use more than one DNS name for the same Beacon, and Flexera Agents will be able to use any of the DNS names for uploading their Inventory data.

However, when Flexera agents download the 'policy' that contains information about all Beacons available on the network, each Beacon will be identified by a single DNS name/URL only. The name to be used can be configured using a file named 'BeaconEngine.config' on the Beacon.

The best practice approach would be installing two Beacons within the DMZ: One Beacon for the communication with internal systems, and the other Beacon for communicating with external systems.

As an alternative, you can tweak Flexera agents running on devices within the DMZ for using a static Beacon URL - using the 'internalbeacon.mydomain.com' DNS name in your case - as described in the Gathering FlexNet Inventory documentation. Any roaming system outside of the DNS can use the 'externalbeacon.mydomain.com' DNS name for the Beacon.

However, this requires manual tweaking of the settings on any device inside of the DMZ and is generally not recommended as a best practice approach.

mfranz
Shining star

Re: Deploying Beacon

Hi,

I would like to add 2 things:

  1. You can point as many DNS aliases to the same IP (and therefore Beacon) as you like. You might even give the Beacon multiple IP addresses and/or multiple network interfaces, but that shouldn't be necessary.
  2. Regarding the agents "knowing" targets: You could also manually add entries to the Beacon table, e.g. with alternate DNS names. These details are used to build the policy and stuff and are ultimately transferred down to the agents. I have successfully tested this with IPs as an alternative to DNS.

Best regards,

Markward

Softline Group is Europe's leading independent expert in Software Asset Management.
adrian_ritz1
Consultant

Re: Deploying Beacon

Hi,

I have the same issue with installing an internet-facing beacon; our main concern is how to trust a connection from an agent that is coming via the Internet. The problem is that if someone knows the beacon server, and has a correctly formatted package, he can poison our database, because everybody from the internet can send inventory files, and the beacon server will happily take them and process them. The problem is that the beacon server can't mutually check the certificate, to accept only inventory from a trusted source.

Maybe somebody has some idea how to solve this problem.

mfranz
Shining star

Re: Deploying Beacon

Use a VPN 😄
