Managing Offsite Computers
Hello,
Our organization places contractors off-site with equipment provided by us. Usually these contractors are stationed at the client's site, but sometimes they are also at home. We need to be able to perform inventory on these machines and manage them, as the contractors rarely ever come onsite. It is also common that the computer they are using is NOT joined to our domain. The computer is, for all intents and purposes, at the mercy of the client's own IT management; however, we NEED to be able to inventory these computers because we provide the software, among other reasons.
I have not been able to find much documentation on managing offsite/remote Altiris agents. I understand how to expose the NS and DS servers publicly, but I am concerned about security… primarily agent authentication. I don’t want any agent that is not authenticated to be able to interact with the NS server, such as posting inventory data.
1. Is there a URL, KB Article, or PDF that explains how this is accomplished?
2. What authentication methods are available to the DS and NS that disallow unauthorized registration/communication of an Altiris Agent on our servers? I know that System Center Configuration Manager uses client certificates as an authentication mechanism for managing public/offsite/remote clients, but we don’t have a PKI. I would be content with a username/password/SSL combo.
3. Is it recommended that we only expose NS to our DMZ, or can we also do this with the DS safely? I don’t think the DS uses SSL, so this makes me nervous.
I want to be able to accomplish this with Altiris, but the way I see it there are some security risks regarding authentication of agents, and I need to know how this is handled, or if it is even recommended.
As always, any help is greatly appreciated!
Comments
Some ideas, and some blank stares ;)..
NS6 provided limited support for this, using the exact method you mentioned: placing the server in the DMZ, and using HTTPS and a certificate to secure authentication. The clients would still need to be authenticated to the network.
Deployment Server doesn't use IIS by default, so this wouldn't really work. I never really pursued using the (optional) add-on for DS, the web console - which does use IIS - to attempt this.
NS7, which includes the new DS7 web console, is supposed to provide better functionality for managing the type of "disconnected" users and computers you are talking about.
Unfortunately, I'm still getting spun up on it, and don't have any practical knowledge to give you.
So if you're running NS6, there are some great KB articles (just search for SSL) on that level. If you want to use NS7, there is a very good NS7 implementation guide.
NS6 and SSL
KB45803 - NS 7 Planning and Implementation Guide
Jim Harings
HP Enterprise Services
1st Rule of Connect Club: Mark the post that helped you the most as a 'solution'. 2nd Rule of Connect Club: You must talk about Connect Club.
VPN?
Do the clients not use a VPN? That would solve it without any additional setup or exposure.
Symantec is way behind on Internet management/roaming user
We have the same battle: we want to push software, get inventory and do everything we do with our clients on the network. If you are looking to just get inventory, you should be able to do that with both versions. The agent trust is the hardest one for you. Nothing exists to this day unless you plan on using some type of certs on your clients. If you are looking to push software you have many more problems.
Symantec is saying version 7.1 will have more features, but I really say this is way too long when almost every other vendor has support for internet management and roaming users. It's a matter of time before our management says "Microsoft can do it, let's switch".
That's a fair criticism
I can see your point, emerkle. However, in this day and age of viruses and malware only getting worse and more intrusive, I wouldn't be surprised to see more restrictions for overall management of roaming computers, not less.
So if you don't provide it, technically, you're ahead of the game. ;)
Jim Harings
HP Enterprise Services
Thanks
I'm not sure if this is the
I'm not sure if this is the topic here, but there is a great article on Microsoft about how to manage roaming user data.
http://technet.microsoft.com/en-us/library/cc76648...
Nichant
Does anyone know the
Does anyone know the implications/consequences of placing a site server in the DMZ?
Security, Security, Security
Depending on which files, ports and protocols are open, if they aren't secured, or you aren't using a VPN client to connect, it's like opening a door to your network.
As I said, I haven't been able to test the ability of running a wide open server with v7, but it might work.
Jim Harings
HP Enterprise Services