Hey Everyone!
Has anyone here already deployed an Internet publicly available Beacon? I ask because in my trials the policy always updates the beacon location from the internet domain to the internal network/domain location. For example, from beacon.flexera.com.br to beacon.domain.local.
Now, I know that in the cloud version this is perfectly fine, but how do I do it in the on-premises version?
Thanks!!
‎Jan 14, 2020 06:24 AM
For On-Premises customers that require a Beacon that is publicly available from the Internet, they install the Beacon within a DMZ. They then define/allow a path from the Beacon Server into their network back to the Application Server, either directly or through a Parent Beacon.
‎Jan 14, 2020 06:32 AM
Thanks Kclausen!
But a quick question: how do you make the agent connect to the public address of the beacon instead of the internal network one? Every time I change those parameters in the registry, the policy is downloaded and changes them back, making the agents lose the connection with the external beacon.
‎Jan 14, 2020 11:09 AM - edited ‎Jan 14, 2020 11:17 AM
I would make the public address the only one available and block via firewall the ability to connect to HTTP (or HTTPS depending on config - but I'd expect HTTPS in the DMZ). This way it's only accepting connections from folks "outside the office" rather than "in the office".
You will need to configure the "External" DNS entry in the Beacon Config. Instructions for that can be found in our KB here: https://community.flexera.com/t5/FlexNet-Manager-Knowledge-Base/How-to-configure-the-beacon-to-use-a-different-name-or-alias/ta-p/2064
‎Jan 14, 2020 12:05 PM
Hi,
We are trying this configuration method to set up an external beacon like networkname="mybeacon.domain.com". After the new policy is released and the entry on the machines reflects the new networkname in the client's list of upload locations, it appears with http configured on port 80. The beacon is running on Microsoft Azure and the external interface is protected by a WAF which holds the digital certificate, making the site externally available as https://mybeacon.domain.com/ManagesoftDL/, which implies that the server won't have a certificate imported. Any idea how to configure the https entry with these details?
Thanks,
CL
‎Apr 26, 2021 06:29 AM
The problem is the following: as soon as you make your beacon available on the internet, anybody with a little Flexera knowledge can poison your database with data. For example, if I know the FQDN of your beacon, I can create a fake .ndi file, or 100, or 1000 of them, and send them to your beacon server, which will happily accept and process them. This is because at this moment Flexera doesn't have an agent with a secure authentication method.
‎Apr 26, 2021 08:28 AM
Thanks Adrian.
That's controlled by the certificate, which will only be trusted by the machines joined to the client's domain, making communication by an attacker unlikely.
‎Apr 26, 2021 07:25 PM
I have a question. You say that the beacon server will use an internally issued certificate that should be checked by the agents. If the agents are out on the internet, how will they check the internal root CA and CRL? From my point of view, the way to be sure is to use something like mTLS: the beacon should check the certificate of the agent and the agent the certificate of the beacon, which is not supported at the moment.
‎Apr 27, 2021 01:07 AM
Klausen,
Where could I find consolidated instructions to properly harden a Child Beacon Inventory server on the Internet, in a DMZ?
- To enforce security controls at the communication level between the Agent and the Internet Child Beacon Inventory server, up to and including authentication;
- To protect the Internet Child Beacon Inventory server against unauthorized access and malicious access from the Internet, and to only allow communication from the Internet from authorized Agents;
- To harden the Internet Child Beacon Inventory server as much as possible (Windows Server, IIS, …)
Thank you.
‎Apr 28, 2020 12:16 PM
Hi Forum,
I'm also trying to find the best practices for implementing a child beacon in a DMZ, as Jean asked, and need some guidance on this.
Regards,
‎Apr 29, 2020 09:31 AM
‎Aug 21, 2020 12:00 PM