junaid_vengadan
Level 7

Deploying Beacon

Hi All,

We are working on a project where we need to make use of a single DMZ beacon to connect to agents within the DMZ machines as well as publishing the DMZ beacon to internet to gather inventory from roaming systems.

below are the few challenges we have in this setup,

  • The DMZ beacon server and the servers in DMZ are part of a workgroup.
  • There will be a Web Application Firewall (WAF) in between the inventory systems at the internet and the DMZ beacon itself.
  • Customer has a preference to have two URLs for the same beacon , one for internal access and one for external access .
    For Example :  internal DMZ system will connect to beacon via internalbeacon.mydomain.com
    where the external systems will connect to DMZ beacon via  externalbeacon.mydomain.com

We have following concerns 

  1.  Can we use two dns names for the same beacon ?
  2.  Can we bind two URLs to single beacon ?
  3. Is there any better way to achieve this ?

regards,

Junaid Vengadan

This thread has been automatically locked due to inactivity.

To continue the discussion, please start a new thread.

10 Replies
erwinlindemann
Level 8 Champion
Level 8 Champion

Hi Juanid,

Quick feedback:

  • The DMZ beacon server and the servers in DMZ are part of a workgroup.

This will not matter as long as the FNMS Inventory server and the SQL Server used for FNMS are on the same Windows domain. There is no need for a Beacon to be on any Windows Domain. Beacons authenticate to their parent Beacon or to the FNMS Inventory server by configuring a valid FNMS user account for the 'parent connection' on the Beacon.

  • There will be a Web Application Firewall (WAF) in between the inventory systems at the internet and the DMZ beacon itself.

A firewall between a Beacon and the FNMS Inventory server will not be a problem as long as the firewall allows HTTP or HTTPS requests triggered by the Beacon to the Inventory server. For using a proxy server, configuration settings can be configured in the Windows registry on a Beacon.

  • Customer has a preference to have two URLs for the same beacon , one for internal access and one for external access.

You can use more than one DNS name for the same Beacon, and Flexera Agents will be able to use any of the DNS names for uploading their Inventory data.

However, when Flexera agents download the 'policy' that contains information about all Beacons available on the network, each Beacon will be identified by a single DNS name/URL only. The name to be used can be configured using a file named 'BeaconEngine.config' on the Beacon.

The best practice approach would be installing two Beacons within the DMZ: One Beacon for the communication with internal systems, and the other Beacon for communicating with external systems.

As an alternative, you can tweak Flexera agents running on devices within the DMZ for using a static Beacon URL - using the 'internalbeacon.mydomain.com' DNS name in your case - as described in the Gathering FlexNet Inventory documentation. Any roaming system outside of the DNS can use the 'externalbeacon.mydomain.com' DNS name for the Beacon.

However, this requires manual tweaking of the settings on any device inside of the DMZ and is generally is not recommended as a best practice approach.

Hi,

I would like to add 2 things:

  1. You can point as many DNS aliases to the same IP (and therefore Beacon) as you like. You might even give the Beacon multiple IP addresses and/or multiple network interfaces, but that shouln't be necessary.
  2. Regarding the agents "knowing" targets: You could also manually add entries to the Beacon table, e.g. with alternate DNS names. These deatails are used to build the policy and stuff and are ultimately tranferred down to the  agents. I have successfully tested this with IPs as an alternative to DNS.

Best regards,

Markward

Softline Group is Europe's leading independent expert in Software Asset Management.

Hi,

I have the same issue with installing an internet facing beacon, our main concern is how to trust a connection from a agent that is coming via Internet. The problem is that if some one know the beacon server, and have a correctly formatted package, he can poison our database, because every body from internet can send inventory files, and the beacon server will happily take it and process it. The problem is that the beacon server can't check mutually the certificate, to accept only inventory from a trusted source.

May be somebody have some idea how to solve this problem.

Use a VPN 😄

Softline Group is Europe's leading independent expert in Software Asset Management.
0 Kudos

Yes, but the problem is that the user not all the time are connecting to company network via VPN, they are working from home, and the tools do not require a connection to company VPN, so that we are investigating SFTP for example, SFTP support authentication with certificate for example.

Hi

 

As user is working from home & they must be using Client to side VPN like Cisco any connect or Pulse secure/Juniper.

You can discuss with team who is managing VPN firewall , They may allow beacon URL from VPN firewall. This will solve your problem as Agent will not use much bandwidth for sending inventory.

 

So this could not be a problem for Network side.

0 Kudos

I know what you are saying, but in this company they can work from home with no VPN connection to company network, some people can work for months whit out a VPN connection, if  they connect regularly to VPN, then yes this should be a problem.  

0 Kudos

In that case, You can plan move beacon server on DMZ and NAT with public IP & open specfic secure port like 443. So that agent can talk over internet.
0 Kudos

thanks a lot for your feedback @erwinlindemann @mfranz ,

we are working on this , will keep you posted about the process.

 

Regarding the security concerns, i think the WAF\Firewall \ any other gateway level  security device should be configured to check for malwares .

or what about raising an RFE with Flexera products team to enforce malware scan for all incoming files (same as the way FNMS do scanning for uploaded documents)

@mfranz @erwinlindemann @adrian_ritz1  ?

 

Regards,

Junaid Vengadan

 

You may refer this. 

 

The beacon software itself does not have built-in anti-malware/anti-virus functionality. I would suggest relying on commercial anti-malware/anti-virus software to provide this capability.

https://community.flexera.com/t5/FlexNet-Manager-Forum/FNMS-Security-Malware/td-p/95626

0 Kudos