Our company is looking to reduce what IT resources are externally accessible and locking down what would remain accessible via an SSL-VPN. Our goal is to have KACE accessible through the SSL-VPN web portal.

The issue that was foreseen is that AMP agents outside of our network infrastructure from users reporting off-site, from home, and/or etc. will not work.

One test was performed to block port 80 and 443 to the internal address of the K1000 and use the SSL-VPN web tunnel as an alternative for user access. This was easily achieved. Then we tested a 'Force Inventory' on an external machine and after waiting awhile we didn't get refreshed inventory information. Looking at the logs of the newly enforced firewall rule, I can see that the agent from the remote IP was attempting to connect on port 443. We were under the impression that AMP traffic was only through port 32250 (which will remain unblocked).

After reviewing, this resource:

http://www.kace.com/support/resources/kb/article/troubleshooting-agents-that-are-not-checking-in-inventory

and this reference:

http://www.kace.com/support/resources/kb/solutiondetail?sol=SOL111775

The 'client check-in' is by default on port 443 and thus the behavior has been made more clear now. This is a function that we don't want to disregard completely. Although we have external users who VPN into our network and can check-in without issue, we have had useful information provided by KACE when machines are not on the VPN.

My question is, does anyone have a working implementation of KACE behind an SSL-VPN without sacrificing external clients from checking in? I would like to hear what setups are out there. Solutions and suggestions are always welcomed.

0 Comments   [ + ] Show Comments

Comments

Please log in to comment

There are no answers at this time

Answers

Answer this question or Comment on this question for clarity