Showing results for 
Show  only  | Search instead for 
Did you mean: 

Internet - public beacon

Hi Forum, 

we are half way to setup the internet beacon which is open to internet and all non VPN users and home users are going to communicate through this beacon.

Our beacon server is on DMZ and we got external DNS record for it. and for IIS binding we are using the Internal CA issued certificate. 

However, everything is set we are able to unable to communicate over HTTPS, Test connections (DL & RL ) are getting succeeded on http. And we did testing on agent - beacon communication  on few test devices.

Agent able to connect to the beacon download policy is working fine as expected, it's been more than 48 years I haven't received any inventory record of these devices in webui. 

We have checked the logs at agent installed device  - logs states everything is good.

on beacon server, inetpub logs, I not seeing any ndi file entry. Can you help me here . 

and I want to understand if anyone have setup this  internet beacon, what is procedure that you have followed and findings or documents please share with me.

Thanks in advance.

Reshma B

(5) Replies

Hi Reshma,

48 years should be more than enough time for any inventory to be processed if it was successfully uploaded 🙂 .    You mention the policy download was successful, but can you verify by reviewing the tracker/uploader logs (on the agent machine) that inventories are being uploaded to the beacon successfully?    You could enable the Replication feature of the beacon (even temporarily) to  confirm that the NDI's are indeed accepted by the beacon.

For interest, are you enforcing any (agent) authentication for the connections?  Here is a blog post that details one option for configuring internet facing beacons using mutual TLS so that both client and server certificates are used to maximise secure connections:







Hoping its typo for 48 years . Please share tracker.log & policy.log to view further. 

Also share output of below from device where agent has been installed





I assume that the beacon server use an alias which is a FQDN publicly used, right? This alias can be different from the host name which the beacon is distributing by default by his policy.

What can happen is that the agent is connecting to beacon, receive a new policy with the new name in the fail over and then he no longer know where to send the data.

So, for this, please check tracker.log, uploader.log and check where the beacon try to send the data, if he is trying to send to the host name, then modify the beacon config file.

The file is here:

C:\Program Files (x86)\Flexera Software\Inventory Beacon\DotNet\conf


and in the networkname you put your public fqdn, so that the agent will know this name.

Also make sure to activate mTLS other wise you can risk your environment to be poisoned if some one are uploading a correctly formatted file.

I have troubleshooted the devices they are reporting now, thank you guys for your inputs. I had to manually trigger the ndtrack. 

 Quick question I'm having, if end user device is on LAN and it should report to our internet facing beacon. While policy download it is through hostname lookup error. why from the LAN I'm unable to connect to our internet beacon. Is it because our external dns is not registered on external certificate authority ??

A hostname lookup error while connected to the LAN would likely be related to the DNS servers that are used on the LAN: it sounds like the DNS servers there are unable to resolve the name that is being looked up to an IP address.

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)