The Community is now in read-only mode to prepare for the launch of the new Flexera Community. During this time, you will be unable to register, log in, or access customer resources. Click here for more information.
Hey Everyone!
Anyone here already deployed an Internet Public Available Beacon? I ask this as on my trials the policy always update the beacon location from the internet domain to the internal network/domain location. For example: (From beacon.flexera.com.br to beacon.domain.local).
Now, I know that in the cloud version this is perfect fine, but how to do it in the on-premise version?
Thanks!!
‎Jan 14, 2020 06:24 AM
I would make the public address the only one available and block via firewall the ability to connect to HTTP (or HTTPS depending on config - but I'd expect HTTPS in the DMZ). This way it's only accepting connections from folks "outside the office" rather than "in the office".
You will need to configure the "External" DNS entry in the Beacon Config. Instructions for that can be found in our KB here: https://community.flexera.com/t5/FlexNet-Manager-Knowledge-Base/How-to-configure-the-beacon-to-use-a-different-name-or-alias/ta-p/2064
‎Jan 14, 2020 12:05 PM
For On-Premises customers that require a Beacon that is publicly available from the Internet, they install the Beacon within a DMZ. They then define/allow a path from the Beacon Server into their network back to the Application Server, either directly or through a Parent Beacon.
‎Jan 14, 2020 06:32 AM
Thanks Kclausen!
But a quick question. How do you make the agent connect to the public address of the beacon instead of the internal network one. Every time I change that parameters in the registry, the policy is downloaded and it changes it back making the agents lose the connection with the external beacon.
‎Jan 14, 2020 11:09 AM - edited ‎Jan 14, 2020 11:17 AM
I would make the public address the only one available and block via firewall the ability to connect to HTTP (or HTTPS depending on config - but I'd expect HTTPS in the DMZ). This way it's only accepting connections from folks "outside the office" rather than "in the office".
You will need to configure the "External" DNS entry in the Beacon Config. Instructions for that can be found in our KB here: https://community.flexera.com/t5/FlexNet-Manager-Knowledge-Base/How-to-configure-the-beacon-to-use-a-different-name-or-alias/ta-p/2064
‎Jan 14, 2020 12:05 PM
Hi,
We are trying this configuration method to setup an external beacon like networkname="mybeacon.domain.com", after the new policy is released and the entry on the machines reflects the new networkname on the client's list of upload locations, it appears with http configured on port 80. The beacon is running on Microsoft Azure and the external interface is protected by a WAF which holds the Digital Certificate making the site externally available as https://mybeacon.domain.com/ManagesoftDL/ , that implies that the server won't have a certificate imported. Any idea in how to configure the https entry with these details?
Thanks,
CL
‎Apr 26, 2021 06:29 AM
The problem is the following, as soon as you made your beacon available on internet, any body with a little flexera knowledge can poison your database with data. For example, if I know your FQDN of the beacon, I can create a fake .ndi file, or 100, or 1000 of them and send it to your beacon server, which will happily accept it and process it, this is because at this moment Flexera don't have an agent with a secure authentication method.
‎Apr 26, 2021 08:28 AM
Thanks Adrian.
That's controlled by the certificate which will only be trusted by the machines joined to the client's domain, make the communication of an attacker unlikely.
‎Apr 26, 2021 07:25 PM
I have some question, you say that the beacon server will use an internal issued certificate that should be checked by the agents. If the agents are out on internet, how will they check the internal RootCA and CRL? From my point of view to be sure, is to use something like mTLS, the beacon should be check certificate of the agent and the agent the certificate of the beacon, which is now not supported.
‎Apr 27, 2021 01:07 AM
Klausen,
Where I could find consolidated instructions to well harden a Child Beacon Inventory server at the Internet, in a DMZ?
- To enforce any security controls at the communication level between the Agent and the Internet Child Beacon Inventory server, up to involve an authentication;
- To protect the Internet Child Beacon Inventory server again unauthorized access, malicious access from the Internet, to only allow from the Internet communication from authorized Agent.
- To harden at the maximum the Internet Child Beacon Inventory server (Windows Server, IIS, …)
Thank you.
‎Apr 28, 2020 12:16 PM
hi Forum,
I'm also trying to find the best practices for implementing a child beacon in DMZ as Jean asked and need some guidance on this.
Regards,
‎Apr 29, 2020 09:31 AM
‎Aug 21, 2020 12:00 PM