I've been doing some testing by using agents as proxies. Although the work gets done, I have been facing some issues with latency, etc. I therefore decided to sniff the network traffic and here's what I found.
I have two machines, one client C and a server S. Although both are accessible from the machine hosting SecurityExpressions, I want the audit of C to be proxied through S (which already has the agent installed and properly configured). I was quite amazed to see that the SecurityExpressions console, despite the proxy having been chosen in the preferences of client C, tried to contact (either ICMP ping or NetBIOS traffic!) the C machine. Why is that so? I mean, I explicitly set it to be contacted only through S. It seems that eventually the proxy is used for the actual auditing, but nevertheless (useless) traffic is exchanged between the console and C.
The documentation presents the proxy solution as a way to bypass firewall limitations. If firewalls are (properly) set, this kind of ICMP/NetBIOS traffic will most certainly be blocked; why even bother then? I tried to change the communication method from dynamic, to agent, to "not connect" (just in case), and that didn't change much.
Any insight on that?
I was also wondering how proxies truly operate. Does the console send the whole policy and just expect the result back from the proxy, or is every rule sent one by one? And if several clients are set to be reached via the same proxy on a scheduled audit, does the console relay the whole job to the proxy in one piece, or does it treat every client distinctly and recontact the proxy for each and every one of them?
Thanks in advance for your (much appreciated) comments!