Client Management Suite

  • 1.  Symantec Management Agent Communications Outside of the Internal Network

    Posted Sep 09, 2011 11:52 AM

    I have a current scenario that requires the communication of clients from outside the internal network and also have communications from the same client on the inside. How do you configure this to be secure and easy to maintain? I am currently seeking everyone else's thoughts on design and risks attributed to the use of a Notification Server in the DMZ and/or possibly the use of a reverse proxy. Also, I would like to know how you handle client computers requiring patch, inventory, and software delivery in this scenario. Keep in mind that I am currently looking at everyone's thoughts for Altiris 7.0 specifically. I know that the issues are fewer on 7.1 but I currently do not have the option to upgrade and will need to make these changes on version 7.0.

     

    Thanks everyone!!!



  • 2.  RE: Symantec Management Agent Communications Outside of the Internal Network

    Posted Sep 09, 2011 04:05 PM

    You'll need to have an NS in the DMZ.  Configure it to use SSL.  Obtain a cert and install it.  If it's self-signed, install it on each client using GPO.  Specify the alternate URL as the internet-accessible FQDN of the NS in the DMZ using SSL.

    I'd definitely start with an HTTP server in test and a handful of clients, doing the entire process and becoming familiar with it, before attempting the same in production.  I would keep your existing NS using HTTP for provisioning internal systems and for then redirecting them to use your SSL NS in the DMZ.  The clients will either be HTTP with your internal NS or HTTPS using your NS in the DMZ, but this setup won't give you location awareness.

    http://www.symantec.com/business/support/index?page=content&id=HOWTO53002

    http://www.symantec.com/docs/DOC1240



  • 3.  RE: Symantec Management Agent Communications Outside of the Internal Network

    Posted Sep 09, 2011 06:31 PM
    I should also mention that the option to use SSL could be an issue, as the system has about 10,000 nodes with a single NS. I have read about the overhead that SSL can bring to the mix. I have gone down this path and it seems that the organization is more hesitant to make such a major change to the environment. Currently the options I have been presented with are the use of an NS in the DMZ and/or use of a reverse proxy. I also have encountered issues with task services when you use such configurations. I have a site server lined up to use in the DMZ but am not sure how to get the client to talk to task services. Any thoughts?


  • 4.  RE: Symantec Management Agent Communications Outside of the Internal Network

    Posted Sep 11, 2011 08:17 PM

    For the past two years, Symantec has put an Internet SMP Gateway on their sources and hidden its usage.

    I don't know why, but if anyone has some information about this....

    Search for Internet on your console and have a look at NSCAP\bin\Win32\x86\SMP Internet Gateway

    I want to test it, but I have no time to do this (and no idea of how it works).

     



  • 5.  RE: Symantec Management Agent Communications Outside of the Internal Network

    Posted Sep 15, 2011 01:55 AM

    Also, you should note that deployment is not fully supported in an SSL environment. We have found out that by default WinPE images are not working as intended in an SSL environment. This can be fixed but needs some customization and ongoing maintenance.

    Symantec has said it will fix this in the near future (early next year).



  • 6.  RE: Symantec Management Agent Communications Outside of the Internal Network

    Posted Sep 15, 2011 02:13 AM

    Dear friends,

     

    I have the same scenario and am using SMP 7.1. Can anyone suggest what the process is so that I can establish connectivity for the clients that are not on the intranet? I know a DMZ can solve the issue, but I wanted to know how it works and what I need to configure on both the NS and the clients.

     

    Thanks in Advance,

     

    Pravash Sahu



  • 7.  RE: Symantec Management Agent Communications Outside of the Internal Network

    Posted Sep 15, 2011 07:17 AM

    I had the same idea but encountered several issues. Symantec mentioned that currently this option was not available. They are currently working to get a product out for this same issue. The only issue I find with this is that the SMP Gateway will be made compatible only with version 7.1. I had the same thought but could not get it to activate. The alternative to this I found was possibly using a reverse proxy in the DMZ. I went down this path and it seems logical, but much testing is required.



  • 8.  RE: Symantec Management Agent Communications Outside of the Internal Network

    Posted Sep 15, 2011 11:40 AM

    The documents above are most of what exists on the topic.