Kbox agents in the DMZ zone
Can We give the kbox 2 ip addresses one for local and one for DMZ for our outside DM's or can you only give one IP and does the Client check in by server IP or name
0 Comments
[ + ] Show comments
Answers (6)
Please log in to answer
Posted by:
airwolf
13 years ago
Are you talking about clients in the DMZ or the KBOX itself in the DMZ?
Clients check-in by IP or hostname, whichever is specified in config.xml and SMMP.conf. If you want clients to check-in to a KBOX in the DMZ, you'll need ports 80* and 52230 opened up from the DMZ to the internal network. If you plan on allowing clients to hit a public IP address to check-in, then you'll need ports 80* and 52230 open to the outside as well. *Substitute port 443 if you are using SSL.
Clients check-in by IP or hostname, whichever is specified in config.xml and SMMP.conf. If you want clients to check-in to a KBOX in the DMZ, you'll need ports 80* and 52230 opened up from the DMZ to the internal network. If you plan on allowing clients to hit a public IP address to check-in, then you'll need ports 80* and 52230 open to the outside as well. *Substitute port 443 if you are using SSL.
Posted by:
airwolf
13 years ago
You can point all of your clients at a public IP given to the KBOX, but internal routing to that IP is up to you. Your clients can go out and back in, or you can route traffic back into the DMZ when internal traffic hits the firewall (suggested). There is no need to give your KBOX an internal IP if it's going to be public facing.
Keep the ports in mind that I mentioned in my previous post. With a publicly accessible KBOX, you may want to seriously consider SSL. However, you should check with support first, because last I heard 5.1 had SSL issues.
Keep the ports in mind that I mentioned in my previous post. With a publicly accessible KBOX, you may want to seriously consider SSL. However, you should check with support first, because last I heard 5.1 had SSL issues.
Posted by:
TJSmithCIQ
13 years ago
We have our K1000 in a DMZ with one-way communication. So we can go from internal-to-DMZ but not DMZ-to-internal. Works just fine as long as you can route from your internal network to the DMZ and you have firewall rules open for that IP and the right ports (80, 443, 52230). Edit: I should also note that things like Wake-On-LAN and push-provisioning obviously do not work as that would require DMZ-to-internal communication.
We don't have any external-to-DMZ communication but yes, SMMP.conf shows hostname, not IP. So if the same hostname is available on the public internet, you have NAT configured, and firewall ports open from external to DMZ, I don't see why it wouldn't work. (Interesting side note, apparently config.xml is phased out for 5.1? I didn't realize it until I looked for it, and it was gone.)
Andy, where did you hear about 5.1 SSL issues, and what issues exactly? PM me if you don't want to hijack. :)
We don't have any external-to-DMZ communication but yes, SMMP.conf shows hostname, not IP. So if the same hostname is available on the public internet, you have NAT configured, and firewall ports open from external to DMZ, I don't see why it wouldn't work. (Interesting side note, apparently config.xml is phased out for 5.1? I didn't realize it until I looked for it, and it was gone.)
Andy, where did you hear about 5.1 SSL issues, and what issues exactly? PM me if you don't want to hijack. :)
Posted by:
airwolf
13 years ago
SMMP.conf shows hostname, not IP. So if the same hostname is available on the public internet
You can use an IP instead of a hostname, so a public A record isn't required for your KBOX.
Andy, where did you hear about 5.1 SSL issues, and what issues exactly?
There were known SSL issues with 5.1 beta and RC... I never heard whether or not they had resolved the issues.
Posted by:
TJSmithCIQ
13 years ago
ORIGINAL: airwolf
You can use an IP instead of a hostname, so a public A record isn't required for your KBOX.
Gotcha, good point. If you're installing the agent manually, you can use whatever you like. I'm too used to having it scripted out. :)
Rating comments in this legacy AppDeploy message board thread won't reorder them,so that the conversation will remain readable.