Support for FNMS agent inventory for devices outside network
Working on a project where there is a requirement to enable remote users to report back their FNMS agent inventory while not on the corporate network.
We are wondering if there exists a document outlining a best practices configuration and/or if anyone can provide guidance on supporting this requirement. We are thinking deploy beacon in DMZ but wondering on how best to configure to minimize security risk etc.
Do you have any solution to manage these "remote" devices already? Maybe you could collect inventory from there and avoid managing the agent on them.
How do these devices connect with the rest of the network? Are they part of Active Directory? Do they use a VPN?
apologies for the delay,
this is a mock-up of a setup I have seen quite a few times,
it's missing the security details like firewalls, encryption setups, filtering rules and certificates etc, but hopefully, you can see the flow taken with this. I see alot of people tend to use reverse proxies and load balancers with external agent devices. The one aspect to remember is that beacons can only use http OR https, not both. And in the case of reverse beacons/load balancers for external network traffic a child beacon needs to be created dedicated to the external network
there is an extra step required on the child beacon if you want to set up something like this, I have attached a word doc showing how to setup the beacon to work in a setup like this.
Thanks for sharing the document.
On IIS, Beacons should be able to do http and https at the same time. Just add both bindings in IIS. Of course, the specific beacon will only report himself as http OR https to FNMS. But that can be worked around with custom entries in the Beacon table.
I guess, we all agree that this type of information should be sent over the internet via https only.
It's more the agents that cause problems when you have a beacon on http and https as the policy can only hold one entry per beacon, so while you can have both http and https bindings in IIS on the beacon the agents will just use one or the other, whichever is set in the policy.
however if there are alterations you can make in the beacon table perhaps you can tell the agents to do both?, that would be interesting. what sort of alterations would one make as an example?
The policy actually contains all the beacons, so whatever you enter in the Beacon table will finally translate down to all beacons and then agents. At least that used to be the way, not sure how the new 2019 R1 features will change they way stuff works.
I have done this in the past to enable agents to work with IP adresses instead of computer names. Background was a network segment not featuring DNS, at leat not for that specific Beacon. So I added a "dummy" entry to the Beacon table.
There are a few considerations:
- Those "dummy" entries will show up in the WebUI and because no beacon status will be reported, they will show errors there.
- With default settings, the agent will determine which beacon to use on it's own. So for me this was an option to present some alternatives in a complex network, just as a fallback solution.
for others reading this, when it comes to agents, this is an extract of how the beacon entry on an agent looks in the registry, so you can see it only has one key for protocol and that's the main issue, you can make another beacon in the DB instead though as @mfranz mentioned, just be aware of the consequences and possibly future breakages, its definitely abit of a hack
@mfranz I have used your method in the past with creating a fake beacon but in your scenario, if you just want to feed down IP addresses instead of hostnames have you tried using the method used for things like reverse proxies? check out the attached doc, it may be an easy method than making false entries in the DB, probably safer too in the long run
Where I could find consolidated instructions to well harden a Child Beacon Inventory server at the Internet, in a DMZ?
- To enforce any security controls at the communication level between the Agent and the Internet Child Beacon Inventory server, up to involve an authentication;
- To protect the Internet Child Beacon Inventory server again unauthorized access, malicious access from the Internet, to only allow from the Internet communication from authorized Agent.
- To harden at the maximum the Internet Child Beacon Inventory server (Windows Server, IIS, …)
Thanks for the diagram. Would like to understand
> Do we need to make changes to child's beacon config file?
> Which Ip Address need to use in beacon config file - is it Proxy server/load balancer or other?
> what is the need to child beacon?
> instead of child beacon, can I use internal load balancer and proxy server connect to this load balancer?