Sometimes it takes a days weeks or months when a client device (laptop) is able to send his inventory because it needs to be connected to internet and have access to a beacon.
In most of the cases the user is connecting through a secure access application from home towards his office environment in the client network. The beacon is also placed in the client network so office users can reach the the beacon and also home users via the secure connection.
But the are also users who not connect via secure access to office environment if it is not needed for their work. This means these devices cannot send it towards the beacon in client network.
I want to solve this and I'm thinking about setting up a second beacon in the DMZ which is reachable via internet access and via a firewall it is connected to the beacon in the client network or the FNMS servers in the server network.
Any idea how it works or how you have solved this ?
Thanks in advance for your replies.
Frank07
‎Apr 29, 2020 04:35 AM
Hi Frank,
You need to limit external access to this DMZ Beacon somehow (a firewall, specific external IPs that will access, specific ports). Without that, I really wouldn't open a Windows machine to the internet. Consider using a reverse proxy. If anything, run this only via SSL.
Have you thought about alternatives? Are these clients managed somehow? Can you deploy scripts to them?
Best regards,
Markward
‎Apr 29, 2020 07:03 AM
Hello Markward,
Yes the clients are managed remote like installing new software, updates, etc.
When working at home it is not really needed to setup a secure connection to the work environment if you don't have to access specific application you need or files on file-servers in the network. I.e webmail, community flexera or other applications can be reachable via internet and do not have the need to make first a secure connection.
Because of this situation I'm looking for a solution for the wish I have mentioned in my post. This to have always an inventory of these devices.
i don't know if my described solution via DMS is the solution. I hope some of you have experience in this and have a best practice solution.
In the mean time I'll ask my technician about your suggestion reverse proxy / SSL.
Best regards, Frank07
‎Apr 30, 2020 03:44 AM
Hi,
did you manage to solve the case? In my organization we have similar situation and we are trying to set up a solution for this.
Any suggestions? Lessons learned?
KR
Justyna
‎Nov 25, 2020 02:27 AM
We are working on the same thing.
‎Nov 25, 2020 08:21 AM
Hi Frank,
I agree with Markward, we implemented several customer beacons with a interface facing the internet using a reverse proxy. The reverse proxy forwards all the traffic regarding the agents to the beacon behind it. You may place restrictions on the Reverse proxy or even do SSL offloading. Some customers have configured a DNS record which points to the internal address of the beacon when located on the internal network and point to the external (reverse proxy) address when located outside the network.
Stefan
‎Nov 25, 2020 09:23 AM
How does this look to the agents and FNMS configuration? Does it appear as two different beacons?
‎Nov 30, 2020 07:52 AM
Hi,
I guess it depends on what you want to achieve. The official way (https://community.flexera.com/t5/FlexNet-Manager-Knowledge-Base/How-to-enable-Beacon-Reverse-Proxy-Setup/ta-p/152864) would leave only one entry for this beacon in the Beacon_MT table resulting in the agents only knowing this.
You *could* add a 2nd entry to the table manually, let's say if you wanted the beacon to be reachable via an internal name AND an external IP address.
Best regards,
Markward
‎Nov 30, 2020 08:19 AM
‎Nov 30, 2020 08:20 AM