Hi,

I went to kb.altiris.com and typed DMZ in the search. It came back with a ton of information and similar situations like your. I would try that first.

Many thanks. I will try there first.

We are doing this in several of our world regions and here at headquarters.  You can assign additional ports for IIS to listen on, which is what we did (from the start, actually).  We made the new port the default and added 80 as a backup for non-DMZ machines, then added firewall rules to allow the inbound traffic from the DMZ hosts to the NS only, via the specified port (< 1024).  The Agent policies are configured to "specify an alternative URL" (err something like that) for the NS, with the port appended to the url (http://servername.company.com:port/Altiris I believe).  Actually all the agents are using the custom port (for both DMZ and regular network) so we could apply QoS de-prioritization of the traffic on that port #.  We left port 80 in play so that support staff wouldn't have to remember to add the port to the URL when accessing the console.

Well, I think the risk is fairly well mitigated by only allowing HTTP through that custom port, from the source server, and only to the NS itself.  I guess that is still some exposure...but not much.  But again, I'm not a network nor security guy, so what do I know? :)

I know other customers have put ISA (or what ever the equivalent is now) server(s) between the DMZ and the NS.  That way they could control the requests coming into the NS (only allow requests to certain http paths and with certain http verbs, etc).  It would take a little effort to investigate using an http capture tool but not too bad I don't think.

One of my clients does this and we have not had any trouble. To keep things a little more locked down, they keep their SQL instance on a seperate box inside the firewall.

We went alternate ports. Nightmare! You then need to check that every other solution that you want to install can use alternate ports. Task server doesn't!!

Well, lucky for us we never installed nor deployed Task in our environment! :)  Call me crazy..but when I'm managing 14,000 machines....I don't want ANYTHING happening to all of them "right now" via an "oops" Task.  I'm a big fan of policy-based management for that reason.  Does Task Server just not like a custom port for the ALtiris Agent communication with the NS, or if you're trying to force it to use a different port specifically for Task Server communications with task agents?