This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject

A new Flexera Community experience is coming on November 25th. Click here for more information.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Deploying Beacon

emtmeta
By
Level 7

Hi All,

We are working on a project where we need to make use of a single DMZ beacon to connect to agents within the DMZ machines as well as publishing the DMZ beacon to internet to gather inventory from roaming systems.

below are the few challenges we have in this setup,

  • The DMZ beacon server and the servers in DMZ are part of a workgroup.
  • There will be a Web Application Firewall (WAF) in between the inventory systems at the internet and the DMZ beacon itself.
  • Customer has a preference to have two URLs for the same beacon , one for internal access and one for external access .
    For Example :  internal DMZ system will connect to beacon via internalbeacon.mydomain.com
    where the external systems will connect to DMZ beacon via  externalbeacon.mydomain.com

We have following concerns 

  1.  Can we use two dns names for the same beacon ?
  2.  Can we bind two URLs to single beacon ?
  3. Is there any better way to achieve this ?

regards,

Junaid Vengadan

‎Feb 14, 2021 08:23 AM

(10) Replies

erwinlindemann
By Level 9 Champion
Level 9 Champion

Hi Juanid,

Quick feedback:

  • The DMZ beacon server and the servers in DMZ are part of a workgroup.

This will not matter as long as the FNMS Inventory server and the SQL Server used for FNMS are on the same Windows domain. There is no need for a Beacon to be on any Windows Domain. Beacons authenticate to their parent Beacon or to the FNMS Inventory server by configuring a valid FNMS user account for the 'parent connection' on the Beacon.

  • There will be a Web Application Firewall (WAF) in between the inventory systems at the internet and the DMZ beacon itself.

A firewall between a Beacon and the FNMS Inventory server will not be a problem as long as the firewall allows HTTP or HTTPS requests triggered by the Beacon to the Inventory server. For using a proxy server, configuration settings can be configured in the Windows registry on a Beacon.

  • Customer has a preference to have two URLs for the same beacon , one for internal access and one for external access.

You can use more than one DNS name for the same Beacon, and Flexera Agents will be able to use any of the DNS names for uploading their Inventory data.

However, when Flexera agents download the 'policy' that contains information about all Beacons available on the network, each Beacon will be identified by a single DNS name/URL only. The name to be used can be configured using a file named 'BeaconEngine.config' on the Beacon.

The best practice approach would be installing two Beacons within the DMZ: One Beacon for the communication with internal systems, and the other Beacon for communicating with external systems.

As an alternative, you can tweak Flexera agents running on devices within the DMZ for using a static Beacon URL - using the 'internalbeacon.mydomain.com' DNS name in your case - as described in the Gathering FlexNet Inventory documentation. Any roaming system outside of the DNS can use the 'externalbeacon.mydomain.com' DNS name for the Beacon.

However, this requires manual tweaking of the settings on any device inside of the DMZ and is generally is not recommended as a best practice approach.

‎Feb 14, 2021 03:12 PM - edited ‎Feb 14, 2021 03:13 PM

mfranz
By Level 17 Champion
Level 17 Champion
In response to erwinlindemann

Hi,

I would like to add 2 things:

  1. You can point as many DNS aliases to the same IP (and therefore Beacon) as you like. You might even give the Beacon multiple IP addresses and/or multiple network interfaces, but that shouln't be necessary.
  2. Regarding the agents "knowing" targets: You could also manually add entries to the Beacon table, e.g. with alternate DNS names. These deatails are used to build the policy and stuff and are ultimately tranferred down to the  agents. I have successfully tested this with IPs as an alternative to DNS.

Best regards,

Markward

‎Feb 15, 2021 02:14 AM - edited ‎Feb 15, 2021 02:18 AM

adrian_ritz1
By
Level 10
In response to mfranz

Hi,

I have the same issue with installing an internet facing beacon, our main concern is how to trust a connection from a agent that is coming via Internet. The problem is that if some one know the beacon server, and have a correctly formatted package, he can poison our database, because every body from internet can send inventory files, and the beacon server will happily take it and process it. The problem is that the beacon server can't check mutually the certificate, to accept only inventory from a trusted source.

May be somebody have some idea how to solve this problem.

‎Feb 18, 2021 12:52 PM

mfranz
By Level 17 Champion
Level 17 Champion
In response to adrian_ritz1

Use a VPN 😄

‎Feb 19, 2021 01:18 AM

0 Kudos

adrian_ritz1
By
Level 10
In response to mfranz

Yes, but the problem is that the user not all the time are connecting to company network via VPN, they are working from home, and the tools do not require a connection to company VPN, so that we are investigating SFTP for example, SFTP support authentication with certificate for example.

‎Feb 19, 2021 03:47 AM

durgeshsingh
By
Level 10
In response to adrian_ritz1

Hi

 

As user is working from home & they must be using Client to side VPN like Cisco any connect or Pulse secure/Juniper.

You can discuss with team who is managing VPN firewall , They may allow beacon URL from VPN firewall. This will solve your problem as Agent will not use much bandwidth for sending inventory.

 

So this could not be a problem for Network side.

‎Feb 19, 2021 03:57 AM

0 Kudos

adrian_ritz1
By
Level 10
In response to durgeshsingh

I know what you are saying, but in this company they can work from home with no VPN connection to company network, some people can work for months whit out a VPN connection, if  they connect regularly to VPN, then yes this should be a problem.  

‎Feb 19, 2021 04:47 AM

0 Kudos

durgeshsingh
By
Level 10
In response to adrian_ritz1
In that case, You can plan move beacon server on DMZ and NAT with public IP & open specfic secure port like 443. So that agent can talk over internet.

‎Feb 19, 2021 05:11 AM

0 Kudos

emtmeta
By
Level 7
In response to erwinlindemann

thanks a lot for your feedback @erwinlindemann @mfranz ,

we are working on this , will keep you posted about the process.

 

Regarding the security concerns, i think the WAF\Firewall \ any other gateway level  security device should be configured to check for malwares .

or what about raising an RFE with Flexera products team to enforce malware scan for all incoming files (same as the way FNMS do scanning for uploaded documents)

@mfranz @erwinlindemann @adrian_ritz1  ?

 

Regards,

Junaid Vengadan

 

‎Feb 21, 2021 03:29 AM

durgeshsingh
By
Level 10
In response to emtmeta

You may refer this. 

 

The beacon software itself does not have built-in anti-malware/anti-virus functionality. I would suggest relying on commercial anti-malware/anti-virus software to provide this capability.

https://community.flexera.com/t5/FlexNet-Manager-Forum/FNMS-Security-Malware/td-p/95626

‎Feb 21, 2021 05:48 AM

0 Kudos