DMZ solutions for Notification Server/Inventory/Patch Management

NoImagination

I am about to deploy Notification Server 6.0 SP3 with all sorts of bolt on solutions. I have a core network and two separate firewalled DMZs. I want to use my Altiris solution for inventory purposes and patch management on servers in the DMZ.

How should my architecture look? What options do I have? I understand that communication is only HTTP over tcp 80 (by default), but it will be initiated by the client (inside the DMZs). Do I need to open my firewall (inbound from DMZ) from all hosts to my NS? :(

Is there a document that might help?

Many thanks
 

mabdelnabi

Try kb.altiris.com

Hi,

I went to kb.altiris.com and typed DMZ in the search. It came back with a ton of information and similar situations like yours. I would try that first.

NoImagination

:) Excellent

Many thanks. I will try there first.

KSchroeder

This can be done

We are doing this in several of our world regions and here at headquarters.  You can assign additional ports for IIS to listen on, which is what we did (from the start, actually).  We made the new port the default and added 80 as a backup for non-DMZ machines, then added firewall rules to allow the inbound traffic from the DMZ hosts to the NS only, via the specified port (< 1024).  The Agent policies are configured to "specify an alternative URL" (err something like that) for the NS, with the port appended to the url (http://servername.company.com:port/Altiris I believe).  Actually all the agents are using the custom port (for both DMZ and regular network) so we could apply QoS de-prioritization of the traffic on that port #.  We left port 80 in play so that support staff wouldn't have to remember to add the port to the URL when accessing the console.

Thanks,
Kyle
Symantec Trusted Advisor
If your question has been resolved, please be sure to click "Mark as Solution"! Thank you.

NoImagination

This can be done

Many thanks Kyle.  This looks like the way we are going to go.  Not too happy about opening inbound ports from multiple DMZ hosts but I can't really see much of any other way.

Regards

Eddie

KSchroeder

Well, I think the risk is

Well, I think the risk is fairly well mitigated by only allowing HTTP through that custom port, from the source server, and only to the NS itself.  I guess that is still some exposure...but not much.  But again, I'm not a network nor security guy, so what do I know? :)

Thanks,
Kyle

BBishop

ISA server

I know other customers have put ISA (or whatever the equivalent is now) server(s) between the DMZ and the NS.  That way they could control the requests coming into the NS (only allow requests to certain http paths and with certain http verbs, etc).  It would take a little effort to investigate using an http capture tool but not too bad I don't think.
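
As an added illustration (not code from this thread, from Altiris or from any of the posters), here is a small Python model of the layered policy the replies above describe: Kyle's firewall rule that lets only the DMZ hosts reach the NS on the custom port, plus the ISA-style restriction to certain HTTP paths and verbs that BBishop suggests. The DMZ ranges, port number, endpoint paths, verb set and the sample log lines are constructed placeholders; a real allowlist would come from capturing the agent traffic as BBishop describes.

```python
import ipaddress
import posixpath
from typing import NamedTuple
from urllib.parse import unquote

# Constructed policy values (placeholders, not real Altiris settings).
NS_PORT = 8080                                    # custom port IIS also listens on
DMZ_NETS = [ipaddress.ip_network("192.0.2.0/24"),
            ipaddress.ip_network("198.51.100.0/24")]   # the two firewalled DMZs
ALLOWED_PREFIX = "/Altiris"                       # console and agent URLs live here
ALLOWED_VERBS = {"GET", "POST"}                   # verbs the agents were observed to use


class Decision(NamedTuple):
    allowed: bool
    reason: str


def evaluate(src_ip: str, dst_port: int, verb: str, path: str) -> Decision:
    """Firewall layer first (source host, destination port), then HTTP layer (verb, path)."""
    src = ipaddress.ip_address(src_ip)
    if not any(src in net for net in DMZ_NETS):
        return Decision(False, "source not a DMZ host")
    if dst_port != NS_PORT:
        return Decision(False, f"port {dst_port} not the NS port")
    if verb.upper() not in ALLOWED_VERBS:
        return Decision(False, f"verb {verb} not permitted")
    # Decode and normalise before the prefix check so %2e%2e or /../ cannot
    # escape the allowed tree while still "starting with" /Altiris.
    norm = posixpath.normpath(unquote(path.split("?", 1)[0]))
    if norm != ALLOWED_PREFIX and not norm.startswith(ALLOWED_PREFIX + "/"):
        return Decision(False, f"path {norm} outside {ALLOWED_PREFIX}")
    return Decision(True, "ok")


def audit(lines):
    """Evaluate constructed proxy log lines of the form 'src_ip dst_port VERB path'."""
    results = []
    for line in lines:
        src, port, verb, path = line.split()
        results.append((line, evaluate(src, int(port), verb, path)))
    return results


# Constructed sample traffic: one legitimate agent post, then four that should be refused.
SAMPLE_LOG = [
    "192.0.2.10 8080 POST /Altiris/agent-placeholder/post",      # DMZ agent on custom port
    "192.0.2.10 80 GET /Altiris/console-placeholder",            # right host, wrong port
    "203.0.113.5 8080 GET /Altiris/agent-placeholder/policies",  # not a DMZ host
    "198.51.100.7 8080 GET /Altiris/../admin-placeholder/",      # traversal out of /Altiris
    "198.51.100.7 8080 DELETE /Altiris/agent-placeholder/",      # verb never used by agents
]
```

Only the first sample line is allowed; each of the others is refused with the reason from the layer that caught it.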

Sean_Ebeling

I have a client that does this

One of my clients does this and we have not had any trouble. To keep things a little more locked down, they keep their SQL instance on a separate box inside the firewall.

~Sean

BBishop

Which parts of this thread do they use specifically?

Do they just use the firewalling or ISA or both or something more as well?

Thanks