
Establish communication between 2 different domains where there is no trust relationship

Hi All,

We have a scenario with an FNMS on-prem setup on the xyz domain with 2 Beacons: Beacon 1 is in the xyz domain and the other, Beacon 2, is in a DMZ zone in the wxyz domain, and there is no trust relationship between these domains.

Beacon 2 is unable to download the policies as there is no trust relationship between the xyz and wxyz domains.

I need help in resolving this issue and establishing connectivity between Beacon 2 (wxyz domain) and the FNMS main setup (xyz domain) so that it can download the policies and function normally.

Wondering if anyone has worked on this kind of setup; please suggest.


Regards,

(11) Replies

Hi Winvarma,

In FNMS, there is no need for Beacons to be on the same domain, or even to be on any Windows domain.

A Beacon is trusted by the Inventory server it connects to (or by another Beacon) because in the configuration of the parent connection on your Beacon, you have to enter a user name and its credentials.

To be able to connect to the Inventory server, that user - format typically is domain\user - needs to be configured as an account in FNMS. Preferably, the user should have the FNMS 'Administrator' role assigned.

As long as your Beacon 2 has an account configured that is trusted on the FNMS Inventory server and HTTPS communication can be established from the Beacon to the FNMS inventory server, the Beacon will be able to download the Policy as well as business adapter configuration settings and agent installation packages.


Hi,

Thanks for the inputs. Maybe the subject line is not apt for my issue. The issue is that Beacon 2 is not able to access the inventory server to download the policies even though we supply the required credentials, as it is unable to validate the credentials, even though the account is given an administrator role in FNMS, whereas the same credentials work fine on Beacon 1.

Regards,

Winvarma

Hi,

Why don't you connect Beacon 2 to Beacon 1 as a child beacon? I have such an implementation with a 3-layer beacon setup and it is working.


Hi @adrian_ritz1 ,

Thanks for the inputs. How do we validate whether this is how it was initially set up (child to parent), and where can we verify in the logs whether any child beacons were configured earlier and whether the connectivity is missing now? If that cannot be done, what will be the impact on the parent beacon server if we point Beacon 2 in the DMZ to contact Beacon 1 (network requirements, prerequisites)?


Regards,

Winvarma

Hi,

You can see how the beacons are set up going to WebUI -> Discovery & Inventory -> Beacons.

There you see the beacon infrastructure.

I don't know how to validate the initial setup; also I don't think you will find that information in a log file. Eventually you can ask the person who did the implementation.

Moving beacon 2 from reporting to the app server to reporting to beacon 1, I see no issues; you need, however, to open the flow from beacon 2 to beacon 1. Also keep in mind that beacon communication is always from the beacon up, like beacon 2 -> beacon 1 -> app server, or beacon 2 -> app server, depending on your implementation.

I would proceed in the following way:

Test communication from beacon 2 -> beacon 1 (PowerShell with Test-NetConnection) on port 443; I assume you want to communicate securely.

If communication works, modify beacon 02 in the WebUI to report to beacon 01.

On beacon 02 open the beacon software and modify the parent connection to point to beacon 01.

And if the ports are open it should work.

Also you should check how IIS is configured on beacon 01.

Hi @adrian_ritz1 ,

Thanks for the detailed info. I tried to check the connectivity from Beacon 2 to Beacon 1: it connects via IP address on port 443 but is unable to communicate via FQDN on 443. When I tried to configure the parent connection settings in the beacon manual configuration page, it gives multiple errors at times:

1. The connection to FNMP succeeded, but the server did not respond to the test correctly,

2. 401 error, Unauthorized authentication

Please help.

Regards,

Winvarma

Hi,

To solve the issue where the FQDN is not resolved: this is because DNS is not resolving the FQDN.

You can modify the hosts file on beacon 02 and manually put the FQDN and the corresponding IP address there.

The hosts file should be in C:\Windows\System32\drivers\etc.

Related to the 401 error: it is due to IIS on the app server; if you want to connect to that server, you should probably use a service account that has access there.
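The checks suggested in the two replies above (Test-NetConnection on 443, the hosts-file entry, and telling a 401 apart from a connectivity failure), put together as one script to run on beacon 2. This is an added example, not from the thread, Flexera or any replier; the FQDN and IP are placeholders, the parent is assumed to listen on plain HTTPS/443, and the final request goes to the server root because the thread does not state the beacon's parent URL path.

```powershell
# Added troubleshooting script (not from the original thread or from Flexera).
# Runs on the child beacon (beacon 2). Placeholders below are assumptions:
# replace them with the real parent beacon name and address.
param(
    [string]$ParentFqdn = 'beacon01.xyz.example',   # placeholder, not a real host
    [string]$ParentIp   = '10.0.0.10',              # placeholder
    [int]   $Port       = 443,                      # assumed HTTPS port
    [switch]$FixHosts                               # only write the hosts file when asked
)

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. Name resolution. Resolve-DnsName consults the hosts file first, so a working
#    hosts entry shows up here too; a failure here means DNS and hosts both miss.
try {
    $dns = Resolve-DnsName -Name $ParentFqdn -Type A -ErrorAction Stop
    Write-Host "DNS: $ParentFqdn -> $($dns.IPAddress -join ', ')"
} catch {
    Write-Warning "DNS: $ParentFqdn does not resolve: $($_.Exception.Message)"
}

# 2. TCP reachability by IP and by name. Open by IP but blocked by name means the
#    firewall path is fine and the remaining problem is purely name resolution.
foreach ($target in @($ParentIp, $ParentFqdn)) {
    $tnc = Test-NetConnection -ComputerName $target -Port $Port -WarningAction SilentlyContinue
    $state = if ($tnc.TcpTestSucceeded) { 'open' } else { 'BLOCKED or unresolved' }
    Write-Host ("TCP {0}:{1} -> {2}" -f $target, $Port, $state)
}

# 3. hosts file: show any existing line that mentions the FQDN (commented-out lines
#    included) and add one only with -FixHosts, which needs an elevated shell.
#    The file must stay named "hosts" with no extension; a "hosts.txt" saved by an
#    editor is silently ignored, which is a common reason a manual entry "does not work".
$existing = Select-String -Path $hostsPath -Pattern $ParentFqdn -SimpleMatch
if ($existing) {
    $existing | ForEach-Object { Write-Host "hosts: $($_.Line.Trim())" }
} elseif ($FixHosts) {
    Add-Content -Path $hostsPath -Value ("{0}`t{1}" -f $ParentIp, $ParentFqdn) -Encoding Ascii
    Clear-DnsClientCache
    Write-Host "hosts: added $ParentIp $ParentFqdn"
} else {
    Write-Host "hosts: no entry for $ParentFqdn (rerun with -FixHosts to add one)"
}

# 4. HTTP layer: an unauthenticated GET to the parent. A 401 here proves the name,
#    TCP and TLS path all work and what is left is IIS authentication on the parent,
#    i.e. the account used in the parent connection; a TLS or timeout error instead
#    points back at name/certificate or firewall problems.
try {
    $resp = Invoke-WebRequest -Uri ("https://{0}:{1}/" -f $ParentFqdn, $Port) -UseBasicParsing -ErrorAction Stop
    Write-Host "HTTPS: $([int]$resp.StatusCode)"
} catch {
    $r = $_.Exception.Response
    if ($r) { Write-Host "HTTPS: $([int]$r.StatusCode) (401 = reachable, credentials rejected)" }
    else    { Write-Warning "HTTPS: $($_.Exception.Message)" }
}
```

Run it once without `-FixHosts` to see which of the four layers fails, and only then rerun elevated with `-FixHosts` if step 1 is the culprit; if step 4 already returns 401 by FQDN, the fix belongs on the parent's IIS authentication and the FNMS account, not on the network.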

Hi @adrian_ritz1 ,

Tried that as well and spoke to the Wintel support team; somehow the FQDN is not getting resolved even though it has been added to the hosts file manually.


Regards,

Winvarma

Hi Forum,

Any other thoughts/Suggestions/Guidance on this issue?


Regards,

Winvarma

@winvarma 

If you still haven't got this issue resolved I would suggest you raise a support case to get assistance troubleshooting the issue.

Thanks,

Hi @JohnSorensenDK,

Appreciate your inputs; I already raised a service request and it's been 40 days.


Regards,

winvarma