
Hierarchy behind firewalls

Created: 11 Sep 2012 | 10 comments

OK, so we have approximately 20 computers that will be on a firewalled network. I was asked what is needed to get them patched and software installed.

So searching here got me to where a user posted a link to a doc that shows...

Initial connection Notification Server to client

  • UDP 138 (NETLOGON)
  • TCP 445 (MS DS/CIFS/SMB)

Initial connection Client to Notification Server (after Service Starts)

  • TCP 80 (HTTP) client download
  • ICMP Type 8 (PING) package server speed check

OK, so here is my question. I don't know much about firewalls, but if we place a package server behind the firewall (I'm told there are 2 firewalls, but both networks will talk to each other), what do I need to get those computers patched/updated?

Will a package server work for this, or would a hierarchy be needed (something else I have not done before)?

Thanks guys!


TeleFragger wrote:

No one?

OK, I was told that we will have to add a Notification Server to the firewalled subnet... this child NS will talk to the parent... so I have never set up a hierarchy...

Guess I've got a lot of reading to do!

Is the child NS basically a full-blown NS with its own database? So when I add it to the hierarchy, the parent passes info down to the child SQL DB?

Did we help you? Please Mark As Solution those posts which resolve your problem,

Kyle A wrote:

TeleFragger,

You pretty much have it. Typically, you shouldn't need a complete NS environment behind the firewall. Having a single Site Server to handle any packages or tasks would be enough. As long as the endpoints can reach their NS through the web (e.g. ports 80 and 443) and through ICMP, that should be enough. The Package Services on your Site Server will need the same web ports, and possibly SMB/UNC ports for file shares, in case downloading packages through http/s does not work.

If you plan on using Task Services to push things out to them, then you might need to open more ports for the Task Services tickle commands (ports 50121-50124), although this might be more than you want to do.

To answer your additional question, a child NS is a complete NS with its own database and licenses.  It will communicate information back and forth with the parent NS.  You probably don't want to go that route for just 20 nodes.

-K
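A reachability check for the ports Kyle A lists, run from a client on the firewalled subnet, as an added example that is not part of this thread. The two host names are placeholders, and since the thread does not state the direction of the Task Services tickle range, that range is only tested client-outbound.

```powershell
# Added example, not from the thread. Run on a client in the firewalled subnet.
# Host names are placeholders for the real Notification Server and Site Server.
$nsHost     = 'ns.example.local'    # placeholder: Notification Server
$siteServer = 'pkg.example.local'   # placeholder: Site Server (package/task services)

# TCP checks named in the thread: agent-to-NS over HTTP/S, package download over HTTP,
# and the SMB/UNC fallback to the Site Server if HTTP package download fails.
$checks = @(
    @{ Target = $nsHost;     Port = 80;  Purpose = 'Agent to NS (HTTP)' }
    @{ Target = $nsHost;     Port = 443; Purpose = 'Agent to NS (HTTPS)' }
    @{ Target = $siteServer; Port = 80;  Purpose = 'Package download (HTTP)' }
    @{ Target = $siteServer; Port = 445; Purpose = 'SMB/UNC fallback for package share' }
)
# Task Services tickle range from the thread; the thread does not state the direction,
# so this only tests client-outbound reachability.
foreach ($p in 50121..50124) {
    $checks += @{ Target = $siteServer; Port = $p; Purpose = 'Task Services tickle' }
}

$results = foreach ($c in $checks) {
    $tnc = Test-NetConnection -ComputerName $c.Target -Port $c.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Target    = "$($c.Target):$($c.Port)"
        Purpose   = $c.Purpose
        Reachable = $tnc.TcpTestSucceeded
    }
}
# ICMP echo: the agent pings the package server for its speed check.
$results += [pscustomobject]@{
    Target    = "$siteServer (ICMP)"
    Purpose   = 'Package server speed check (PING)'
    Reachable = Test-Connection -ComputerName $siteServer -Count 1 -Quiet
}
$results | Format-Table -AutoSize
# Any row with Reachable = False is a firewall rule still to be opened (or a port to rebind).
```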

TeleFragger wrote:

Well, I was told the ports I want opened will not be possible...

They don't want the machines on the firewalled side to talk to the main network, so I think I'm stuck doing the child NS, which I have never done before, so it would be neat!


Kyle A wrote:

Are they going to allow the child NS to communicate with the parent? It will still need network communication.

It's not hard to set it up. Just takes much longer than pushing out a simple package server. :)

TeleFragger wrote:

I agree a package server is easier... and cheaper. We have a 3rd party for our servers, so they will get pulled in and cost a lot more...

Yes, server-to-server communications they will open on the firewall.


Kyle A wrote:

I wonder if it would be possible to put some kind of proxy server in, that would handle all endpoint-to-management server communication, and still allow you to only have one NS in place.

TeleFragger wrote:

OK, I found out more info..

The computers will be behind 2 firewalls... I know nothing about firewalls..

What they are saying is that they can open the ports through both firewalls, but they think the traffic won't route, so the client machine 2 levels deep will not be able to communicate... I would think if you update the LMHOSTS file on the PC or something you can get it to talk?

Second, they do not want port 80 opened, but there is a breather there..

They don't want these computers to hit the internet.. sooo..

They can open the 2nd firewall for port 80, package server on that level, and leave the upper firewall closed on 80... would that work? I'll try and draw it in case I'm confusing you...

[attachment: doublefirewalled.jpg]


KSchroeder wrote:

You don't need 138 and 445 unless you want to push the agent from the NS. A single HTTP port (could be custom if they don't want 80) so the machines can talk to the NS. Easier to have a site server for task and package in the field network.

Thanks,
Kyle
Symantec Trusted Advisor

For Forum threads, please click "Mark as Solution" if answered.
For all content, please give a thumbs up if you agree with or support the post.

TeleFragger wrote:

Even better news.. so since we have an installer and are going to manually run the .exe, we don't need 138 and 445.

How do you set the single custom port, say 88? Just as an example, so every other site still uses 80 but this site will use 88?

Thanks!


KSchroeder wrote:

What I did in the past was add a secondary port to IIS. Beware that you may get some weird results or errors with Silverlight consoles.

Thanks,
Kyle
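One way to do what KSchroeder describes, as an added example that is not from the thread: add a second HTTP binding on port 88 to the NS web site in IIS, then open that port on the NS host firewall only for the firewalled subnet so the extra exposure stays scoped. The site name 'Default Web Site', port 88 and the subnet 10.20.30.0/24 are placeholders.

```powershell
# Added example, not from the thread. Run on the Notification Server host as admin.
# 'Default Web Site', port 88 and the subnet are placeholders for your own values.
Import-Module WebAdministration
$siteName  = 'Default Web Site'   # placeholder: the IIS site hosting the NS
$extraPort = 88                   # placeholder: the custom port for the firewalled site
$siteNet   = '10.20.30.0/24'      # placeholder: the subnet behind the firewalls

# Add the extra HTTP binding only if it is not already present (keeps the script rerunnable).
$bound = Get-WebBinding -Name $siteName -Protocol http |
         Where-Object { $_.bindingInformation -eq "*:${extraPort}:" }
if (-not $bound) {
    New-WebBinding -Name $siteName -Protocol http -IPAddress '*' -Port $extraPort
}

# Open the port on the Windows firewall, scoped to the one subnet that needs it,
# so the existing port 80 exposure is not widened for everyone else.
$ruleName = "NS agent HTTP $extraPort"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $extraPort -RemoteAddress $siteNet -Action Allow | Out-Null
}

# Show the bindings now in place: port 80 stays for the other sites, 88 for this one.
Get-WebBinding -Name $siteName | Select-Object protocol, bindingInformation
```

The agents on the firewalled side still have to be pointed at port 88, a step the thread does not cover, and the Silverlight console caveat above still applies.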