We are halfway through setting up the internet beacon, which is open to the internet; all non-VPN users and home users are going to communicate through this beacon.
Our beacon server is in the DMZ and we got an external DNS record for it, and for the IIS binding we are using the internal CA-issued certificate.
However, everything is set we are able to unable to communicate over HTTPS. Test connections (DL & RL) are succeeding on HTTP. And we did testing on agent-beacon communication on a few test devices.
The agent is able to connect to the beacon and policy download is working fine as expected, but it's been more than 48 years and I haven't received any inventory record of these devices in the web UI.
We have checked the logs on the device where the agent is installed; the logs state everything is good.
On the beacon server, in the inetpub logs, I am not seeing any NDI file entry. Can you help me here?
And I want to understand, if anyone has set up this internet beacon, what procedure you followed; please share any findings or documents with me.
Thanks in advance.
Mar 22, 2023 02:07 PM
48 years should be more than enough time for any inventory to be processed if it was successfully uploaded 🙂. You mention the policy download was successful, but can you verify by reviewing the tracker/uploader logs (on the agent machine) that inventories are being uploaded to the beacon successfully? You could enable the Replication feature of the beacon (even temporarily) to confirm that the NDIs are indeed accepted by the beacon.
For interest, are you enforcing any (agent) authentication for the connections? Here is a blog post that details one option for configuring internet facing beacons using mutual TLS so that both client and server certificates are used to maximise secure connections:
Mar 22, 2023 08:24 PM
I assume that the beacon server uses an alias which is a publicly used FQDN, right? This alias can be different from the host name which the beacon distributes by default in its policy.
What can happen is that the agent connects to the beacon, receives a new policy with the new name in the failover list, and then it no longer knows where to send the data.
So, for this, please check tracker.log and uploader.log and check where the beacon tries to send the data; if it is trying to send to the host name, then modify the beacon config file.
The file is here:
C:\Program Files (x86)\Flexera Software\Inventory Beacon\DotNet\conf
And in the networkname you put your public FQDN, so that the agent will know this name.
Also make sure to activate mTLS, otherwise you risk your environment being poisoned if someone uploads a correctly formatted file.
Mar 23, 2023 08:21 AM
I have troubleshot the devices and they are reporting now. Thank you guys for your input. I had to manually trigger ndtrack.
A quick question I have: if an end-user device is on the LAN and it should report to our internet-facing beacon, policy download is throwing a hostname lookup error. Why am I unable to connect to our internet beacon from the LAN? Is it because our external DNS is not registered with an external certificate authority?
Mar 23, 2023 12:04 PM
A hostname lookup error while connected to the LAN would likely be related to the DNS servers that are used on the LAN: it sounds like the DNS servers there are unable to resolve the name that is being looked up to an IP address.
Mar 23, 2023 06:57 PM