Client Management Suite

  • 1.  Managing Offsite Computers

    Posted Mar 19, 2009 04:23 PM

    Hello,

    Our organization places contractors off-site with equipment provided by us. Usually these contractors are stationed at the client's site, but sometimes they are also at home. We need to be able to perform inventory on these machines and manage them, as the contractors rarely ever come onsite. It is also common that the computer they are using is NOT joined to our domain. The computer is, for all intents and purposes, at the mercy of the client's own IT management; however, we NEED to be able to inventory these computers because we provide the software, among other reasons.

    I have not been able to find much documentation on managing offsite/remote Altiris agents. I understand how to expose the NS and DS servers publicly, but I am concerned about security, primarily agent authentication. I don't want any agent that is not authenticated to be able to interact with the NS server, such as posting inventory data.

    1. Is there a URL, KB Article, or PDF that explains how this is accomplished?

    2. What authentication methods are available to the DS and NS that disallow unauthorized registration/communication of an Altiris Agent on our servers? I know that System Center Configuration Manager uses client certificates as an authentication mechanism for managing public/offsite/remote clients. We don't have a PKI, but I would be content with a username/password/SSL combo.

    3. Is it recommended that we only expose NS to our DMZ, or can we also do this with the DS safely? I don’t think the DS uses SSL, so this makes me nervous.

    I want to be able to accomplish this with Altiris, but the way I see it there are some security risks regarding authentication of agents, and I need to know how this is handled, or if it is even recommended.

    As always, any help is greatly appreciated!



  • 2.  RE: Managing Offsite Computers

    Posted Mar 19, 2009 05:03 PM

    NS6 provided limited support for this, using the exact method you mentioned. Placing the server in the DMZ, and using https and a certificate to secure authentication. The clients would still need to be authenticated to the network.

    Deployment Server doesn't use IIS by default, so this wouldn't really work. I never really pursued using the (optional) add-on for DS, the web console (which does use IIS), to attempt this.

    NS7, which includes the new DS7 web console, is supposed to provide better functionality for managing the type of "disconnected" users and computers you are talking about.

    Unfortunately, I'm still getting spun up on it, and don't have any practical knowledge to give you.

    So if you're running NS6, there are some great KB articles (just search for SSL) on that level. If you want to use NS7, there is a very good NS7 implementation guide:

    NS6 and SSL

    KB45803 - NS 7 Planning and Implementation Guide




  • 3.  RE: Managing Offsite Computers

    Posted Mar 19, 2009 07:14 PM

    Do the clients not use a VPN? That would solve it without any additional setup or exposure.



  • 4.  RE: Managing Offsite Computers

    Posted Mar 20, 2009 08:34 AM

    We have the same battle: we want to push software, get inventory and do everything we do with our clients on the network. If you are looking to just get inventory, you should be able to do that with both versions. The agent trust is the hardest one for you. Nothing exists to this day unless you plan on using some type of certs on your clients. If you are looking to push software, you have many more problems.

    Symantec is saying version 7.1 will have more features, but I really say this is way too long when almost every other vendor has support for internet management and roaming users. It's a matter of time before our management says "Microsoft can do it, let's switch".



  • 5.  RE: Managing Offsite Computers

    Posted Mar 20, 2009 10:20 AM

    I can see your point, emerkle. However, in this day and age of viruses and malware only getting worse and more intrusive, I wouldn't be surprised to see more restrictions for overall management of roaming computers, not less.

    So if you don't provide it, technically, you're ahead of the game. ;)



  • 6.  RE: Managing Offsite Computers

    Posted Mar 20, 2009 04:26 PM

    Thanks for the replies! At least I know this is pseudo possible. I’ll study that material you posted jharings; thanks for the shove in the right direction.
     
    Brandon, no VPN is allowed for these users. Most of the time it is not because of us, but because the client's network prohibits outgoing VPN connections. We don't have SSL VPNs yet, so PPTP/L2TP ports are usually blocked to us. Also, we don't want to be at the mercy of the contractor's discretion to VPN in when we need inventory updates. As many of you probably know, it is much easier to take the choice of management tasks out of the hands of users and force it upon them, because if you don't, chances are they won't happen. It's sort of like asking users to update their own machines: you are going to get mixed results.
     
    I’ll reply to this post if I come upon anything else useful.


  • 7.  RE: Managing Offsite Computers

    Posted Mar 21, 2009 06:13 PM

    I'm not sure if this is the topic here, but there is a great article on Microsoft about how to manage roaming user data.

    http://technet.microsoft.com/en-us/library/cc766489.aspx

    Nichant



  • 8.  RE: Managing Offsite Computers

    Posted Sep 01, 2009 12:31 PM

    Does anyone know the implications/consequences of placing a site server in the DMZ?


  • 9.  RE: Managing Offsite Computers

    Posted Sep 01, 2009 02:25 PM

    Depending on the files, ports and protocols open, if they aren't secured, or using a VPN client to connect, it's like opening a door to your network.

    As I said, I haven't been able to test the ability of running a wide open server with v7, but it might work.