cancel
Showing results forĀ 
ShowĀ Ā onlyĀ  | Search instead forĀ 
Did you mean:Ā 

Internet Public Available Beacon?

Hey Everyone!

Anyone here already deployed an Internet Public Available Beacon? I ask this as on my trials the policy always update the beacon location from the internet domain to the internal network/domain location. For example: (From beacon.flexera.com.br to beacon.domain.local).

Now, I know that in the cloud version this is perfect fine, but how to do it in the on-premise version?

Thanks!!

(1) Solution

I would make the public address the only one available and block via firewall the ability to connect to HTTP (or HTTPS depending on config - but I'd expect HTTPS in the DMZ). This way it's only accepting connections from folks "outside the office" rather than "in the office". 

You will need to configure the "External" DNS entry in the Beacon Config. Instructions for that can be found in our KB here: https://community.flexera.com/t5/FlexNet-Manager-Knowledge-Base/How-to-configure-the-beacon-to-use-a-different-name-or-alias/ta-p/2064

View solution in original post

(10) Replies

For On-Premises customers that require a Beacon that is publicly available from the Internet, they install the Beacon within a DMZ.  They then define/allow a path from the Beacon Server into their network back to the Application Server, either directly or through a Parent Beacon.

Thanks Kclausen!

But a quick question. How do you make the agent connect to the public address of the beacon instead of the internal network one. Every time I change that parameters in the registry, the policy is downloaded and it changes it back making the agents lose the connection with the external beacon.

I would make the public address the only one available and block via firewall the ability to connect to HTTP (or HTTPS depending on config - but I'd expect HTTPS in the DMZ). This way it's only accepting connections from folks "outside the office" rather than "in the office". 

You will need to configure the "External" DNS entry in the Beacon Config. Instructions for that can be found in our KB here: https://community.flexera.com/t5/FlexNet-Manager-Knowledge-Base/How-to-configure-the-beacon-to-use-a-different-name-or-alias/ta-p/2064

Hi,

We are trying this configuration method to setup an external beacon like networkname="mybeacon.domain.com", after the new policy is released and the entry on the machines reflects the new networkname on the client's list of upload locations, it appears with http configured on port 80. The beacon is running on Microsoft Azure and the external interface is protected by a WAF which holds the Digital Certificate making the site externally available as https://mybeacon.domain.com/ManagesoftDL/ , that implies that the server won't have a certificate imported. Any idea in how to configure the https entry with these details?

Thanks,

CL 

The problem is the following, as soon as you made your beacon available on internet, any body with a little flexera knowledge can poison your database with data. For example, if I know your FQDN of the beacon, I can create a fake .ndi file, or 100, or 1000 of them and send it to your beacon server, which will happily accept it and process it, this is because at this moment Flexera don't have an agent with a secure authentication method.

 

Thanks Adrian. 

That's controlled by the certificate which will only be trusted by the machines joined to the client's domain, make the communication of an attacker unlikely. 

I have some question, you say that the beacon server will use an internal issued certificate that should be checked by the agents. If the agents are out on internet, how will they check the internal RootCA and CRL? From my point of view to be sure, is to use something like mTLS, the beacon should be check certificate of the agent and the agent the certificate of the beacon, which is now not supported.

Klausen,

Where I could find consolidated instructions to well harden a Child Beacon Inventory server at the Internet, in a DMZ?

- To enforce any security controls at the communication level between the Agent and the Internet Child Beacon Inventory server, up to involve an authentication;

- To protect the Internet Child Beacon Inventory server again unauthorized access, malicious access from the Internet, to only allow from the Internet communication from authorized Agent.

- To harden at the maximum the Internet Child Beacon Inventory server (Windows Server, IIS, ā€¦)

Thank you.

hi Forum,

I'm also trying to find the best practices for implementing a child beacon in DMZ as Jean asked and need some guidance on this.

 

Regards,

Any solution suggested by Flexera?