We are going to be putting our Kace appliance on the web for our outside sales people to access. Of course I will add an SSL to the Kace box but has anyone else done this? Are there any gotchas or things I need to look at before proceeding? Thanks...

Comments

  • We are wanting agents to run so I'm going to open the ports for those but otherwise things are running great.

Answers

1
Our laptops check in via the kbox.  When we had one stolen I was able to push a script to cripple it since the kbox was available on the internet.
Answered 02/17/2015 by: SMal.tmcc
Red Belt

  • Hah! We solved a lot of our laptop mysteries as well. Once those missing laptops checked in we found out exactly who had them. Did find a stolen one too.
  • That sounds awesome. Can you share that script? It sounds very useful.
1
We did this and it works just fine with only 443 open (I am sure agent heartbeat is needed for something, but we have not noticed it yet).

One silly thing to keep in mind: if you have shutdown scripts or other tasks enabled for internal clients, they may fire on computers connected from home after you make KBOX visible from outside. We had a global online shutdown script that fired after hours on anything connected to the kbox. When we enabled outside access, that was one of the things we forgot to adjust... you should have seen the tickets that came in the next morning. 


Answered 03/02/2015 by: merklo
Senior White Belt

0
Our KBox is accessible outside of our network. Other than requiring SSL I don't think there are any particular precautions that we took.

Answered 02/16/2015 by: chucksteel
Red Belt

0
As long as you've got a good resource on your team to assist you should be fine. It was pretty straightforward. Our Unix guy got us set up in no time (also our cert guy). I was worried about the agents checking in but we had no issues. I remember only finding documentation on the knowledge base and we thought it was a little clunky but again if someone familiar with SSL gives it a once over you'll be fine...
Answered 02/16/2015 by: jegolf
Red Belt

  • I've got a similar question as the original poster, do you know if doing this process would cause any hiccups or anything of the sort if our system is up and running? My team just wants to make sure we know all the facts before we move forward since we have multiple orgs and have deployed to a few hundred clients.

    Running v6.2.109330
    • We didn't lose communication with any agents. They all automatically switched to checking in via SSL. Initially you lose communication with all agents but slowly they check in depending on your inventory interval. We didn't disable port 80 until we knew we were good to go...
0

We are placing our new kbox in our offsite datacenter in a DMZ VLAN with ACLs on the firewall. Below are the ports we'll open (if anybody knows if these should be changed please let me know). I set up a replication point on a server in our office. Laptops that check in with a corporate network (office) IP address will get the replication point label and download files/patches from it. Laptops that don't have a corp IP will download files/patches from the kbox in the datacenter. Everything will be on SSL.

Ports:

From Outside of corp network:

a.  Allow https from anywhere to Kace.
b.  Allow agent heartbeat (52230/tcp) from anywhere to Kace.

From Kace server in Corp DMZ network:

a.  Allow SMTP (25 and 587/tcp) to anywhere for Email.
b.  Allow sftp (22/tcp) to anywhere for auto-backups to a cloud site we use, or just send them back to the replication point.
c.  Allow Ldaps (636/tcp) to AD servers.
d.  Allow https from Corp network to Kace for management.
e.  Allow https between Kace and replication point.
Answered 02/19/2015 by: bens401
Orange Senior Belt
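
One way to confirm, from a network outside the corporate ACLs, that only the two inbound ports in the list above (443 and 52230) answer and that port 80 no longer does once agents have switched to SSL, as an earlier reply describes. This is an added example, not code from the thread or from the vendor; the hostname `kbox.example.com` is a placeholder and the function names are hypothetical.

```python
import socket
import sys

# Inbound policy taken from the port list in the answer above.
EXPECTED_OPEN = {443, 52230}             # https, agent heartbeat
# 80 should stop answering once agents are on SSL; the rest are outbound-only
# from the appliance in that list, so none should accept inbound connections.
EXPECTED_CLOSED = {22, 25, 80, 587, 636}


def probe(host, port, timeout=3.0):
    """Classify a TCP port as 'open', 'closed' (refused) or 'filtered' (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # Something answered with a reset: either the firewall rejects
        # actively or the SYN reached a host with nothing listening.
        return "closed"
    except OSError:
        # Timeout, unreachable network or failed name resolution.
        return "filtered"


def audit_exposure(host, expected_open=EXPECTED_OPEN,
                   expected_closed=EXPECTED_CLOSED, prober=probe):
    """Probe every port in the policy and report deviations from it."""
    ports = sorted(set(expected_open) | set(expected_closed))
    states = {p: prober(host, p) for p in ports}
    return {
        "states": states,
        "unexpected_open": [p for p in ports
                            if p in expected_closed and states[p] == "open"],
        "missing": [p for p in ports
                    if p in expected_open and states[p] != "open"],
    }


if __name__ == "__main__":
    # Placeholder hostname; pass the appliance's public name as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "kbox.example.com"
    report = audit_exposure(target)
    for port, state in report["states"].items():
        print(f"{port}/tcp {state}")
    # Non-zero exit lets a scheduled job alert on any drift from the policy.
    sys.exit(1 if report["unexpected_open"] or report["missing"] else 0)
```

Run it from a host that is not covered by the corporate-network management rule, otherwise the result reflects the internal ACL rather than the internet-facing one.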
