I know from conversations at the Konference that a lot of admins have experience placing their KBOX in the DMZ to help support remote users. The business I work for is 85% remote users and I am not getting the persistent AMP connections I need, nor for the length of time I need them, to properly manage our computers. I am thinking the best way for us to get the persistent connections we need is to point to our KBOX from a public IP address so that the machines will hit the kbox whether they are on our NW (VPN) or not.

I'd love some feedback regarding y'alls opinion on Best Practices, any real world experience stories, etc. as I evaluate the best way to make this transition.

We are a 99% Microsoft shop if that plays into anyone's thoughts on the subject.
0 Comments   [ - ] Hide Comments


Please log in to comment

Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.
Answer this question or Comment on this question for clarity


If you want to allow connections whether they are connected out in the wild, you'll have to either port forward 52230 (AMP) to the KBOX (and point clients to the public IP where the KBOX is hosted) or put the KBOX in the DMZ. If you do decide on the DMZ solution, I don't think there are any special precautions you need to take. It is a supported practice. However, I would suggest using SSL. I'd block all ports on the firewall to the KBOX except 443 and 52230. If you use LDAP authentication, then you'll have to allow the KBOX back in to your domain controllers on port 389.

Also, AMP is just the status protocol... you won't get inventory data unless you forward 80/443 traffic to the KBOX as well - if you go with port forwarding. Obviously this doesn't matter if you go with the DMZ solution.
Answered 11/28/2010 by: airwolf
Tenth Degree Black Belt

Please log in to comment

I think this article will help.


Make sure you apply ssl.

These 3 ports are gonna be your big ones.

443 - admin port, and client check in
52230 - client heartbeat
636 - LDAPS
Answered 11/29/2010 by: dchristian
Red Belt

  • Since the link format added some extra, here's a quick cut & paste version that'll work. http://www.kace.com/support/kb/index.php?action=artikel&cat=1&id=589&artlang=en
Please log in to comment
Note that AMP is also required for other tools like Online Scripts, Patching, and items like force check-in and run-now scripts. If those are important to you (I know they are for dyehardfan) you'll want to allow AMP traffic also. There's an option in the AMP settings to enable SSL for AMP also. Enable this only if your KBOX is already in SSL mode.
Answered 11/30/2010 by: cblake
Red Belt

Please log in to comment
Thanks guys, this gives me some stuff to chew on. We're trying to decide between going this route or having all users automatically connect to the VPN whenever they hit the internet.
Answered 12/03/2010 by: dyehardfan
Second Degree Blue Belt

Please log in to comment

Will Dell Updates and security patches also go via the AMP port? Or would I need to enable SMB traffic to and from the box as well?


Answered 09/20/2012 by: KRN
Senior Yellow Belt

  • I'm also wondering this. It does seem like SMB would have to be available to pick up files, but I'd much rather see them go through an encrypted connection.
Please log in to comment