What considerations are there for installing a Notification Server in the DMZ?
NOTE: Currently we do not support SMP Notification Server on a DMZ. There are plans for this type of approach in a future release. ITMS 7.5 introduced Cloud Enabled Management (CEM) to provide this type of functionality. Please refer to the User Guide or CEM Whitepaper for the version of the product you are using for further details.
If you require setting up a Notification Server in the DMZ even with the understanding that it is not supported, the following information is provided AS IS and is not intended to create a supported installation.
Items to consider
- All communications between systems in the SMP platform are done by system name and a DMZ does not utilize DNS. DNS is needed in order to resolve the IP address of the Notification Server, Site Servers and clients. Therefore it is necessary to create Hosts files for every system in the DMZ to facilitate communications.
- UNC package code bases should be disabled to systems in the DMZ since those won't work across the DMZ firewall.
- Another consideration in a DMZ is not using network throttling, since ICMP (ping) would be turned off there. The policies would try testing the network with ping and could not download its packages (Patch, Inventory...) due to a percieved failure in communication.
Monitoring Servers in this arena:
- As long as all appropriate communication can take place between the Notification Server and the target machine, you can monitor servers that are located in a DMZ.
Ensure that the following minimum level communication can take place:
- TCP Port 80 (2-way) to all target servers for Altiris Agent to Notification Server communication
- TCP Port 1011 (2-way) to all target servers for Monitor Solution's Performance Monitor to Monitor Agent communication
- Proper name resolution or hostname entries for all target servers from the Notification Server
- If the servers in the DMZ are members of a different domain than the Notification Server, the trusts between both domains must be properly configured