We are working on a project where we need to make use of a single DMZ beacon to connect to agents within the DMZ machines, as well as publish the DMZ beacon to the internet to gather inventory from roaming systems.
Below are the few challenges we have in this setup.
We have the following concerns:
Feb 14, 2021 08:23 AM
This will not matter as long as the FNMS Inventory server and the SQL Server used for FNMS are on the same Windows domain. There is no need for a Beacon to be on any Windows Domain. Beacons authenticate to their parent Beacon or to the FNMS Inventory server by configuring a valid FNMS user account for the 'parent connection' on the Beacon.
A firewall between a Beacon and the FNMS Inventory server will not be a problem as long as the firewall allows HTTP or HTTPS requests triggered by the Beacon to the Inventory server. For using a proxy server, configuration settings can be configured in the Windows registry on a Beacon.
You can use more than one DNS name for the same Beacon, and Flexera Agents will be able to use any of the DNS names for uploading their Inventory data.
However, when Flexera agents download the 'policy' that contains information about all Beacons available on the network, each Beacon will be identified by a single DNS name/URL only. The name to be used can be configured using a file named 'BeaconEngine.config' on the Beacon.
The best practice approach would be installing two Beacons within the DMZ: One Beacon for the communication with internal systems, and the other Beacon for communicating with external systems.
As an alternative, you can tweak Flexera agents running on devices within the DMZ for using a static Beacon URL - using the 'internalbeacon.mydomain.com' DNS name in your case - as described in the Gathering FlexNet Inventory documentation. Any roaming system outside of the DNS can use the 'externalbeacon.mydomain.com' DNS name for the Beacon.
However, this requires manual tweaking of the settings on any device inside of the DMZ and is generally not recommended as a best practice approach.
Feb 14, 2021 03:12 PM - edited Feb 14, 2021 03:13 PM
I would like to add 2 things:
Feb 15, 2021 02:14 AM - edited Feb 15, 2021 02:18 AM
I have the same issue with installing an internet-facing beacon; our main concern is how to trust a connection from an agent that is coming via the Internet. The problem is that if someone knows the beacon server and has a correctly formatted package, he can poison our database, because everybody from the internet can send inventory files, and the beacon server will happily take them and process them. The problem is that the beacon server can't mutually check the certificate to accept inventory only from a trusted source.
Maybe somebody has some idea how to solve this problem.
Feb 18, 2021 12:52 PM
Yes, but the problem is that the users are not always connecting to the company network via VPN; they are working from home, and the tools do not require a connection to the company VPN, so we are investigating SFTP, for example, since SFTP supports authentication with certificates.
Feb 19, 2021 03:47 AM
As users are working from home, they must be using a client-to-site VPN like Cisco AnyConnect or Pulse Secure/Juniper.
You can discuss with the team who is managing the VPN firewall; they may allow the beacon URL from the VPN firewall. This will solve your problem, as the Agent will not use much bandwidth for sending inventory.
So this could not be a problem on the network side.
Feb 19, 2021 03:57 AM
I know what you are saying, but in this company they can work from home with no VPN connection to the company network; some people can work for months without a VPN connection. If they connected regularly to VPN, then yes, this should be a problem.
Feb 19, 2021 04:47 AM
Regarding the security concerns, I think the WAF/firewall/any other gateway-level security device should be configured to check for malware.
Or what about raising an RFE with the Flexera products team to enforce a malware scan for all incoming files (the same way FNMS does scanning for uploaded documents)?
Feb 21, 2021 03:29 AM
You may refer to this.
The beacon software itself does not have built-in anti-malware/anti-virus functionality. I would suggest relying on commercial anti-malware/anti-virus software to provide this capability.
Feb 21, 2021 05:48 AM