Patching laptops that move in and out of the office
Howdy all,
We're currently running a second NS in an internet-facing DMZ, so we can have laptop-based clients reporting Inventory via internet connections (i.e. connected from 3G cards etc.). This inventory then uploads to another NS inside the network.
Currently, only the inside NS has Patch Management installed.
My quandary is how do I patch these roaming assets? I can install Patch on the DMZ NS, and throttle the Agent so it doesn't flood the 3G cards etc., but what about when the laptop returns to the inside network? I would like it to return to downloading from an inside Package server, rather than flooding the inside port on the firewall.
Anyone running anything like this? Does it work better in 7? (We're currently on 6.5.)
Regards,
Justin
Comments
Currently no difference in v7
There is no roaming client model, and even with a hierarchy setup, clients can't receive policies from two separate computers.
Jim Harings
HP Enterprise Services
1st Rule of Connect Club: Mark the post that helped you the most as a 'solution'. 2nd Rule of Connect Club: You must talk about Connect club.
Agree with Jim
There is no roaming client model currently. As for "flooding" the wireless card, etc., you can set throttling settings on the clients to avoid the client pulling down too much data at once. I would probably use a set KB/sec rather than a percentage throttle (because I think that the % throttle depends on being able to ping the NS, which you probably won't be able to or want to enable). As Jim said, it will need to continue downloading from the DMZ NS.
Thanks,
Kyle
Symantec Trusted Advisor
For Forum threads, please click "Mark as Solution" if answered.
For all content, please give a thumbs up if you agree with or support the post.
Have you considered having a single NS, in the DMZ, and using SSL? You could then place a task/package server inside the private part of the network and this would help alleviate NS load and keep much of the package traffic when clients are in the office, away from the NS.
Of course there are security concerns with it, but I have seen other customers do it.
That is our currently recommended process
There are probably other ways (opening up ports and proxies), however this method does work well.
Jim Harings
HP Enterprise Services
The main tricky part is potentially having to port forward the task server ports, unless you are happy to wait for the normal policy download schedules to take effect.
Thanks all,
We're already throttling the agent based on kbps, so no real issue there; it's more that our existing 3G users already complain about drops etc., so adding to that traffic is not something I'm overly excited about.
Moving the NS directly into the DMZ is an interesting idea. We might look at it when we go to 7, as we currently use Helpdesk as well, and I'll probably have to carve that onto another server anyway (the DMZ is a long way from our Helpdesk users).
Re: Task servers, sorry, you mean port forwarding ports from the NS to the inside Task servers?
Disappointed Symantec still haven't addressed roaming clients; it's such an obvious need.
Thanks again,
Justin.
They are working on a proxy type of NS idea for the future, just like PCAnywhere Access Servers. But I think it might be a fair way off. I'm anxiously awaiting it though!