Frank07
Active participant

How to connect to beacon(s) from Flexera agent two ways via secure access and via internet

Sometimes it takes days, weeks or months before a client device (laptop) is able to send its inventory, because it needs to be connected to the internet and have access to a beacon.

In most cases the user is connecting through a secure access application from home towards his office environment in the client network. The beacon is also placed in the client network, so office users can reach the beacon and also home users via the secure connection.

But there are also users who do not connect via secure access to the office environment if it is not needed for their work. This means these devices cannot send it towards the beacon in the client network.

I want to solve this and I'm thinking about setting up a second beacon in the DMZ which is reachable via internet access and via a firewall it is connected to the beacon in the client network or the FNMS servers in the server network.

Any idea how it works or how you have solved this?

Thanks in advance for your replies.

Frank07

8 Replies
mfranz
Trusted advisor

Hi Frank,

You need to limit external access to this DMZ Beacon somehow (a firewall, specific external IPs that will access, specific ports). Without that, I really wouldn't open a Windows machine to the internet. Consider using a reverse proxy. If anything, run this only via SSL.

Have you thought about alternatives? Are these clients managed somehow? Can you deploy scripts to them?

Best regards,

Markward

Softline Group is Europe's leading independent expert in Software Asset Management.
Frank07
Active participant

Hello Markward,

Yes, the clients are managed remotely, like installing new software, updates, etc.

When working at home it is not really needed to set up a secure connection to the work environment if you don't have to access specific applications you need or files on file servers in the network. I.e. webmail, community flexera or other applications can be reachable via internet and do not need a secure connection to be made first.

Because of this situation I'm looking for a solution for the wish I have mentioned in my post. This is to always have an inventory of these devices.

I don't know if my described solution via DMZ is the solution. I hope some of you have experience in this and have a best practice solution.

In the meantime I'll ask my technician about your suggestion of reverse proxy / SSL.

Best regards, Frank07

Hi, 

Did you manage to solve the case? In my organization we have a similar situation and we are trying to set up a solution for this.

Any suggestions? Lessons learned? 

KR
Justyna

We are working on the same thing. 

Erick Hacking, CSAM, CHAMP
IT Software Asset Manager, Lead Sr.
stefange
Active participant

Hi Frank,

I agree with Markward, we implemented several customer beacons with an interface facing the internet using a reverse proxy. The reverse proxy forwards all the traffic regarding the agents to the beacon behind it. You may place restrictions on the reverse proxy or even do SSL offloading. Some customers have configured a DNS record which points to the internal address of the beacon when located on the internal network and points to the external (reverse proxy) address when located outside the network.

Stefan
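
The split DNS setup described in the post above can be checked from both sides. The following is an added example, not code from this thread or from Flexera: it compares the answers the internal and external DNS views give for the beacon alias and flags an internal address published externally. The function names, finding codes, the list of ranges treated as internal and the sample addresses are assumptions made for the illustration.

```python
import ipaddress
import socket

# Ranges treated as "internal" (assumption): RFC 1918, loopback, link-local, IPv6 ULA.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

def resolve_current_view(hostname, port=443):
    """Addresses returned by the resolver this machine is using right now."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def classify(addresses):
    """Return 'internal', 'external', 'mixed' or 'empty' for one DNS answer."""
    kinds = set()
    for text in addresses:
        addr = ipaddress.ip_address(text)
        inside = any(addr in net for net in INTERNAL_NETS)
        kinds.add("internal" if inside else "external")
    if not kinds:
        return "empty"
    return kinds.pop() if len(kinds) == 1 else "mixed"

def audit_split_horizon(internal_answer, external_answer):
    """Compare both DNS views of the beacon alias; return (code, detail) findings."""
    findings = []
    inside, outside = classify(internal_answer), classify(external_answer)
    if outside == "empty":
        findings.append(("EXT_NO_ANSWER", "alias does not resolve off-network"))
    elif outside != "external":
        findings.append(("EXT_LEAKS_INTERNAL",
                         "public DNS returns an internal address"))
    if inside == "empty":
        findings.append(("INT_NO_ANSWER", "alias does not resolve in the office"))
    elif inside != "internal":
        findings.append(("INT_USES_PROXY",
                         "office agents are sent through the reverse proxy"))
    if set(internal_answer) & set(external_answer):
        findings.append(("NO_SPLIT", "both views return the same address"))
    return findings

# Constructed sample answers (documentation and RFC 1918 addresses).
GOOD = audit_split_horizon(["10.20.30.40"], ["203.0.113.10"])
LEAKY = audit_split_horizon(["10.20.30.40"], ["10.20.30.40"])
```

Run `resolve_current_view()` with the beacon alias once on the office network and once on an outside connection, then pass the two results to `audit_split_horizon()`.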

jeff_ziegler
Occasional contributor

How does this look to the agents and FNMS configuration? Does it appear as two different beacons?

Hi,

I guess it depends on what you want to achieve. The official way (https://community.flexera.com/t5/FlexNet-Manager-Knowledge-Base/How-to-enable-Beacon-Reverse-Proxy-S...) would leave only one entry for this beacon in the Beacon_MT table resulting in the agents only knowing this.

You *could* add a 2nd entry to the table manually, let's say if you wanted the beacon to be reachable via an internal name AND an external IP address.

Best regards,

Markward

Hi Jeff, if you are allowed to use the same beacon for internal and external (via reverse proxy), you only need one beacon running IIS on the alias. Please note, not all environments support different DNS records for internal and external use.

Stefan