Can we Inventory/Patch machines outside of our Firewall, without opening the user/admin web UIs?
Similar to the question at https://www.itninja.com/question/k1000-inventorying-remote-machines, which leads me to believe the answer to my question is "No", but I'd like that to be confirmed if possible.
Can we do inventories and patches to remote machines that are outside of our network, without opening up the user and admin web UIs to the world?
We've found the ACL option to restrict access per IP, but we're not confident that will stand up to IP-spoofing.
The article linked above indicates that we'd need to open ports 443 and 52230, but it's also a 7-year-old article, and when I look at https://support.quest.com/kb/111775/which-network-ports-and-urls-are-required-for-the-kace-sma-appliance-to-function-, I see no indication of needing port 52230 opened. That document makes me suspect that the AMP agent, when it changed a few versions back, stopped using 52230 and started using 443, sharing the same access as the web UIs. I think what I'm asking is to have the old functionality, where I could open 52230 for AMP, and leave 443 closed for the web UIs.
Any enlightenment would be appreciated. Thanks!
Short answer: no.
Long answer: yes, but you need to modify your firewall, or you use the appliance unencrypted (not suggested!).
The agent communication runs over port 443 (SSL), so access to this port needs to be given. See here: https://support.quest.com/kb/111775
If you allow access to this port, the interfaces are also open to the internet, since they also go over port 80 (default without SSL) or 443. But to secure the access, you can use Two-Factor Authentication (2FA) inside the appliance.